davidahoward

Reputation Activity

  1. Like
    davidahoward got a reaction from Drakoh in APPARMOR kernel support/enablement (for SNAPD)   
    OK - with some help from a colleague we have this working now...
     
    Into the 'armbian/userpatches' folder, I copied 'linux-sun8i-default.config' and 'linux-sun8i-dev.config' (from armbian/lib/config/kernel/)
     
    Then added the following to the end of the file:
     
    #!dh
    CONFIG_SECURITY=y
    CONFIG_SECURITYFS=y
    CONFIG_SECURITY_APPARMOR=y
    CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
    CONFIG_DEFAULT_SECURITY_APPARMOR=y
    CONFIG_DEFAULT_SECURITY="apparmor"
    CONFIG_SECCOMP=y
    CONFIG_SECCOMP_FILTER=y
    #!dh
     
    (not sure this is exactly how it's supposed to be done - but the result was good...)
     
    ....
     
    root@bananapim2plus:/home/dhoward# snap list
    Name         Version  Rev  Developer  Notes
    core         16.04.1  645  canonical  -
    hello-world  6.3      27   canonical  -
     
    root@bananapim2plus:/home/dhoward# /snap/bin/hello-world
    Hello World!
    root@bananapim2plus:/home/dhoward# /snap/bin/hello-world.evil
    Hello Evil World!
    This example demonstrates the app confinement
    You should see a permission denied error next
     
    /snap/hello-world/27/bin/evil: 9: /snap/hello-world/27/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied
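
A check for the config step in the post above, as an added example that is not part of the original post: it reads a kernel config file and reports any of the post's options whose effective value differs from the one listed. It assumes the last mention of a symbol is the effective one when the block is appended to a file that already sets it; the function names and the sample config are constructed for illustration.

```shell
# Options and values the post appends to the kernel config.
REQUIRED='CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y'
# effective_value FILE SYMBOL: print the last value given for SYMBOL, "n" if
# its last mention is "# SYMBOL is not set", or "unset" if it never appears.
# (Last mention wins: an assumption about how duplicates are resolved.)
effective_value() {
    awk -v sym="$2" '
        BEGIN { val = "unset" }
        index($0, sym "=") == 1 { val = substr($0, length(sym) + 2) }
        $0 == "# " sym " is not set" { val = "n" }
        END { print val }' "$1"
}
# check_config FILE: print each mismatch, return 1 if there was any.
check_config() {
    rc=0
    for want in $REQUIRED; do            # entries contain no whitespace
        sym=${want%%=*}
        got=$(effective_value "$1" "$sym")
        [ "$got" = "${want#*=}" ] && continue
        echo "MISMATCH $sym: want ${want#*=}, effective $got"; rc=1
    done
    return "$rc"
}
# Constructed sample: a base config with AppArmor off, then the post's block
# appended with CONFIG_SECCOMP_FILTER left out.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY=""
CONFIG_SECCOMP=y
# CONFIG_SECCOMP_FILTER is not set
CONFIG_SECURITYFS=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
EOF
    if check_config "$tmp"; then st=0; else st=1; fi
    rm -f "$tmp"; return "$st"
}
[ "$#" -eq 0 ] || check_config "$1"      # with a path argument, check that file
```

Run it with the path to the config file as its only argument; it exits non-zero if any listed option is missing or overridden.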