I was just curious if anyone knows whether or not AppArmor is fully featured now in the Arch kernel, or whether it still requires patching? The wiki mentions it, but the information seems somewhat outdated. Thanks!
It should support it out of the box: https://bugs.archlinux.org/task/21406
The last comment is: "It will be included in .36 with default to not use it."
Ah ok. I figured it was probably fully supported by now; I just wasn't sure because the wiki mentions needing to patch it to get full functionality.
"However, integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See here for details. There are compatibility patches that can be applied to every recent kernel to reintroduce these interfaces. The patchset is pretty small and should be applied if you decide to use AppArmor. (Note: the patchset for 2.6.39 works with Kernel 3.0.x)"
But it seems the information might be a little outdated. I just wanted to make sure I wasn't missing out on anything. =P
The last time I tried this you still had to compile and install a custom kernel from AUR for apparmor profiles to work. That was with 3.4.x series kernels. If you search for "apparmor" in the AUR you will find it.
I use Apparmor just fine with the stock kernel. You can still enable/disable profiles. The biggest annoyance I found was that genprof would not work without the apparmor patches compiled in, but for basic support you don't need the custom kernel.
The 3 patches will have been taken from Launchpad - they are in a subdirectory within apparmor-2.8.0.tar.gz
They work fine for me in kernel 3.4.11 - perhaps they also apply cleanly to kernel 3.5, since I've not seen anyone moan or produce patches.
I'll give the patches a try with the latest kernel I suppose and see how they hold up. I also thought about using grsecurity for MAC, but it looks like it might be a little bit daunting for a desktop setup.
I haven't found any apparmor patches for kernel 3.6 yet
Found (but I haven't tried them) - opensuse's kernel-source has a patches.apparmor.tar.bz2
You do not need patching for basic functionality. If you need mount and/or network mediation, you need to apply one or two patches. To make use of aa-status (and the upstream rc script), you'll also need the profile introspection patch.
For my config, I am using only the introspection patch:
https://github.com/Lekensteyn/aur/blob/ … file.patch
When I asked in irc about the status of merging the patches in mainline, I was told that the interface is going to change and these patches will never be merged and eventually dropped. I think that we can expect new stuff before April 2013, when the next Ubuntu version is released. The kernel patches will probably end up in 3.8 or 3.9.
The opensuse patches (two) are for profile introspection and network mediation.
I've just updated from kernel 3.4.18 to pf-kernel 3.6.8, with opensuse's 2 kernel patches for apparmor, and it seems to be working fine. The patches need to be applied in this order:
apparmor-compatibility-patch-for-v5-network-control
apparmor-profiles-seq_file
Is this the right source code repo for the 3.6 kernel?
https://git.kernel.org/?p=linux/kernel/ … v3.6-aa2.8
I was asked to include enhanced AppArmor support into pf-kernel, but I'm wondering how to do that and why I should do that.
uname == latest pf-kernel
Probably not - it's an "Unnamed repository", and I dunno who "jj" is. Edit: Oh, John Johansen is the author of the network-control patch. I dunno if it's reliable.
Here are the 2 opensuse files I mentioned above: network-control and profiles.
Last edited by brebs (2012-11-17 16:14:30)
apparmor 2.8.1 is out
revno: 2058
Add kernel patches for 3.5 and 3.6 kernels
To support fontconfig 2.10.91, I add:
sed -i -e "19i \ \ /usr/share/fontconfig/** r,\n /usr/share/texmf-dist/fonts/** r," profiles/apparmor.d/abstractions/fonts
The 3 apparmor kernel patches for kernel 3.4 are unchanged from apparmor 2.8.0
I'll give the patches a try with the latest kernel I suppose and see how they hold up. I also thought about using grsecurity for MAC, but it looks like it might be a little bit daunting for a desktop setup.
Meh, not so much. RBAC has a learning mode like AppArmor.
All the other security measures grsecurity and PaX can provide are critical too. Arch Linux is vanilla, so it is up to the user to secure their systems. Linux all by itself is very vulnerable to attack. The aur/linux-pax-flags package takes 99% of all the trouble out of using PaX. I just make sure to run it after every upgrade to make sure the PaX flags are set correctly.
Last edited by hunterthomson (2013-01-14 22:15:14)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Anyone running AA with 3.7.x care to update the wiki page?
brebs?
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
I'm on kernel 3.4.29, which works well. I plan on sticking with 3.4.x for a while.
@brebs - Systemd support?
I don't use systemd, and don't intend to.
I suggest you see how OpenSuSE mixes systemd and apparmor
I just keep it simple. AppArmor installs /etc/init.d/boot.apparmor, but I don't use it.
In the kernel cmdline I have:
apparmor=1 security=apparmor
(Which is actually overkill, but worth mentioning.)
And in an old-fashioned initscript I have:
apparmor_parser -a /etc/apparmor.d/usr.sbin.named
apparmor_parser -a /etc/apparmor.d/usr.bin.evolution
etc.
My kernel has:
$ zgrep -i appar /proc/config.gz
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
So I don't have to load any kernel modules in the initscript.
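The checks brebs describes (grepping /proc/config.gz, passing security=apparmor on the cmdline) and the introspection interface that Lekensteyn's post says aa-status needs can be scripted into one report. The following is an added example, not brebs's or the thread's code: it reads a kernel config (a path argument, defaulting to /proc/config.gz), the apparmor module's enabled parameter and the securityfs profiles file that the introspection patch provides, and reports each as present or missing instead of failing on a stock kernel where the patch is absent. The paths /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles are standard AppArmor locations assumed here, not quoted from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which pieces of AppArmor support
# the running kernel offers. Missing interfaces are reported, never fatal.

# Print the kernel config, gzipped or plain. Default: the running kernel's config.
aa_read_config() {
    cfg="${1:-/proc/config.gz}"
    [ -r "$cfg" ] || return 1
    case "$cfg" in
        *.gz) gzip -dc "$cfg" ;;
        *)    cat "$cfg" ;;
    esac
}

# Exit 0 if AppArmor is compiled into the given config, 1 otherwise.
aa_builtin() {
    aa_read_config "$1" 2>/dev/null | grep -q '^CONFIG_SECURITY_APPARMOR=y$'
}

# Print the default LSM named by the config ("apparmor", "selinux", ...), or "none".
aa_default_lsm() {
    lsm=$(aa_read_config "$1" 2>/dev/null | sed -n 's/^CONFIG_DEFAULT_SECURITY="\(.*\)"$/\1/p')
    printf '%s\n' "${lsm:-none}"
}

# Exit 0 if the kernel reports AppArmor enabled (Y) through its module parameter.
# Argument overrides the sysfs path (assumed location, used by the self-test below).
aa_enabled() {
    param="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$param" ] && [ "$(cat "$param")" = "Y" ]
}

# Exit 0 if the profile introspection interface is present. A stock kernel of the
# era discussed lacks it until the "profiles" (seq_file) patch is applied, which is
# why aa-status fails there. Argument overrides the securityfs directory.
aa_has_introspection() {
    [ -r "${1:-/sys/kernel/security/apparmor}/profiles" ]
}

# Human-readable summary; takes an optional config path.
aa_report() {
    cfg="${1:-/proc/config.gz}"
    if aa_builtin "$cfg"; then
        echo "config:  AppArmor built in"
    else
        echo "config:  AppArmor not built in (or config unreadable)"
    fi
    echo "config:  default LSM = $(aa_default_lsm "$cfg")"
    if aa_enabled; then
        echo "runtime: apparmor enabled"
    else
        echo "runtime: apparmor not enabled (check apparmor=1 security=apparmor on the cmdline)"
    fi
    if aa_has_introspection; then
        echo "runtime: profile introspection available (aa-status can list profiles)"
    else
        echo "runtime: no profile introspection (aa-status needs the profiles patch)"
    fi
}

aa_report "$@"
```

Run it as `sh aa-check.sh` for the running kernel, or `sh aa-check.sh /path/to/.config` to inspect a kernel you are about to build; the runtime lines always describe the kernel you are booted into.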
Thanks for the info. Think I'll wait until official systemd support is added and the AUR package is updated.
OpenSuse has good patches for kernel 3.9.2, in the kernel-source src.rpm. The 2 files are (also mirrored by me):
apparmor-compatibility-patch-for-v5-network-control
apparmor-profiles-seq_file
So there is no support for "mount" security, but that's not important. Example:
mount -> @{HOME}/.gvfs/,
I had to upgrade my kernel headers from 3.4.x, because capability block_suspend was added in kernel 3.5, and postfix wants it, and my apparmor program didn't even recognize it, to be able to allow it!
/usr/include/linux/capability.h:#define CAP_BLOCK_SUSPEND 36
apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/postfix" ... comm="master" ... capability=36 capname="block_suspend"
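The postfix denial brebs quotes is the usual way a profile gap shows up: an `apparmor="DENIED"` audit line naming the profile, the operation and, for capabilities, both the number and the name. The following is an added example, not brebs's or the AppArmor project's code, that turns such lines into the profile rule that would allow the access, for a human to review before it goes into the profile. The sample log is constructed for the example (modelled on the thread's line, with made-up pids and paths); the field names are the ones AppArmor's audit messages actually use.

```shell
#!/bin/sh
# Added example (not from the thread): derive candidate profile rules from
# AppArmor "DENIED" audit lines. Review each suggestion before adding it.

# Print the value of KEY from one audit line. Values may be quoted or bare.
# A leading space is prepended so the first key matches the whitespace anchor,
# which also stops "name" from matching inside "capname".
aa_field() {
    printf ' %s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the rule for one DENIED line; exit 1 for non-denials or unhandled operations.
aa_suggest_rule() {
    line="$1"
    [ "$(aa_field apparmor "$line")" = "DENIED" ] || return 1
    case "$(aa_field operation "$line")" in
        capable)
            # capname is what the kernel reports; a userspace built against old
            # headers only knows the number (capability=36) and cannot allow it.
            name=$(aa_field capname "$line")
            [ -n "$name" ] && printf 'capability %s,\n' "$name" ;;
        open|file_perm|file_mmap|exec|getattr|truncate|link|rename_src|rename_dest)
            path=$(aa_field name "$line")
            mask=$(aa_field requested_mask "$line")
            [ -n "$path" ] && [ -n "$mask" ] && printf '%s %s,\n' "$path" "$mask" ;;
        *)
            return 1 ;;
    esac
}

# Read audit lines on stdin; print "profile: rule" per denial, deduplicated.
aa_suggest_rules() {
    while IFS= read -r line; do
        rule=$(aa_suggest_rule "$line") || continue
        printf '%s: %s\n' "$(aa_field profile "$line")" "$rule"
    done | sort -u
}

# Constructed sample log (not real output): the postfix capability denial from the
# thread with made-up pid, a file denial, and an ALLOWED line that must be ignored.
SAMPLE_LOG='apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/postfix" pid=1234 comm="master" capability=36 capname="block_suspend"
apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/cache/bind/example.zone" pid=2345 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/named" name="/etc/named.conf" pid=2345 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

printf '%s\n' "$SAMPLE_LOG" | aa_suggest_rules
```

On a live system feed it from the audit log instead, e.g. `grep 'apparmor="DENIED"' /var/log/audit/audit.log | aa_suggest_rules`, then reload the edited profile with `apparmor_parser -r`. The script deliberately prints suggestions rather than editing profiles: a denial is evidence of what the program tried, not proof that the access should be granted.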