Jump to content

APPARMOR kernel support/enablement (for SNAPD)


davidahoward

Recommended Posts

I recently have been trying to enable SNAPD (SNAPPY) on 16.04 MATE and server.

sudo apt install snapd

 

installs fine, but when I try install a 'snap' it fails.  this should work on 16.04.

 

sudo snap install hello-world

 

large error dump --- very misleading...  

 

When I checked to see what is going on with required apparmor module, I found it wasn't working.

 

When I checked the kernel I found to my surprise that apparmor wasn't enabled.  This has been enabled by default on Ubuntu for many, many years...

 

It would appear that several kernel flags need to be set in order for apparmor to work

 

set CONFIG_SECURITY_APPARMOR=y

 

"If AppArmor should be selected as the default security module then

   set CONFIG_DEFAULT_SECURITY="apparmor"

   set CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1"

 

 

Q: how do I enable this when I build an Armbian kernel?  I didn't find it in the menus when I did KERNEL_CONFIGURE="yes"

 

----

 

https://www.kernel.org/doc/Documentation/security/apparmor.txt

https://github.com/FlorentRevest/linux-sunxi-cedrus/blob/master/Documentation/security/apparmor.txt

 

----

 

Thanks!

David

 

 

P.S. 

For completeness, here is the actual error encountered... and this happened on 16.04 build server, desktop, legacy and current/dev kernel builds on orange pi pc+, bananapi m2+, and olimex lime2 nand and emmc.

 

-----

 

root@orangepipcplus:~# sudo snap find hello
Name                        Version  Developer       Notes    Summary
hello                       2.10     canonical       -        GNU Hello, the "hello world" snap
hello-world                 6.3      canonical       -        The 'hello-world' of snaps
hello-ricardokirkner-test1  2        ricardokirkner  1.00USD  say hello
hello-securx-snap           1.2      securx          -        Single-line elevator pitch for your amazing snap
rust-hello                  0.1      icey            -        Prove cross platform rust snaps
 
root@orangepipcplus:~# sudo snap install hello-world
error: cannot perform the following tasks:
- Setup snap "hello-world" (27) security profiles (cannot setup apparmor for snap "hello-world": cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
- Setup snap "hello-world" (27) security profiles (cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
root@orangepipcplus:~# uname -a
Linux orangepipcplus 4.9.0-sun8i #2 SMP Sat Dec 3 17:44:12 UTC 2016 armv7l armv7l armv7l GNU/Linux
 
-----
 
root@lime2-emmc:~# sudo snap install hello-world
error: cannot perform the following tasks:
- Setup snap "hello-world" (27) security profiles (cannot setup apparmor for snap "hello-world": cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
- Setup snap "hello-world" (27) security profiles (cannot load apparmor profile "snap.hello-world.env": cannot load apparmor profile: exit status 1
apparmor_parser output:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
)
root@lime2-emmc:~# uname -a
Linux lime2-emmc 4.8.11-sunxi #1 SMP Wed Nov 30 19:03:50 UTC 2016 armv7l armv7l armv7l GNU/Linux
 
Link to comment
Share on other sites

Some kind of MAC (either AppArmor or SELinux) would be great.

I was thinking about trying to make SELinux work, but haven't found the time for messing around with it and my board is in "prod" anyway. :D

IIRC something was wrong or broken on arm by default. Don't recall. We are too busy elsewhere and not planning to deal with this soon. Help would be nice!

Link to comment
Share on other sites

OK - with some help from a colleague we have this working now...

 

into the 'armbian/userpatches' folder, I copied 'linux-sun8i-default.config' and 'linux-sun8i-dev.config' (from armbian/lib/config/kernel/)

 

then added the following to the end of the file:

 

#!dh

CONFIG_SECURITY=y

CONFIG_SECURITYFS=y

CONFIG_SECURITY_APPARMOR=y

CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

CONFIG_DEFAULT_SECURITY_APPARMOR=y

CONFIG_DEFAULT_SECURITY="apparmor"

CONFIG_SECCOMP=y

CONFIG_SECCOMP_FILTER=y

#!dh

 

(not sure this is exactly how it's supposed to be done - but the result was good...)

 

....

 

root@bananapim2plus:/home/dhoward# snap list

Name         Version  Rev  Developer  Notes

core         16.04.1  645  canonical  -

hello-world  6.3      27   canonical  -

 

root@bananapim2plus:/home/dhoward# /snap/bin/hello-world

Hello World!

root@bananapim2plus:/home/dhoward# /snap/bin/hello-world.evil

Hello Evil World!

This example demonstrates the app confinement

You should see a permission denied error next

 

/snap/hello-world/27/bin/evil: 9: /snap/hello-world/27/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied

Link to comment
Share on other sites

Sorry for necroing, but I've just had time to tinker with MAC.

 

AppArmor seems to be working with @davidahoward 's options, although I'm more interested in SELinux.

I've built the kernel with these options:

root@orangepipc:~# grep -i selinux /boot/config-4.10.3-sun8i 
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
root@orangepipc:~# 

Despite this, selinux is not running:

root@orangepipc:~# check-selinux-installation 
../proc/1       kernel..
SELinux is not enabled.
The init process (PID 1) is running in an incorrect domain.
Old style ttys were found.
FSCKFIX is not enabled - not serious, but could prevent system from booting...

root@orangepipc:~# sestatus 
SELinux status:                 disabled
root@orangepipc:~# 

 

What I'd like to do is to pass the "selinux=1 security=selinux" options to the kernel, but since I'm noob to u-boot and arm in general, I don't know how to do it.

I've tried adding them ot /boot/armbianEnv.txt, but it doesn't make any difference, so I'm sure I'm missing something.

Here are the current kernel options:

root@orangepipc:~# cat /proc/cmdline
root=UUID=7bf2e6bb-0bd8-4e0e-9f25-72f2b9788556 rootwait rootfstype=ext4 console=tty1 console=ttyS0,115200 hdmi.audio=EDID:0 disp.screen0_output_mode=1920x1080p60 panic=10 consoleblank=0 loglevel=1 ubootpart=d8287bc5-01 ubootsource=mmc   sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_fb_mem_reserve=16 cgroup_enable=memory swapaccount=1
root@orangepipc:~#

Any idea/comment is appreciated.

Link to comment
Share on other sites

22 minutes ago, Drakoh said:

Any idea/comment is appreciated.

After 5 minutes on existing Ubuntu Xenial installation with default (untouched sun8i-dev) kernel config

root@orangepiplus2e:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

From shell history:

apt install policycoreutils selinux-basics selinux-policy-default auditd
selinux-activate
vi /boot/armbianEnv.txt
# add a line: extraargs=selinux=1 security=selinux
# this is needed with stock config where security is unset and SElinux is disabled by default

Then reboot and wait for some time, SElinux relabeling task will be running and the board will reboot again.

Please make a backup or ensure you can access your filesystem in case anything goes wrong.

Link to comment
Share on other sites

On 3/27/2017 at 10:08 PM, zador.blood.stained said:

apt install policycoreutils selinux-basics selinux-policy-default auditd
selinux-activate
vi /boot/armbianEnv.txt
# add a line: extraargs=selinux=1 security=selinux
# this is needed with stock config where security is unset and SElinux is disabled by default

 

Thanks, this was the missing piece.

 

After this I managed to play around with SELinux, but sadly, its support on Jessie is pretty much lacking, but there is hope it will be better in Stretch.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
×
×
  • Create New...

Important Information

Terms of Use - Privacy Policy - Guidelines