
davidahoward

Posts posted by davidahoward

  1. OK - with some help from a colleague we have this working now...

     

    into the 'armbian/userpatches' folder, I copied 'linux-sun8i-default.config' and 'linux-sun8i-dev.config' (from armbian/lib/config/kernel/)

     

    then added the following to the end of the file:

     

    #!dh
    CONFIG_SECURITY=y
    CONFIG_SECURITYFS=y
    CONFIG_SECURITY_APPARMOR=y
    CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
    CONFIG_DEFAULT_SECURITY_APPARMOR=y
    CONFIG_DEFAULT_SECURITY="apparmor"
    CONFIG_SECCOMP=y
    CONFIG_SECCOMP_FILTER=y
    #!dh

     

    (not sure this is exactly how it's supposed to be done - but the result was good...)

     

    ....

     

    root@bananapim2plus:/home/dhoward# snap list
    Name         Version  Rev  Developer  Notes
    core         16.04.1  645  canonical  -
    hello-world  6.3      27   canonical  -

    root@bananapim2plus:/home/dhoward# /snap/bin/hello-world
    Hello World!
    root@bananapim2plus:/home/dhoward# /snap/bin/hello-world.evil
    Hello Evil World!
    This example demonstrates the app confinement
    You should see a permission denied error next

    /snap/hello-world/27/bin/evil: 9: /snap/hello-world/27/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied

  2. I recently have been trying to enable SNAPD (SNAPPY) on 16.04 MATE and server.

    sudo apt install snapd

     

    installs fine, but when I try to install a 'snap' it fails. This should work on 16.04.

     

    sudo snap install hello-world

     

    large error dump --- very misleading...  

     

    When I checked to see what is going on with required apparmor module, I found it wasn't working.

     

    When I checked the kernel I found to my surprise that apparmor wasn't enabled.  This has been enabled by default on Ubuntu for many, many years...

     

    It would appear that several kernel flags need to be set in order for apparmor to work.

     

    set CONFIG_SECURITY_APPARMOR=y

     

    "If AppArmor should be selected as the default security module then

       set CONFIG_DEFAULT_SECURITY="apparmor"

       set CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1"

     

     

    Q: how do I enable this when I build an Armbian kernel?  I didn't find it in the menus when I did KERNEL_CONFIGURE="yes"

     

    ----

     

    https://www.kernel.org/doc/Documentation/security/apparmor.txt

    https://github.com/FlorentRevest/linux-sunxi-cedrus/blob/master/Documentation/security/apparmor.txt

     

    ----

     

    Thanks!

    David

     

     

    P.S. 

    For completeness, here is the actual error encountered... and this happened on 16.04 build server, desktop, legacy and current/dev kernel builds on orange pi pc+, bananapi m2+, and olimex lime2 nand and emmc.

     

    -----

     

    root@orangepipcplus:~# sudo snap find hello
    Name                        Version  Developer       Notes    Summary
    hello                       2.10     canonical       -        GNU Hello, the "hello world" snap
    hello-world                 6.3      canonical       -        The 'hello-world' of snaps
    hello-ricardokirkner-test1  2        ricardokirkner  1.00USD  say hello
    hello-securx-snap           1.2      securx          -        Single-line elevator pitch for your amazing snap
    rust-hello                  0.1      icey            -        Prove cross platform rust snaps
     
    root@orangepipcplus:~# sudo snap install hello-world
    error: cannot perform the following tasks:
    - Setup snap "hello-world" (27) security profiles (cannot setup apparmor for snap "hello-world": cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
    apparmor_parser output:
    Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
    Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
    Use --subdomainfs to override.
    )
    - Setup snap "hello-world" (27) security profiles (cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
    apparmor_parser output:
    Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
    Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
    Use --subdomainfs to override.
    )
    root@orangepipcplus:~# uname -a
    Linux orangepipcplus 4.9.0-sun8i #2 SMP Sat Dec 3 17:44:12 UTC 2016 armv7l armv7l armv7l GNU/Linux
     
    -----
     
    root@lime2-emmc:~# sudo snap install hello-world
    error: cannot perform the following tasks:
    - Setup snap "hello-world" (27) security profiles (cannot setup apparmor for snap "hello-world": cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
    apparmor_parser output:
    Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
    Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
    Use --subdomainfs to override.
    )
    - Setup snap "hello-world" (27) security profiles (cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
    apparmor_parser output:
    Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
    Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
    Use --subdomainfs to override.
    )
    root@lime2-emmc:~# uname -a
    Linux lime2-emmc 4.8.11-sunxi #1 SMP Wed Nov 30 19:03:50 UTC 2016 armv7l armv7l armv7l GNU/Linux
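The script below is an added example, not code from either of David's posts or from Armbian. It checks a kernel .config (for instance the copy placed in armbian/userpatches) for exactly the options the first post appended, reporting what the file currently says about each missing symbol, and separately checks a booted kernel for the two things the apparmor_parser output in the second post points at: an enabled AppArmor LSM and a mounted securityfs. The config path is passed as an argument; the /sys and /proc paths are the standard kernel interfaces.

```shell
#!/bin/sh
# Added example (not from the posts): check a kernel .config, e.g. the copy in
# armbian/userpatches, for the options the post appends, and check a booted
# kernel for the interfaces apparmor_parser complained about.
REQUIRED_OPTS='CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y'

# check_kernel_config FILE: list every required option that is absent or set
# differently (with what FILE currently says); return 0 only if all are there.
check_kernel_config() {
    file="$1"
    missing=$(printf '%s\n' "$REQUIRED_OPTS" | while IFS= read -r opt; do
        if ! grep -qxF -- "$opt" "$file"; then
            sym=${opt%%=*}
            cur=$(grep -E "^(# )?$sym[= ]" "$file" | head -n 1)
            printf 'missing: %s (currently: %s)\n' "$opt" "${cur:-absent}"
        fi
    done)
    if [ -n "$missing" ]; then
        printf '%s: not ready for AppArmor/snapd\n%s\n' "$file" "$missing"
        return 1
    fi
    printf '%s: all required options present\n' "$file"
}

# check_running_kernel: the LSM must be built in and enabled, and securityfs must
# be mounted (the "no suitable fs in /proc/mounts" warning is this check failing).
check_running_kernel() {
    rc=0
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        printf 'apparmor: enabled=%s\n' "$(cat /sys/module/apparmor/parameters/enabled)"
    else
        echo 'apparmor: module absent (kernel built without the options above?)'; rc=1
    fi
    if grep -q ' securityfs ' /proc/mounts && [ -d /sys/kernel/security/apparmor ]; then
        echo 'securityfs: apparmor interface present'
    else
        echo 'securityfs: not mounted or no apparmor directory'; rc=1
    fi
    return $rc
}

# Usage: sh apparmor-check.sh path/to/linux-sun8i-default.config
if [ "$#" -gt 0 ]; then check_kernel_config "$1"; fi
```

On the board itself, source the script and call check_running_kernel to see which of the two conditions the running kernel fails before rebuilding.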
     