suchende Posted March 22, 2016 Share Posted March 22, 2016 I tried to used AppArmor under the Linux cubietruck 4.4.1-sunxi #10 SMP Wed Feb 17 17:57:20 CET 2016 armv7l GNU/Linux. But I get a kernel panic after i rebooted the system. Some questions: 1. Did you integrate AppArmor into the kernel? 2. Did you use an alternative mandatory access control? 3. Need I an additional kernel argument in the /boot/boot.cmd other than these "apparmor=1 security=apparmor"? 4. Is there a major diffenrece between your kernel and that from danad.de? Unluckily I was not capable of getting a dump from the kernel panic. If you need it, I would take a photo. Link to comment Share on other sites More sharing options...
tkaiser Posted March 22, 2016 Share Posted March 22, 2016 If you need it, I would take a photo. To be used for what? Feeding an OCR engine? Please compare http://www.danand.de/index.php/2015-12/apparmor-and-u-boot-fix/ and https://github.com/igorpecovnik/lib/blob/master/config/linux-sunxi-next.config to get the idea how to fix this Link to comment Share on other sites More sharing options...
TCB13 Posted January 26, 2019 Share Posted January 26, 2019 Links above seem dead. I tried to get Apparmor to run in a Nanopi Neo 2 (18.04.1 LTS 4.19.13-sunxi64) as: apt install apparmor echo "extraargs=apparmor=1 security=apparmor" >> /boot/armbianEnv.txt update-initramfs -u reboot However after the reboot I still get: root@nanopineo2:~# service apparmor status ● apparmor.service - AppArmor initialization Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled) Active: inactive (dead) Condition: start condition failed at Sat 2019-01-26 16:10:54 UTC; 4min 55s ago └─ ConditionSecurity=apparmor was not met Docs: man:apparmor(7) http://wiki.apparmor.net/ I'm not much versed in this, do I need to compile a new kernel to enable AppArmor or, in theory my changes were enough? Thank you. Link to comment Share on other sites More sharing options...
martinayotte Posted January 26, 2019 Share Posted January 26, 2019 8 minutes ago, TCB13 said: do I need to compile a new kernel to enable AppArmor Probably ... To confirm, check it by doing "grep APPARMOR /boot/config-*" . 1 Link to comment Share on other sites More sharing options...
TCB13 Posted January 26, 2019 Share Posted January 26, 2019 1 hour ago, martinayotte said: Probably ... To confirm, check it by doing "grep APPARMOR /boot/config-*" . Thanks for the answer, here is the result: root@nanopineo2:~# grep APPARMOR /boot/config-* CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0 CONFIG_SECURITY_APPARMOR_HASH=y CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y # CONFIG_SECURITY_APPARMOR_DEBUG is not set # CONFIG_DEFAULT_SECURITY_APPARMOR is not set CONFIG_SECURITY_APPARMOR is set to y. Shouldn't it work out of the box with my changes to /boot/armbianEnv.txt ? Link to comment Share on other sites More sharing options...
martinayotte Posted January 26, 2019 Share Posted January 26, 2019 1 hour ago, TCB13 said: Shouldn't it work out of the box Unfortunately, I don't know anythings about AppArmor ... Maybe their site will help : http://wiki.apparmor.net/ Link to comment Share on other sites More sharing options...
TCB13 Posted January 26, 2019 Share Posted January 26, 2019 @martinayotte I decided to switch to the Debian kernel and the exact same config worked right after a reboot. Although Ubuntu is the OS that brags about using Apparmor by default looks like on ARM Debian works much better. Link to comment Share on other sites More sharing options...
Recommended Posts