Hi. I hope I am placing my question in the best spot. Let me know if I am not.
I just noticed by chance that my apparmor is not loading.
It might be important to use along with snapcraft. I do not really know its importance; I just read it somewhere.
By the way, on the snapcraft page it says to install 'snapd' (which is apparently outdated; someone who reads the AUR page would prefer to install snapd-git instead).
But anyway...
apparmor may be worth something, but after I run
~]$ systemctl enable --now apparmor.service
and then check it ( even after reboot )
[davi@dartcanon ~]$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Condition: start condition failed at Wed 2020-01-01 15:17:11 -03; 9s ago
└─ ConditionSecurity=apparmor was not met
jan 01 15:17:11 dartcanon systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.
[davi@dartcanon ~]$
I read on the link below that it could be due to a kernel thing.
https://www.reddit.com/r/archlinux/comm … y_not_met/
I need someone to translate this part for me, if appropriate.
EDIT: fixed by actually using the kernel (lol). Was unaware that linux-apparmor is compiled into a separate kernel. Replace /initramfs-linux.img and /vmlinuz-linux with /initramfs-linux-apparmor.img and /vmlinuz-linux-apparmor in arch.conf, alongside the apparmor=1 security=apparmor. Thanks u/th3voic31 !
Some info about my system:
I'm using KDE on a PC.
~]$ pacman -Q linux
linux 5.4.6.arch3-1
~]$ pacman -Q linux-lts
linux-lts 4.19.91-1
~]$
Thanks
Last edited by davicb (2020-01-02 21:25:18)
Have you read the wiki page on apparmor? The wiki is a better source of information than random reddit posts.
I followed through the wiki page on apparmor and apparently it needs to be done through some kernel compilation.
It seems I am going down a long path. If that is the way it is, I am ok with that. I just thought it would require less intervention.
Following this source:
https://wiki.archlinux.org/index.php/Kernel#Compilation
I chose Arch Build System over Traditional compilation.
Now following this source:
https://wiki.archlinux.org/index.php/Ke … ild_System
Created the 'build' directory inside my home directory.
Made a copy of the linux kernel package inside it, following the commands.
$ asp update linux
$ asp export linux
Now I am about to change the PKGBUILD, which looks like this:
# Maintainer: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>

pkgbase=linux
pkgver=5.4.7.arch1
pkgrel=1
pkgdesc='Linux'
_srctag=v${pkgver%.*}-${pkgver##*.}
url="https://git.archlinux.org/linux.git/log/?h=$_srctag"
arch=(x86_64)
license=(GPL2)
makedepends=(
  bc kmod libelf
  xmlto python-sphinx python-sphinx_rtd_theme graphviz imagemagick
  git
)
options=('!strip')
_srcname=archlinux-linux
source=(
  "$_srcname::git+https://git.archlinux.org/linux.git?signed#tag=$_srctag"
  config         # the main kernel config file
)
validpgpkeys=(
  'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
  '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
  '8218F88849AAC522E94CF470A5E9288C4FA415FA'  # Jan Alexander Steffens (heftig)
)
sha256sums=('SKIP'
            'eeb60c19586bf5855eeaeac8323b0012107bfa74f9efa0c8e129d979d38f1f31')

export KBUILD_BUILD_HOST=archlinux
export KBUILD_BUILD_USER=$pkgbase
export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"

prepare() {
  cd $_srcname

  msg2 "Setting version..."
  scripts/setlocalversion --save-scmversion
  echo "-$pkgrel" > localversion.10-pkgrel
  echo "${pkgbase#linux}" > localversion.20-pkgname

  local src
  for src in "${source[@]}"; do
    src="${src%%::*}"
    src="${src##*/}"
    [[ $src = *.patch ]] || continue
    msg2 "Applying patch $src..."
    patch -Np1 < "../$src"
  done

  msg2 "Setting config..."
  cp ../config .config
  make olddefconfig

  make -s kernelrelease > version
  msg2 "Prepared %s version %s" "$pkgbase" "$(<version)"
}

build() {
  cd $_srcname
  make bzImage modules htmldocs
}

_package() {
  pkgdesc="The $pkgdesc kernel and modules"
  depends=(coreutils kmod initramfs)
  optdepends=('crda: to set the correct wireless channels of your country'
              'linux-firmware: firmware images needed for some devices')

  cd $_srcname
  local kernver="$(<version)"
  local modulesdir="$pkgdir/usr/lib/modules/$kernver"

  msg2 "Installing boot image..."
  # systemd expects to find the kernel here to allow hibernation
  # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"

  # Used by mkinitcpio to name the kernel
  echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"

  msg2 "Installing modules..."
  make INSTALL_MOD_PATH="$pkgdir/usr" modules_install

  # remove build and source links
  rm "$modulesdir"/{source,build}

  msg2 "Fixing permissions..."
  chmod -Rc u=rwX,go=rX "$pkgdir"
}

_package-headers() {
  pkgdesc="Headers and scripts for building modules for the $pkgdesc kernel"

  cd $_srcname
  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"

  msg2 "Installing build files..."
  install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
    localversion.* version vmlinux
  install -Dt "$builddir/kernel" -m644 kernel/Makefile
  install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
  cp -t "$builddir" -a scripts

  # add objtool for external module building and enabled VALIDATION_STACK option
  install -Dt "$builddir/tools/objtool" tools/objtool/objtool

  # add xfs and shmem for aufs building
  mkdir -p "$builddir"/{fs/xfs,mm}

  msg2 "Installing headers..."
  cp -t "$builddir" -a include
  cp -t "$builddir/arch/x86" -a arch/x86/include
  install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s

  install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
  install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h

  # http://bugs.archlinux.org/task/13146
  install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h

  # http://bugs.archlinux.org/task/20402
  install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
  install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
  install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h

  msg2 "Installing KConfig files..."
  find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;

  msg2 "Removing unneeded architectures..."
  local arch
  for arch in "$builddir"/arch/*/; do
    [[ $arch = */x86/ ]] && continue
    echo "Removing $(basename "$arch")"
    rm -r "$arch"
  done

  msg2 "Removing documentation..."
  rm -r "$builddir/Documentation"

  msg2 "Removing broken symlinks..."
  find -L "$builddir" -type l -printf 'Removing %P\n' -delete

  msg2 "Removing loose objects..."
  find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete

  msg2 "Stripping build tools..."
  local file
  while read -rd '' file; do
    case "$(file -bi "$file")" in
      application/x-sharedlib\;*)      # Libraries (.so)
        strip -v $STRIP_SHARED "$file" ;;
      application/x-archive\;*)        # Libraries (.a)
        strip -v $STRIP_STATIC "$file" ;;
      application/x-executable\;*)     # Binaries
        strip -v $STRIP_BINARIES "$file" ;;
      application/x-pie-executable\;*) # Relocatable binaries
        strip -v $STRIP_SHARED "$file" ;;
    esac
  done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)

  msg2 "Adding symlink..."
  mkdir -p "$pkgdir/usr/src"
  ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase"

  msg2 "Fixing permissions..."
  chmod -Rc u=rwX,go=rX "$pkgdir"
}

_package-docs() {
  pkgdesc="Documentation for the $pkgdesc kernel"

  cd $_srcname
  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"

  msg2 "Installing documentation..."
  local src dst
  while read -rd '' src; do
    dst="${src#Documentation/}"
    dst="$builddir/Documentation/${dst#output/}"
    install -Dm644 "$src" "$dst"
  done < <(find Documentation -name '.*' -prune -o ! -type d -print0)

  msg2 "Adding symlink..."
  mkdir -p "$pkgdir/usr/share/doc"
  ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"

  msg2 "Fixing permissions..."
  chmod -Rc u=rwX,go=rX "$pkgdir"
}

pkgname=("$pkgbase" "$pkgbase-headers" "$pkgbase-docs")
for _p in "${pkgname[@]}"; do
  eval "package_$_p() {
    $(declare -f "_package${_p#$pkgbase}")
    _package${_p#$pkgbase}
  }"
done

# vim:set ts=8 sts=2 sw=2 et:
It seems I need to place the following lines somewhere above, but where exactly?
Source:
https://wiki.archlinux.org/index.php/Ap … stallation
apparmor=1 security=apparmor
CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
Maybe this thread should be placed under Kernel & Hardware.
Thanks
The wiki clearly states:
AppArmor is available in all officially supported kernels.
Then:
To enable AppArmor as default security model on every boot, set the following kernel parameters:
apparmor=1 security=apparmor
Above is enough to do for all linux* packages. The compilation part is about building your own custom kernel which isn't what you need.
To enable AppArmor as default security model on every boot, set the following kernel parameters:
apparmor=1 security=apparmor
Ok, you filtered a lot, thanks for that.
But still, this line quoted from the wiki: should it go along with some other command like...
# sysctl --load=filename.conf (in this case 'apparmor=1 security=apparmor' probably goes after '=')
or
# sysctl -w apparmor=1 security=apparmor
or should 'apparmor=1 security=apparmor' go inside a file?
Thanks
sysctl does not get mentioned anywhere in the AppArmor page.
https://wiki.archlinux.org/index.php/Ap … stallation clearly links to https://wiki.archlinux.org/index.php/Kernel_parameters . Find the section for your boot loader in that page and use the instructions in it to set the required kernel parameters.
sysctl does not get mentioned anywhere in the AppArmor page.
https://wiki.archlinux.org/index.php/Ap … stallation clearly links to https://wiki.archlinux.org/index.php/Kernel_parameters . Find the section for your boot loader in that page and use the instructions in it to set the required kernel parameters.
Ok I followed the section of my boot loader.
I managed to change this line at the start of the boot, which is GRUB by the way, and added 'apparmor=1 security=apparmor'.
Looked like this
linux /boot/vmlinuz-linux root=UUID=978e3e81-8048-4ae1-8a06-aa727458e8ff quiet splash apparmor=1 security=apparmor
It really worked, I checked with
aa-enabled
Of course it worked only for one boot.
I tried to Edit /etc/default/grub and append my kernel options to the GRUB_CMDLINE_LINUX_DEFAULT line:
Looked like this for me
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet" apparmor=1 security=apparmor
And then ran '# grub-mkconfig -o /boot/grub/grub.cfg' to make the changes persistent, but in this case it did not work.
I must be skipping something.
Thanks
I tried to Edit /etc/default/grub and append my kernel options to the GRUB_CMDLINE_LINUX_DEFAULT line:
Looked like this for me
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet" apparmor=1 security=apparmor
And ther run '# grub-mkconfig -o /boot/grub/grub.cfg' to make changes persistent, but in this case it did not work.
I must be skipping something
Thanks
You need to add your new options in between the quotes.
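An added checker, not code from the thread, for the two failure modes discussed above: AppArmor parameters placed after the closing quote in /etc/default/grub, and a kernel command line that never selected AppArmor at all (the reason aa-enabled can still say "disabled at boot"). The sample files are constructed; on a real system point check_grub_file at /etc/default/grub and feed /proc/cmdline to cmdline_apparmor_state.

```shell
#!/bin/sh
# Added example, not from the thread. Checks /etc/default/grub for the
# "outside the quotes" mistake and tells whether a kernel command line
# actually selects AppArmor. Sample files below are constructed.

# Print the value inside the quotes of GRUB_CMDLINE_LINUX_DEFAULT in file $1.
grub_default_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\([^"]*\)".*$/\1/p' "$1"
}

# Print whatever follows the closing quote on that line; should be empty.
grub_trailing_junk() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="[^"]*"[[:space:]]*\(.*\)$/\1/p' "$1"
}

# Print "enabled" when command line $1 selects AppArmor (security=apparmor, or
# an lsm= list naming apparmor) and does not contain apparmor=0.
cmdline_apparmor_state() {
    state=disabled
    for tok in $1; do
        case "$tok" in
            security=apparmor) state=enabled ;;
            lsm=*apparmor*)    state=enabled ;;
            apparmor=0)        echo disabled; return 0 ;;
        esac
    done
    echo "$state"
}

# Verdict for a grub defaults file: ok, outside-quotes, or missing.
check_grub_file() {
    if [ -n "$(grub_trailing_junk "$1")" ]; then
        echo outside-quotes
    elif [ "$(cmdline_apparmor_state "$(grub_default_value "$1")")" = enabled ]; then
        echo ok
    else
        echo missing
    fi
}

# Constructed samples mirroring the thread: the broken edit and the fixed one.
TMP=$(mktemp -d)
printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet" apparmor=1 security=apparmor' > "$TMP/broken"
printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 lsm=lockdown,yama,apparmor loglevel=3 quiet"' > "$TMP/fixed"

check_grub_file "$TMP/broken"   # outside-quotes
check_grub_file "$TMP/fixed"    # ok
# On a live system: cmdline_apparmor_state "$(cat /proc/cmdline)"
```

Running grub-mkconfig after a file that reports "ok" and then comparing /proc/cmdline on the next boot separates a grub edit problem from booting a different kernel entry.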
Yes between the quotes of course.
Thanks, that did the trick.
Thank you all for the time spent helping me.
Cheers
Glad we could help. Please remember to mark this thread as [SOLVED].
Yes between the quotes of course.
Would you mind providing the working example? Thanks.
I also note that what you've posted differs from the Wiki:
Yours: apparmor=1 security=apparmor
vs
Wiki: apparmor=1 lsm=lockdown,yama,apparmor
Has the Wiki been updated very recently or was the line you gave from advice elsewhere?
Last edited by DifficultDerek (2020-05-20 02:47:18)
Yes, the wiki was recently updated.
IIRC "apparmor=1" could also be omitted, but I don't remember since which Linux version.
davicb wrote:Yes between the quotes of course.
Would you mind providing the working example? Thanks.
I also note that what you've posted differs from the Wiki:
Yours: apparmor=1 security=apparmor
vs
Wiki: apparmor=1 lsm=lockdown,yama,apparmor
Has the Wiki been updated very recently or was the line you gave from advice elsewhere?
After following the wiki on https://wiki.archlinux.org/index.php/Ap … stallation and https://wiki.archlinux.org/index.php/Ke … eters#GRUB
I made the following edit to /etc/default/grub :
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 lsm=lockdown,yama,apparmor loglevel=3 quiet"
GRUB_CMDLINE_LINUX=""
and also ran grub-mkconfig -o /boot/grub/grub.cfg
but on rebooting, the output of aa-enabled is 'No - disabled at boot'.
Is there something that I have missed? Any help would be appreciated.
Sorry, I plain missed your question.
I don't know why mine works and yours doesn't. It might be because I have 'quiet' BEFORE apparmor. Note my nvme is encrypted and needed the UUID because it kept getting confused between it and my other identical brand/model installed nvme device at boot. vg1 is part of the LVM:
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=XXXXXXXXX:vg1 quiet apparmor=1 lsm=lockdown,yama,apparmor"
No issues, thank you for the reply.
I had given up on apparmor and anbox as I had started using the web app for the Android app (OneNote) that I was trying to install using anbox on Arch.
Nonetheless, I would post my results whenever I try enabling apparmor again.
Last edited by vkm01 (2020-08-01 04:10:47)