Hi,
My goal is to enable AppArmor because I installed snapd and read that AppArmor might increase the security of my system.
https://wiki.archlinux.org/title/AppArmor#Installation tells me to change the lsm parameter to
lsm=landlock,lockdown,yama,integrity,apparmor,bpf
How do I achieve this?
cat /sys/kernel/security/lsm
capability,landlock,lockdown,yama,bpf
This means "integrity" and "apparmor" are missing.
1) Is "integrity" necessary or is this just included in the list because the author had it inside? If this is necessary, are there some things I have to do before enabling it?
2) How do I actually add kernel parameters? In my default grub file, I do not see any mention of the currently in-use lsm parameter.
I do not quite understand https://wiki.archlinux.org/title/GRUB#A … _arguments .
Is this my solution?
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
cat /etc/default/grub
# GRUB boot loader configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=2
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
GRUB_CMDLINE_LINUX=""
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
#GRUB_ENABLE_CRYPTODISK=y
# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true
# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y
# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
#GRUB_DISABLE_OS_PROBER=false
Thanks for having a look at my question!
Last edited by Funny0facer (2024-01-29 21:26:26)
Thanks for commenting. So my solution under 2) was right.
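The check this thread works towards, as an added example that is not part of the original posts: once /etc/default/grub has been edited as in 2), this script reads the lsm= value back and compares it with /sys/kernel/security/lsm. The script name check-lsm.sh and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example. Compares the lsm= list set in a GRUB defaults file with the
# LSMs the running kernel reports in /sys/kernel/security/lsm.

# Print the lsm= value from GRUB_CMDLINE_LINUX_DEFAULT in file $1.
# Prints nothing when the variable or the parameter is absent; if lsm=
# appears more than once, the last occurrence is printed.
grub_lsm() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1" |
        tail -n 1 | tr ' ' '\n' | sed -n 's/^lsm=//p' | tail -n 1
}

# Print the comma-separated entries of $1 (requested) that are absent from
# $2 (active). "capability" is always active and is not part of lsm=.
missing_lsms() {
    out=""
    old_ifs=$IFS
    IFS=,
    for want in $1; do
        case ",$2," in
            *",$want,"*) ;;
            *) out="${out:+$out,}$want" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Live check: sh check-lsm.sh report [grub-defaults-file]
report() {
    requested=$(grub_lsm "${1:-/etc/default/grub}")
    active=$(cat /sys/kernel/security/lsm)
    echo "configured in GRUB defaults: ${requested:-none (no lsm= parameter)}"
    echo "active in running kernel:    $active"
    if [ -n "$requested" ]; then
        echo "configured but not active:   $(missing_lsms "$requested" "$active")"
    fi
}

case "${1:-}" in
    report) report "${2:-}" ;;
esac
```

For the two lists quoted in the first post, missing_lsms prints integrity,apparmor. The edit to /etc/default/grub reaches the kernel only after grub.cfg has been regenerated with grub-mkconfig and the system has been rebooted.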