davidahoward Posted December 8, 2016

I recently have been trying to enable SNAPD (SNAPPY) on 16.04 MATE and server.

sudo apt install snapd

installs fine, but when I try to install a 'snap' it fails. This should work on 16.04.

sudo snap install hello-world

large error dump --- very misleading...

When I checked to see what is going on with the required apparmor module, I found it wasn't working. When I checked the kernel I found to my surprise that apparmor wasn't enabled. This has been enabled by default on Ubuntu for many, many years...

It would appear that several kernel flags need to be set in order for apparmor to work:

set CONFIG_SECURITY_APPARMOR=y
"If AppArmor should be selected as the default security module then set CONFIG_DEFAULT_SECURITY="apparmor"
set CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1"

Q: how do I enable this when I build an Armbian kernel? I didn't find it in the menus when I did KERNEL_CONFIGURE="yes"

----
https://www.kernel.org/doc/Documentation/security/apparmor.txt
https://github.com/FlorentRevest/linux-sunxi-cedrus/blob/master/Documentation/security/apparmor.txt
----

Thanks!
David

P.S. For completeness, here is the actual error encountered... and this happened on 16.04 build server, desktop, legacy and current/dev kernel builds on orange pi pc+, bananapi m2+, and olimex lime2 nand and emmc.
-----
root@orangepipcplus:~# sudo snap find hello
Name                        Version  Developer       Notes    Summary
hello                       2.10     canonical       -        GNU Hello, the "hello world" snap
hello-world                 6.3      canonical       -        The 'hello-world' of snaps
hello-ricardokirkner-test1  2        ricardokirkner  1.00USD  say hello
hello-securx-snap           1.2      securx          -        Single-line elevator pitch for your amazing snap
rust-hello                  0.1      icey            -        Prove cross platform rust snaps
root@orangepipcplus:~# sudo snap install hello-world
error: cannot perform the following tasks:
- Setup snap "hello-world" (27) security profiles (cannot setup apparmor for snap "hello-world": cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
- Setup snap "hello-world" (27) security profiles (cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
root@orangepipcplus:~# uname -a
Linux orangepipcplus 4.9.0-sun8i #2 SMP Sat Dec 3 17:44:12 UTC 2016 armv7l armv7l armv7l GNU/Linux
-----
root@lime2-emmc:~# sudo snap install hello-world
error: cannot perform the following tasks:
- Setup snap "hello-world" (27) security profiles (cannot setup apparmor for snap "hello-world": cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
- Setup snap "hello-world" (27) security profiles (cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
root@lime2-emmc:~# uname -a
Linux lime2-emmc 4.8.11-sunxi #1 SMP Wed Nov 30 19:03:50 UTC 2016 armv7l armv7l armv7l GNU/Linux
Drakoh Posted December 14, 2016

Some kind of MAC (either AppArmor or SELinux) would be great. I was thinking about trying to make SELinux work, but haven't found the time for messing around with it and my board is in "prod" anyway.
Igor Posted December 15, 2016

Drakoh said:
Some kind of MAC (either AppArmor or SELinux) would be great. I was thinking about trying to make SELinux work, but haven't found the time for messing around with it and my board is in "prod" anyway.

IIRC something was wrong or broken on arm by default. Don't recall. We are too busy elsewhere and not planning to deal with this soon. Help would be nice!
zador.blood.stained Posted December 15, 2016

I think AppArmor can be enabled in several kernels (especially mainline), but it won't be activated by default (will need boot script adjustment) and will need some feedback to test if it works or not.
davidahoward Posted December 27, 2016 Author

OK - with some help from a colleague we have this working now...

Into the 'armbian/userpatches' folder I copied 'linux-sun8i-default.config' and 'linux-sun8i-dev.config' (from armbian/lib/config/kernel/), then added the following to the end of the file:

#!dh
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
#!dh

(not sure this is exactly how it's supposed to be done - but the result was good...)

....

root@bananapim2plus:/home/dhoward# snap list
Name         Version  Rev  Developer  Notes
core         16.04.1  645  canonical  -
hello-world  6.3      27   canonical  -
root@bananapim2plus:/home/dhoward# /snap/bin/hello-world
Hello World!
root@bananapim2plus:/home/dhoward# /snap/bin/hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
/snap/hello-world/27/bin/evil: 9: /snap/hello-world/27/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied
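The two checks a practitioner would want around the config above, as an added example that is not code from the thread or from Armbian: a build-time check that a kernel .config (for instance the copy dropped into userpatches/) actually contains the options the post lists, and a runtime check on the board that mirrors what apparmor_parser complained about in the first post (no securityfs with an apparmor interface). The function names and the per-LSM grouping are mine; the option lists are the ones posted in this thread (the SELinux set comes from the later post). The CONFIG_DEFAULT_SECURITY string is how the 4.x kernels used here select the default LSM.

```shell
#!/bin/sh
# Added example, not from the thread or from Armbian: verify an LSM is built in
# and selected by default, first in the kernel .config, then on the running board.

# Print, one per line, the options the named LSM needs to be built in and made
# the default. The apparmor list keeps the seccomp options from the posted
# config, since snapd confinement relies on them as well.
lsm_required_options() {
    case "$1" in
        apparmor)
            printf '%s\n' CONFIG_SECURITY=y CONFIG_SECURITYFS=y \
                CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 \
                CONFIG_DEFAULT_SECURITY_APPARMOR=y 'CONFIG_DEFAULT_SECURITY="apparmor"' \
                CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y
            ;;
        selinux)
            printf '%s\n' CONFIG_SECURITY=y CONFIG_SECURITYFS=y \
                CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y \
                CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1 \
                CONFIG_DEFAULT_SECURITY_SELINUX=y 'CONFIG_DEFAULT_SECURITY="selinux"'
            ;;
        *)
            echo "unknown LSM: $1" >&2
            return 2
            ;;
    esac
}

# Usage: missing_lsm_options CONFIG_FILE apparmor|selinux
# Prints each required option that is absent or set differently (a line such as
# "# CONFIG_SECURITY_APPARMOR is not set" counts as missing).
# Exit 0 when the config is complete, 1 when something is missing, 2 on a bad LSM name.
missing_lsm_options() {
    config="$1"
    required=$(lsm_required_options "$2") || return $?
    status=0
    for opt in $required; do
        # -x: whole line must match; -F: literal, because of the quotes in CONFIG_DEFAULT_SECURITY="..."
        grep -qxF -- "$opt" "$config" || { echo "$opt"; status=1; }
    done
    return $status
}

# On the board: what the running kernel actually exposes. apparmor_parser's
# "unable to find a suitable fs in /proc/mounts" warning in the first post
# corresponds to the securityfs check below failing.
running_lsm_status() {
    if [ -r /sys/kernel/security/lsm ]; then      # present on newer kernels only
        echo "initialised LSMs: $(cat /sys/kernel/security/lsm)"
    fi
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        echo "apparmor enabled: $(cat /sys/module/apparmor/parameters/enabled)"   # Y or N
    else
        echo "apparmor: not built into this kernel"
    fi
    if awk '$3 == "securityfs" && $2 == "/sys/kernel/security" { found = 1 } END { exit !found }' /proc/mounts; then
        if [ -d /sys/kernel/security/apparmor ]; then
            echo "securityfs mounted, apparmor interface present"
        else
            echo "securityfs mounted, but no apparmor interface in it"
        fi
    else
        echo "securityfs not mounted at /sys/kernel/security"
    fi
    if [ -r /sys/fs/selinux/enforce ]; then
        echo "selinux enforce flag: $(cat /sys/fs/selinux/enforce)"   # 0 permissive, 1 enforcing
    else
        echo "selinux: selinuxfs not mounted (disabled or not built in)"
    fi
    return 0
}
```

Run `missing_lsm_options userpatches/linux-sun8i-default.config apparmor` before starting a build; an empty result and exit status 0 mean the config carries everything above. On the board, `running_lsm_status` tells you whether the problem is the kernel (apparmor not built in) or only that securityfs is not mounted, which is the distinction the snapd error hides.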
Drakoh Posted March 27, 2017

Sorry for necroing, but I've just had time to tinker with MAC. AppArmor seems to be working with @davidahoward's options, although I'm more interested in SELinux. I've built the kernel with these options:

root@orangepipc:~# grep -i selinux /boot/config-4.10.3-sun8i
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
root@orangepipc:~#

Despite this, SELinux is not running:

root@orangepipc:~# check-selinux-installation
../proc/1 kernel..
SELinux is not enabled.
The init process (PID 1) is running in an incorrect domain.
Old style ttys were found.
FSCKFIX is not enabled - not serious, but could prevent system from booting...
root@orangepipc:~# sestatus
SELinux status:                 disabled
root@orangepipc:~#

What I'd like to do is to pass the "selinux=1 security=selinux" options to the kernel, but since I'm a noob to u-boot and ARM in general, I don't know how to do it. I've tried adding them to /boot/armbianEnv.txt, but it doesn't make any difference, so I'm sure I'm missing something. Here are the current kernel options:

root@orangepipc:~# cat /proc/cmdline
root=UUID=7bf2e6bb-0bd8-4e0e-9f25-72f2b9788556 rootwait rootfstype=ext4 console=tty1 console=ttyS0,115200 hdmi.audio=EDID:0 disp.screen0_output_mode=1920x1080p60 panic=10 consoleblank=0 loglevel=1 ubootpart=d8287bc5-01 ubootsource=mmc sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_fb_mem_reserve=16 cgroup_enable=memory swapaccount=1
root@orangepipc:~#

Any idea/comment is appreciated.
zador.blood.stained Posted March 27, 2017

22 minutes ago, Drakoh said:
Any idea/comment is appreciated.

After 5 minutes on an existing Ubuntu Xenial installation with the default (untouched sun8i-dev) kernel config:

root@orangepiplus2e:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

From shell history:

apt install policycoreutils selinux-basics selinux-policy-default auditd
selinux-activate
vi /boot/armbianEnv.txt
# add a line:
extraargs=selinux=1 security=selinux
# this is needed with stock config where security is unset and SELinux is disabled by default

Then reboot and wait for some time, the SELinux relabeling task will be running and the board will reboot again. Please make a backup or ensure you can access your filesystem in case anything goes wrong.
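The armbianEnv.txt step above is the one that is easy to get wrong, so here is an added example (not code from the thread or from Armbian) that does it mechanically. Armbian's boot script appends the value of the `extraargs=` key in /boot/armbianEnv.txt to the kernel command line; parameters written as bare lines are not picked up, which is the likely reason the earlier attempt "didn't make any difference". The first function merges parameters into that single key without duplicating it; the second confirms after reboot that they reached the kernel. Function names are mine, and the file paths are parameters so the merge can be rehearsed on a copy before touching /boot.

```shell
#!/bin/sh
# Added example, not from the thread or from Armbian: put kernel parameters into
# the extraargs= key of armbianEnv.txt idempotently, then verify via /proc/cmdline.

# Usage: set_extraargs ENV_FILE PARAM...
#   set_extraargs /boot/armbianEnv.txt selinux=1 security=selinux
# A parameter replaces an existing one with the same key (selinux=0 -> selinux=1)
# and keeps its position; repeated calls leave the file unchanged. Every other
# key in the file is preserved. Keys that may legitimately repeat on a command
# line (console=) are not meant to go through extraargs and would be collapsed.
set_extraargs() {
    env_file="$1"; shift
    existing=$(sed -n 's/^extraargs=//p' "$env_file")      # empty if the key is absent
    # Split the existing value on whitespace (set -f: no globbing of tokens),
    # then dedupe by key, i.e. the text before the first '='.
    merged=$(
        set -f
        printf '%s\n' $existing "$@" | awk -F= '
            NF == 0 { next }
            $1 in pos { token[pos[$1]] = $0; next }      # same key again: later value wins
            { pos[$1] = ++n; token[n] = $0 }
            END { for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? " " : ""), token[i] }'
    )
    tmp=$(mktemp) || return 1
    grep -v '^extraargs=' "$env_file" > "$tmp" || true    # grep -v exits 1 when nothing is left
    printf 'extraargs=%s\n' "$merged" >> "$tmp"
    cat "$tmp" > "$env_file"                               # rewrite in place: same inode and mode
    rm -f "$tmp"
}

# Usage: cmdline_has_params CMDLINE_FILE PARAM...   (CMDLINE_FILE is /proc/cmdline on the board)
# Exit 0 only if every parameter appears verbatim on the kernel command line;
# each missing one is reported on stderr.
cmdline_has_params() {
    cmdline_file="$1"; shift
    status=0
    for param in "$@"; do
        tr ' ' '\n' < "$cmdline_file" | grep -qxF -- "$param" \
            || { echo "not on kernel command line: $param" >&2; status=1; }
    done
    return $status
}
```

On the board the sequence is `set_extraargs /boot/armbianEnv.txt selinux=1 security=selinux`, reboot, then `cmdline_has_params /proc/cmdline selinux=1 security=selinux`; if the second step fails, the boot script never saw the key and there is no point looking at SELinux itself yet. Run it against the command line quoted in the previous post and it reports both parameters missing, which matches the `sestatus` output there.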
Drakoh Posted April 29, 2017

On 3/27/2017 at 10:08 PM, zador.blood.stained said:
apt install policycoreutils selinux-basics selinux-policy-default auditd
selinux-activate
vi /boot/armbianEnv.txt
# add a line:
extraargs=selinux=1 security=selinux
# this is needed with stock config where security is unset and SELinux is disabled by default

Thanks, this was the missing piece. After this I managed to play around with SELinux, but sadly, its support on Jessie is pretty much lacking, but there is hope it will be better in Stretch.