davidahoward

Everything posted by davidahoward

  1. OK - with some help from a colleague we have this working now...

     into the 'armbian/userpatches' folder, I copied 'linux-sun8i-default.config' and 'linux-sun8i-dev.config' (from armbian/lib/config/kernel/) then added the following to the end of the file:

         #!dh
         CONFIG_SECURITY=y
         CONFIG_SECURITYFS=y
         CONFIG_SECURITY_APPARMOR=y
         CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
         CONFIG_DEFAULT_SECURITY_APPARMOR=y
         CONFIG_DEFAULT_SECURITY="apparmor"
         CONFIG_SECCOMP=y
         CONFIG_SECCOMP_FILTER=y
         #!dh

     (not sure this is exactly how it's supposed to be done - but the result was good...)

     ....

         root@bananapim2plus:/home/dhoward# snap list
         Name         Version  Rev  Developer  Notes
         core         16.04.1  645  canonical  -
         hello-world  6.3      27   canonical  -
         root@bananapim2plus:/home/dhoward# /snap/bin/hello-world
         Hello World!
         root@bananapim2plus:/home/dhoward# /snap/bin/hello-world.evil
         Hello Evil World!
         This example demonstrates the app confinement
         You should see a permission denied error next
         /snap/hello-world/27/bin/evil: 9: /snap/hello-world/27/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied
  2. I recently have been trying to enable SNAPD (SNAPPY) on 16.04 MATE and server.

         sudo apt install snapd

     installs fine, but when I try to install a 'snap' it fails. This should work on 16.04.

         sudo snap install hello-world

     large error dump --- very misleading...

     When I checked to see what is going on with the required apparmor module, I found it wasn't working. When I checked the kernel I found to my surprise that apparmor wasn't enabled. This has been enabled by default on Ubuntu for many, many years...

     It would appear that several kernel flags need to be set in order for apparmor to work:

         set CONFIG_SECURITY_APPARMOR=y

         "If AppArmor should be selected as the default security module then set
         CONFIG_DEFAULT_SECURITY="apparmor"
         set CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1"

     Q: how do I enable this when I build an Armbian kernel? I didn't find it in the menus when I did KERNEL_CONFIGURE="yes"

     ----
     https://www.kernel.org/doc/Documentation/security/apparmor.txt
     https://github.com/FlorentRevest/linux-sunxi-cedrus/blob/master/Documentation/security/apparmor.txt
     ----

     Thanks!
     David

     P.S. For completeness, here is the actual error encountered... and this happened on 16.04 build server, desktop, legacy and current/dev kernel builds on orange pi pc+, bananapi m2+, and olimex lime2 nand and emmc.

     -----

         root@orangepipcplus:~# sudo snap find hello
         Name                        Version  Developer       Notes    Summary
         hello                       2.10     canonical       -        GNU Hello, the "hello world" snap
         hello-world                 6.3      canonical       -        The 'hello-world' of snaps
         hello-ricardokirkner-test1  2        ricardokirkner  1.00USD  say hello
         hello-securx-snap           1.2      securx          -        Single-line elevator pitch for your amazing snap
         rust-hello                  0.1      icey            -        Prove cross platform rust snaps
         root@orangepipcplus:~# sudo snap install hello-world
         error: cannot perform the following tasks:
         - Setup snap "hello-world" (27) security profiles (cannot setup apparmor for snap "hello-world": cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
         apparmor_parser output:
         Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
         Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
         Use --subdomainfs to override.
         )
         - Setup snap "hello-world" (27) security profiles (cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
         apparmor_parser output:
         Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
         Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
         Use --subdomainfs to override.
         )
         root@orangepipcplus:~# uname -a
         Linux orangepipcplus 4.9.0-sun8i #2 SMP Sat Dec 3 17:44:12 UTC 2016 armv7l armv7l armv7l GNU/Linux

     -----

         root@lime2-emmc:~# sudo snap install hello-world
         error: cannot perform the following tasks:
         - Setup snap "hello-world" (27) security profiles (cannot setup apparmor for snap "hello-world": cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
         apparmor_parser output:
         Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
         Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
         Use --subdomainfs to override.
         )
         - Setup snap "hello-world" (27) security profiles (cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
         apparmor_parser output:
         Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
         Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
         Use --subdomainfs to override.
         )
         root@lime2-emmc:~# uname -a
         Linux lime2-emmc 4.8.11-sunxi #1 SMP Wed Nov 30 19:03:50 UTC 2016 armv7l armv7l armv7l GNU/Linux
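
A check for the kernel options listed in the first post, useful before flashing an image to confirm that a userpatches config will actually give snapd its AppArmor and seccomp confinement. This is an added example, not part of either post. The function names are hypothetical, and the script assumes that when a symbol appears more than once the last assignment in the file is the one that takes effect, which matters here because the options were appended after the stock settings.

```shell
#!/bin/sh
# Added example: check a kernel config for the options listed in the post.
REQUIRED='CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y'

# effective_value FILE SYMBOL: print the last value assigned to SYMBOL,
# "n" if its last mention is "# SYMBOL is not set", nothing if it is absent.
effective_value() {
    awk -v sym="$2" '
        index($0, sym "=") == 1        { val = substr($0, length(sym) + 2) }
        $0 == ("# " sym " is not set") { val = "n" }
        END                            { if (val != "") print val }
    ' "$1"
}

# check_config FILE: print one line per missing or wrong option.
# Returns 0 when every required option has the expected value, 1 otherwise.
check_config() {
    cfg=$1
    bad=0
    while IFS= read -r want; do
        sym=${want%%=*}
        expected=${want#*=}
        got=$(effective_value "$cfg" "$sym")
        if [ "$got" != "$expected" ]; then
            echo "$sym: want $expected, got ${got:-<absent>}"
            bad=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $bad
}

# Constructed sample: a stock line with AppArmor off, then the appended block.
# Pass a real config path as the first argument to check that file instead.
sample=$(mktemp)
{ echo '# CONFIG_SECURITY_APPARMOR is not set'; echo "$REQUIRED"; } > "$sample"
check_config "${1:-$sample}" && echo "config OK"
rm -f "$sample"
```

On a running board, the same function can be pointed at a copy of the active kernel config if the kernel exposes one.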