apparmor support in latest kernel

ph0tios · 2012-09-29 20:09:43

I was just curious if anyone know whether or not apparmor is fully featured now in the arch kernel or does it still require patching? The wiki mentions it but the information seems somewhat outdated. thanks!

karol · 2012-09-29 20:12:52

Is should support it out of the box: https://bugs.archlinux.org/task/21406
The last comment is

It will be included in .36 with default to not use it.

https://projects.archlinux.org/svntogit … inux#n5756

ph0tios · 2012-09-29 20:26:54

Ah ok. I figured it was probably fully supported by now; I just wasn't sure because the wiki mentions needing to patch it to get full functionality.

"However, integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See here for details. There are compatibility patches that can be applied to every recent kernel to reintroduce these interfaces. The patchset is pretty small and should be applied if you decide to use AppArmor. (Note: the patchset for 2.6.39 works with Kernel 3.0.x)"

But it seems the information might be a little outdated. I just wanted to make sure I wasn't missing out on anything. =P

mosquitogang201 · 2012-10-02 12:53:52

The last time I tried this you still had to compile and install a custom kernel from AUR for apparmor profiles to work. That was with 3.4.x series kernels. If you search for "apparmor" in the AUR you will find it.

Pres · 2012-10-02 13:32:14

I use Apparmor just fine with the stock kernel. You can still enable/disable profiles. The biggest annoyance I found was that genprof would not work without the apparmor patches compiled in, but for basic support you don't need the custom kernel.

brebs · 2012-10-02 13:55:11

See patched kernel in AUR.

The 3 patches will have been taken from Launchpad - they are in a subdirectory within apparmor-2.8.0.tar.gz

They work fine for me in kernel 3.4.11 - perhaps they also apply cleanly to kernel 3.5, since I've not seen anyone moan or produce patches.

ph0tios · 2012-10-05 11:20:53

I'll give the patches a try with the latest kernel I suppose and see how they hold up. I also thought about using grsecurity for MAC, but it looks like it might be a little bit daunting for a desktop setup.

brebs · 2012-10-08 23:46:47

I haven't found any apparmor patches for kernel 3.6 yet

brebs · 2012-11-11 22:39:02

Found (but I haven't tried them) - opensuse's kernel-source has a patches.apparmor.tar.bz2

Lekensteyn · 2012-11-11 22:49:26

You do not need patching for basic functionality. If you need mount or/and network mediation, you need to apply one or two patches. To make use of aa-status (and the upstream rc script), you'll also need the profile introspection patch.

For my config, I am using only the introspection patch:
https://github.com/Lekensteyn/aur/blob/ … file.patch

When I asked in irc about the status of merging the patches in mainline, I was told that the interface is going to change and these patches will never be merged and eventually dropped. I think that we can expect new stuff before April 2013, when the next Ubuntu version is released. The kernel patches will probably end up in 3.8 or 3.9.

brebs · 2012-11-12 06:10:51

The opensuse patches (two) are for profile introspection and network mediation.

brebs · 2012-11-16 18:07:57

I've just updated from kernel 3.4.18 to pf-kernel 3.6.8, with opensuse's 2 kernel patches for apparmor, and it seems to be working fine. The patches need to be applied in this order:

apparmor-compatibility-patch-for-v5-network-control
apparmor-profiles-seq_file

post-factum · 2012-11-17 15:17:49

Is this the right source code repo for 3.6 kernel:

https://git.kernel.org/?p=linux/kernel/ … v3.6-aa2.8

?

I was asked to include enhanced AppArmor support into pf-kernel, but I'm wondering how to do that and why I should do that .

brebs · 2012-11-17 16:10:15

Probably not - it's an "Unnamed repository", and I dunno who "jj" is. Edit: Oh, John Johansen is the author of the network-control patch. I dunno if it's reliable.

Here's the 2 opensuse files I mentioned above: network-control and profiles.

Last edited by brebs (2012-11-17 16:14:30)

brebs · 2013-01-12 14:33:21

apparmor 2.8.1 is out

revno: 2058
Add kernel patches for 3.5 and 3.6 kernels

To support fontconfig 2.10.91, I add:

sed -i -e "19i \ \ /usr/share/fontconfig/** r,\n  /usr/share/texmf-dist/fonts/** r," profiles/apparmor.d/abstractions/fonts

The 3 apparmor kernel patches for kernel 3.4 are unchanged from apparmor 2.8.0

hunterthomson · 2013-01-14 22:12:29

ph0tios wrote:

I'll give the patches a try with the latest kernel I suppose and see how they hold up. I also thought about using grsecurity for MAC, but it looks like it might be a little bit daunting for a desktop setup.

Meh, not so much. RBAC has a learning mode like AppArmor.

All the other security measures grsecurity and PaX can provide are critical too. Arch Linux is vanilla, so it is up to the User to secure their systems. Linux all by itself is very vulnerable to attack. The aur/linux-pax-flags package takes 99% of all the trouble out of using PaX. I just make sure to run it after every upgrade to make sure the pax flags are set correctly.

Last edited by hunterthomson (2013-01-14 22:15:14)

graysky · 2013-02-05 23:50:00

Anyone running AA with 3.7.x care to update the wiki page?

brebs?

brebs · 2013-02-05 23:56:16

I'm on kernel 3.4.29, which works well. I plan on sticking with 3.4.x for a while.

graysky · 2013-02-05 23:59:36

@brebs - Systemd support?

brebs · 2013-02-06 00:36:13

I don't use systemd, and don't intend to.

I suggest you see how OpenSuSE mixes systemd and apparmor

I just keep it simple. AppArmor installs /etc/init.d/boot.apparmor, but I don't use it.

In the kernel cmdline I have:

apparmor=1 security=apparmor

(Which is actually overkill, but worth mentioning.)

And in an old-fashioned initscript I have:

apparmor_parser -a /etc/apparmor.d/usr.sbin.named
apparmor_parser -a /etc/apparmor.d/usr.bin.evolution
etc.

My kernel has:

$ zgrep -i appar /proc/config.gz 
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"

So I don't have to load any kernel modules in the initscript.

graysky · 2013-02-06 00:44:25

Thanks for the info. Think I'll wait until official systemd support is added and the AUR package is updated.

brebs · 2013-05-13 10:53:39

OpenSuse has good patches for kernel 3.9.2, in the kernel-source src.rpm. The 2 files are, also mirrored by me:

apparmor-compatibility-patch-for-v5-network-control
apparmor-profiles-seq_file

So there is no support for "mount" security, but that's not important. Example:

mount -> @{HOME}/.gvfs/,

I had to upgrade my kernel headers from 3.4.x, because capability block_suspend was added in kernel 3.5, and postfix wants it, and my apparmor program didn't even recognize it, to be able to allow it!

/usr/include/linux/capability.h:#define CAP_BLOCK_SUSPEND    36

apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/postfix" ... comm="master" ... capability=36  capname="block_suspend"

Arch Linux

#1 2012-09-29 20:09:43

apparmor support in latest kernel

#2 2012-09-29 20:12:52

Re: apparmor support in latest kernel

#3 2012-09-29 20:26:54

Re: apparmor support in latest kernel

#4 2012-10-02 12:53:52

Re: apparmor support in latest kernel

#5 2012-10-02 13:32:14

Re: apparmor support in latest kernel

#6 2012-10-02 13:55:11

Re: apparmor support in latest kernel

#7 2012-10-05 11:20:53

Re: apparmor support in latest kernel

#8 2012-10-08 23:46:47

Re: apparmor support in latest kernel

#9 2012-11-11 22:39:02

Re: apparmor support in latest kernel

#10 2012-11-11 22:49:26

Re: apparmor support in latest kernel

#11 2012-11-12 06:10:51

Re: apparmor support in latest kernel

#12 2012-11-16 18:07:57

Re: apparmor support in latest kernel

#13 2012-11-17 15:17:49

Re: apparmor support in latest kernel

#14 2012-11-17 16:10:15

Re: apparmor support in latest kernel

#15 2013-01-12 14:33:21

Re: apparmor support in latest kernel

#16 2013-01-14 22:12:29

Re: apparmor support in latest kernel

#17 2013-02-05 23:50:00

Re: apparmor support in latest kernel

#18 2013-02-05 23:56:16

Re: apparmor support in latest kernel

#19 2013-02-05 23:59:36

Re: apparmor support in latest kernel

#20 2013-02-06 00:36:13

Re: apparmor support in latest kernel

#21 2013-02-06 00:44:25

Re: apparmor support in latest kernel

#22 2013-05-13 10:53:39

Re: apparmor support in latest kernel

Board footer