
#1 2020-01-01 18:35:15

davicb
Member
Registered: 2019-11-01
Posts: 15

[ SOLVED ] apparmor not loading via systemctl

Hi. I hope I am placing my question on the best spot. Let me know if I am not.
I just noticed by chance that my apparmor is not loading.
It might be important to use along with snapcraft. I do not really know its importance; I just read it somewhere.
By the way, on the snapcraft page you are told to install 'snapd' (which apparently is outdated; someone who reads the AUR page would prefer to install snapd-git instead).
But anyway...
apparmor may be worth something, but after I run

~]$ systemctl enable --now apparmor.service

and then check it ( even after reboot )

[davi@dartcanon ~]$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
     Active: inactive (dead)
  Condition: start condition failed at Wed 2020-01-01 15:17:11 -03; 9s ago
             └─ ConditionSecurity=apparmor was not met

jan 01 15:17:11 dartcanon systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.
[davi@dartcanon ~]$ 

I read on the link below that it could be due to a kernel thing.
https://www.reddit.com/r/archlinux/comm … y_not_met/
I need someone to translate this part for me, if it is appropriate.

EDIT: fixed by actually using the kernel (lol). Was unaware that linux-apparmor is compiled into a separate kernel. Replace /initramfs-linux.img and /vmlinuz-linux with /initramfs-linux-apparmor.img and /vmlinuz-linux-apparmor in arch.conf, alongside the apparmor=1 security=apparmor. Thanks u/th3voic31 !

Some info about my system:
I'm using KDE on a PC.

~]$ pacman -Q linux
linux 5.4.6.arch3-1
~]$ pacman -Q linux-lts
linux-lts 4.19.91-1
~]$ 

Thanks

Last edited by davicb (2020-01-02 21:25:18)


#2 2020-01-01 18:44:30

2ManyDogs
Forum Moderator
Registered: 2012-01-15
Posts: 4,645

Re: [ SOLVED ] apparmor not loading via systemctl

Have you read the wiki page on apparmor? The wiki is a better source of information than random reddit posts.

https://wiki.archlinux.org/index.php/Ap … stallation


How to post. A sincere effort to use modest and proper language and grammar is a sign of respect toward the community.


#3 2020-01-02 00:31:35

davicb
Member
Registered: 2019-11-01
Posts: 15

Re: [ SOLVED ] apparmor not loading via systemctl

I followed through the wiki page on apparmor and apparently it needs to be done through some kernel compilation.

It seems I am going down a long path. If that is the way it is I am ok with that. Just thought it would require less intervention.

following this source:


https://wiki.archlinux.org/index.php/Kernel#Compilation


I chose Arch Build System over Traditional compilation.

Now following this source:


https://wiki.archlinux.org/index.php/Ke … ild_System


Created the 'build' directory inside my home directory.
Made a Linux kernel copy inside it, following the commands.

$ asp update linux
$ asp export linux

Now I am up to changing the PKGBUILD, which looks like this:

# Maintainer: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>

pkgbase=linux
pkgver=5.4.7.arch1
pkgrel=1
pkgdesc='Linux'
_srctag=v${pkgver%.*}-${pkgver##*.}
url="https://git.archlinux.org/linux.git/log/?h=$_srctag"
arch=(x86_64)
license=(GPL2)
makedepends=(
  bc kmod libelf
  xmlto python-sphinx python-sphinx_rtd_theme graphviz imagemagick
  git
)
options=('!strip')
_srcname=archlinux-linux
source=(
  "$_srcname::git+https://git.archlinux.org/linux.git?signed#tag=$_srctag"
  config         # the main kernel config file
)
validpgpkeys=(
  'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
  '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
  '8218F88849AAC522E94CF470A5E9288C4FA415FA'  # Jan Alexander Steffens (heftig)
)
sha256sums=('SKIP'
            'eeb60c19586bf5855eeaeac8323b0012107bfa74f9efa0c8e129d979d38f1f31')

export KBUILD_BUILD_HOST=archlinux
export KBUILD_BUILD_USER=$pkgbase
export KBUILD_BUILD_TIMESTAMP="$(date -Ru${SOURCE_DATE_EPOCH:+d @$SOURCE_DATE_EPOCH})"

prepare() {
  cd $_srcname

  msg2 "Setting version..."
  scripts/setlocalversion --save-scmversion
  echo "-$pkgrel" > localversion.10-pkgrel
  echo "${pkgbase#linux}" > localversion.20-pkgname

  local src
  for src in "${source[@]}"; do
    src="${src%%::*}"
    src="${src##*/}"
    [[ $src = *.patch ]] || continue
    msg2 "Applying patch $src..."
    patch -Np1 < "../$src"
  done

  msg2 "Setting config..."
  cp ../config .config
  make olddefconfig

  make -s kernelrelease > version
  msg2 "Prepared %s version %s" "$pkgbase" "$(<version)"
}

build() {
  cd $_srcname
  make bzImage modules htmldocs
}

_package() {
  pkgdesc="The $pkgdesc kernel and modules"
  depends=(coreutils kmod initramfs)
  optdepends=('crda: to set the correct wireless channels of your country'
              'linux-firmware: firmware images needed for some devices')

  cd $_srcname
  local kernver="$(<version)"
  local modulesdir="$pkgdir/usr/lib/modules/$kernver"

  msg2 "Installing boot image..."
  # systemd expects to find the kernel here to allow hibernation
  # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"

  # Used by mkinitcpio to name the kernel
  echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"

  msg2 "Installing modules..."
  make INSTALL_MOD_PATH="$pkgdir/usr" modules_install

  # remove build and source links
  rm "$modulesdir"/{source,build}

  msg2 "Fixing permissions..."
  chmod -Rc u=rwX,go=rX "$pkgdir"
}

_package-headers() {
  pkgdesc="Headers and scripts for building modules for the $pkgdesc kernel"

  cd $_srcname
  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"

  msg2 "Installing build files..."
  install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
    localversion.* version vmlinux
  install -Dt "$builddir/kernel" -m644 kernel/Makefile
  install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
  cp -t "$builddir" -a scripts

  # add objtool for external module building and enabled VALIDATION_STACK option
  install -Dt "$builddir/tools/objtool" tools/objtool/objtool

  # add xfs and shmem for aufs building
  mkdir -p "$builddir"/{fs/xfs,mm}

  msg2 "Installing headers..."
  cp -t "$builddir" -a include
  cp -t "$builddir/arch/x86" -a arch/x86/include
  install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s

  install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
  install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h

  # http://bugs.archlinux.org/task/13146
  install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h

  # http://bugs.archlinux.org/task/20402
  install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
  install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
  install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h

  msg2 "Installing KConfig files..."
  find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;

  msg2 "Removing unneeded architectures..."
  local arch
  for arch in "$builddir"/arch/*/; do
    [[ $arch = */x86/ ]] && continue
    echo "Removing $(basename "$arch")"
    rm -r "$arch"
  done

  msg2 "Removing documentation..."
  rm -r "$builddir/Documentation"

  msg2 "Removing broken symlinks..."
  find -L "$builddir" -type l -printf 'Removing %P\n' -delete

  msg2 "Removing loose objects..."
  find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete

  msg2 "Stripping build tools..."
  local file
  while read -rd '' file; do
    case "$(file -bi "$file")" in
      application/x-sharedlib\;*)      # Libraries (.so)
        strip -v $STRIP_SHARED "$file" ;;
      application/x-archive\;*)        # Libraries (.a)
        strip -v $STRIP_STATIC "$file" ;;
      application/x-executable\;*)     # Binaries
        strip -v $STRIP_BINARIES "$file" ;;
      application/x-pie-executable\;*) # Relocatable binaries
        strip -v $STRIP_SHARED "$file" ;;
    esac
  done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)

  msg2 "Adding symlink..."
  mkdir -p "$pkgdir/usr/src"
  ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase"

  msg2 "Fixing permissions..."
  chmod -Rc u=rwX,go=rX "$pkgdir"
}

_package-docs() {
  pkgdesc="Documentation for the $pkgdesc kernel"

  cd $_srcname
  local builddir="$pkgdir/usr/lib/modules/$(<version)/build"

  msg2 "Installing documentation..."
  local src dst
  while read -rd '' src; do
    dst="${src#Documentation/}"
    dst="$builddir/Documentation/${dst#output/}"
    install -Dm644 "$src" "$dst"
  done < <(find Documentation -name '.*' -prune -o ! -type d -print0)

  msg2 "Adding symlink..."
  mkdir -p "$pkgdir/usr/share/doc"
  ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"

  msg2 "Fixing permissions..."
  chmod -Rc u=rwX,go=rX "$pkgdir"
}

pkgname=("$pkgbase" "$pkgbase-headers" "$pkgbase-docs")
for _p in "${pkgname[@]}"; do
  eval "package_$_p() {
    $(declare -f "_package${_p#$pkgbase}")
    _package${_p#$pkgbase}
  }"
done

# vim:set ts=8 sts=2 sw=2 et:

It seems I need to place the following lines somewhere above, where exactly?
source:

https://wiki.archlinux.org/index.php/Ap … stallation

apparmor=1 security=apparmor

CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y

CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y

Maybe this thread should be placed under Kernel & Hardware.

Thanks


#4 2020-01-02 13:46:44

Everette88
Member
Registered: 2018-02-17
Posts: 41

Re: [ SOLVED ] apparmor not loading via systemctl

The wiki clearly states:

AppArmor is available in all officially supported kernels.

Then:

To enable AppArmor as default security model on every boot, set the following kernel parameters:

apparmor=1 security=apparmor

Above is enough to do for all linux* packages. The compilation part is about building your own custom kernel which isn't what you need.


#5 2020-01-02 16:14:19

davicb
Member
Registered: 2019-11-01
Posts: 15

Re: [ SOLVED ] apparmor not loading via systemctl

Everette88 wrote:

To enable AppArmor as default security model on every boot, set the following kernel parameters:

apparmor=1 security=apparmor

Ok, you filtered a lot, thanks for that.
But still, this line quoted from the wiki: should it go along with some other command like...

# sysctl --load=filename.conf        (in this case 'apparmor=1 security=apparmor' probably goes after the '=')
or
# sysctl -w apparmor=1 security=apparmor

or should 'apparmor=1 security=apparmor' go inside a file?

Thanks


#6 2020-01-02 16:38:29

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 592

Re: [ SOLVED ] apparmor not loading via systemctl

sysctl does not get mentioned anywhere in the AppArmor page.

https://wiki.archlinux.org/index.php/Ap … stallation clearly links to https://wiki.archlinux.org/index.php/Kernel_parameters . Find the section for your boot loader in that page and use the instructions in it to set the required kernel parameters.


#7 2020-01-02 19:13:56

davicb
Member
Registered: 2019-11-01
Posts: 15

Re: [ SOLVED ] apparmor not loading via systemctl

nl6720 wrote:

sysctl does not get mentioned anywhere in the AppArmor page.

https://wiki.archlinux.org/index.php/Ap … stallation clearly links to https://wiki.archlinux.org/index.php/Kernel_parameters . Find the section for your boot loader in that page and use the instructions in it to set the required kernel parameters.

OK, I followed the section for my boot loader.
I managed to change this line at the start of the boot (the boot loader is GRUB, by the way) and added 'apparmor=1 security=apparmor'.
Looked like this

linux /boot/vmlinuz-linux root=UUID=978e3e81-8048-4ae1-8a06-aa727458e8ff quiet splash apparmor=1 security=apparmor

It really worked, I checked with

aa-enabled

Of course it worked only for one boot.
I tried to edit /etc/default/grub and append my kernel options to the GRUB_CMDLINE_LINUX_DEFAULT line:
Looked like this for me

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet" apparmor=1 security=apparmor

And then ran '# grub-mkconfig -o /boot/grub/grub.cfg' to make the changes persistent, but in this case it did not work.
I must be skipping something

Thanks


#8 2020-01-02 19:19:50

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [ SOLVED ] apparmor not loading via systemctl

davicb wrote:

I tried to edit /etc/default/grub and append my kernel options to the GRUB_CMDLINE_LINUX_DEFAULT line:
Looked like this for me

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet" apparmor=1 security=apparmor

And then ran '# grub-mkconfig -o /boot/grub/grub.cfg' to make the changes persistent, but in this case it did not work.
I must be skipping something

Thanks

You need to add your new options in between the quotes.


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles


#9 2020-01-02 21:00:49

davicb
Member
Registered: 2019-11-01
Posts: 15

Re: [ SOLVED ] apparmor not loading via systemctl

Yes between the quotes of course.
Thanks, that finished the trick.


Thank you all for the time spent helping me.
Cheers


#10 2020-01-02 21:24:09

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [ SOLVED ] apparmor not loading via systemctl

Glad we could help. Please remember to mark this thread as [SOLVED].
CoC - How to post



#11 2020-05-20 02:43:42

DifficultDerek
Member
Registered: 2020-05-20
Posts: 8

Re: [ SOLVED ] apparmor not loading via systemctl

davicb wrote:

Yes between the quotes of course.

Would you mind providing the working example? Thanks.

I also note that what you've posted differs from the Wiki:
Yours:  apparmor=1 security=apparmor
vs
Wiki:  apparmor=1 lsm=lockdown,yama,apparmor

Has the Wiki been updated very recently or was the line you gave from advice elsewhere?

Last edited by DifficultDerek (2020-05-20 02:47:18)


#12 2020-05-20 08:43:14

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 592

Re: [ SOLVED ] apparmor not loading via systemctl

Yes, the wiki was recently updated.

IIRC "apparmor=1" could also be omitted, but I don't remember since which Linux version.


#13 2020-06-13 16:24:11

vkm01
Member
Registered: 2020-06-13
Posts: 2

Re: [ SOLVED ] apparmor not loading via systemctl

DifficultDerek wrote:
davicb wrote:

Yes between the quotes of course.

Would you mind providing the working example? Thanks.

I also note that what you've posted differs from the Wiki:
Yours:  apparmor=1 security=apparmor
vs
Wiki:  apparmor=1 lsm=lockdown,yama,apparmor

Has the Wiki been updated very recently or was the line you gave from advice elsewhere?

After following the wiki on https://wiki.archlinux.org/index.php/Ap … stallation and https://wiki.archlinux.org/index.php/Ke … eters#GRUB
I made the following edit to /etc/default/grub :
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 lsm=lockdown,yama,apparmor loglevel=3 quiet"
GRUB_CMDLINE_LINUX=""
and also ran grub-mkconfig -o /boot/grub/grub.cfg
but on rebooting output of aa-enabled is No - disabled at boot.
is there something that I have missed? any help would be appreciated.


#14 2020-08-01 03:53:51

DifficultDerek
Member
Registered: 2020-05-20
Posts: 8

Re: [ SOLVED ] apparmor not loading via systemctl

Sorry, I plain missed your question.

I don't know why mine works and yours doesn't. It might be because I have 'quiet' BEFORE apparmor. Note my nvme is encrypted and needed the UUID because it kept getting confused between it and my other identical brand/model installed nvme device at boot. vg1 is part of the LVM:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=XXXXXXXXX:vg1 quiet apparmor=1 lsm=lockdown,yama,apparmor"
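
Added example for this thread, not code from any of the posts above. It covers three points raised here at once: the fix from post #8 (the parameters must land inside the quotes of GRUB_CMDLINE_LINUX_DEFAULT, and the line in post #7 with them after the closing quote should be rejected rather than silently mangled), the newer lsm= form from posts #11 and #12, and the situation in post #13 where the file looks right but aa-enabled still reports "No - disabled at boot". The second function answers that last case by reading what the kernel actually booted with (/proc/cmdline) and which LSMs it actually activated (/sys/kernel/security/lsm): if the parameters are missing from /proc/cmdline, grub.cfg was not regenerated, was written to a path the firmware does not boot from, or the parameters sat outside the quotes; if they are present but apparmor is not in the LSM list, the running kernel did not enable it. Assumptions, all mine: GRUB is the boot loader with a stock Arch /etc/default/grub, and the kernel exposes the active LSM list in /sys/kernel/security/lsm (securityfs mounted, as systemd does). Every function takes file paths so it can be tried on copies first; the demo at the bottom only touches a constructed temporary file.

```shell
#!/bin/bash
# Added example, not from any post in this thread: put the AppArmor kernel
# parameters inside the quotes of GRUB_CMDLINE_LINUX_DEFAULT (post #8), then
# check after reboot whether they reached the kernel and whether the kernel
# enabled AppArmor (post #13).
#
# Assumptions (mine, not the thread's): GRUB with a stock /etc/default/grub,
# the newer "lsm=" syntax from post #11, and a kernel that lists active LSMs
# in /sys/kernel/security/lsm. Paths are parameters so copies can be tested.

set -u

APPARMOR_PARAMS="apparmor=1 lsm=lockdown,yama,apparmor"

# grub_cmdline_get FILE: print the value between the quotes of the first
# GRUB_CMDLINE_LINUX_DEFAULT line. Returns 1 if the line is absent and 2 if
# the value is not a single double-quoted string (e.g. tokens after the
# closing quote, which is exactly the mistake in post #7).
grub_cmdline_get() {
    local line
    line=$(grep -m1 '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1") || return 1
    case $line in
        GRUB_CMDLINE_LINUX_DEFAULT=\"*\")
            line=${line#GRUB_CMDLINE_LINUX_DEFAULT=\"}
            printf '%s\n' "${line%\"}" ;;
        *) return 2 ;;
    esac
}

# grub_add_params FILE "p1 p2 ...": append each parameter inside the quotes,
# skipping any already present as a whole token (so it is safe to re-run).
# Refuses to touch a malformed line instead of dropping existing options.
grub_add_params() {
    local file=$1 params=$2 current p
    current=$(grub_cmdline_get "$file") || {
        echo "grub_add_params: no well-formed GRUB_CMDLINE_LINUX_DEFAULT=\"...\" line in $file" >&2
        return 1
    }
    for p in $params; do
        case " $current " in
            *" $p "*) ;;                                  # already set
            *) current="${current:+$current }$p" ;;
        esac
    done
    # Rewrite the assignment; the value stays inside the quotes.
    # (Parameters containing '|' or '&' would need escaping for sed.)
    sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$current\"|" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# apparmor_boot_status [CMDLINE_FILE] [LSM_FILE]: classify the running system.
#   active         apparmor is in the kernel's active LSM list
#   not-requested  the booted command line never asked for it (grub.cfg not
#                  regenerated, wrong grub.cfg path, or params outside quotes)
#   not-active     requested on the command line but the kernel did not
#                  enable it (aa-enabled then says "No - disabled at boot")
apparmor_boot_status() {
    local cmdline_file=${1:-/proc/cmdline} lsm_file=${2:-/sys/kernel/security/lsm}
    local cmdline="" lsms="" tok requested=no
    [ -r "$cmdline_file" ] && cmdline=$(tr -d '\n' < "$cmdline_file")
    [ -r "$lsm_file" ] && lsms=$(tr -d '\n' < "$lsm_file")
    for tok in $cmdline; do
        case $tok in
            security=apparmor) requested=yes ;;
            lsm=*) case ",${tok#lsm=}," in *,apparmor,*) requested=yes ;; esac ;;
            apparmor=0) requested=no; break ;;       # explicit disable wins
        esac
    done
    case ",$lsms," in
        *,apparmor,*) echo active ;;
        *) [ "$requested" = yes ] && echo not-active || echo not-requested ;;
    esac
}

# Stand-alone demo on a constructed copy; the real /etc/default/grub is never
# touched. On a live system the sequence is:
#   grub_add_params /etc/default/grub "$APPARMOR_PARAMS" && grub-mkconfig -o /boot/grub/grub.cfg
#   reboot, then: apparmor_boot_status   (defaults to /proc/cmdline and securityfs)
demo_dir=$(mktemp -d)
printf 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$demo_dir/grub"
grub_add_params "$demo_dir/grub" "$APPARMOR_PARAMS"
grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$demo_dir/grub"
rm -rf "$demo_dir"
```

On the OP's original line (`GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet" apparmor=1 security=apparmor`) grub_add_params fails loudly and leaves the file alone, which is the behaviour you want from anything that rewrites boot configuration. Running apparmor_boot_status right after editing the file will still say not-requested: the edit only takes effect after grub-mkconfig and a reboot, and the check reads what the kernel booted with, not what the file says.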


#15 2020-08-01 04:09:01

vkm01
Member
Registered: 2020-06-13
Posts: 2

Re: [ SOLVED ] apparmor not loading via systemctl

No issues. Thank you for the reply.
I had given up on apparmor and anbox, as I had started using the web app for the Android app (OneNote) that I was trying to install using anbox on Arch.
Nonetheless, I would post my results whenever I try enabling apparmor again.

Last edited by vkm01 (2020-08-01 04:10:47)

