suchende Posted March 22, 2016

I tried to use AppArmor under the Linux cubietruck 4.4.1-sunxi #10 SMP Wed Feb 17 17:57:20 CET 2016 armv7l GNU/Linux. But I get a kernel panic after I rebooted the system.

Some questions:

1. Did you integrate AppArmor into the kernel?
2. Did you use an alternative mandatory access control?
3. Do I need an additional kernel argument in the /boot/boot.cmd other than these "apparmor=1 security=apparmor"?
4. Is there a major difference between your kernel and that from danand.de?

Unluckily I was not capable of getting a dump from the kernel panic. If you need it, I would take a photo.

tkaiser Posted March 22, 2016

> If you need it, I would take a photo.

To be used for what? Feeding an OCR engine?

Please compare http://www.danand.de/index.php/2015-12/apparmor-and-u-boot-fix/ and https://github.com/igorpecovnik/lib/blob/master/config/linux-sunxi-next.config to get the idea how to fix this.

TCB13 Posted January 26, 2019

Links above seem dead. I tried to get AppArmor to run on a Nanopi Neo 2 (18.04.1 LTS 4.19.13-sunxi64) as:

    apt install apparmor
    echo "extraargs=apparmor=1 security=apparmor" >> /boot/armbianEnv.txt
    update-initramfs -u
    reboot

However after the reboot I still get:

    root@nanopineo2:~# service apparmor status
    ● apparmor.service - AppArmor initialization
       Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
       Active: inactive (dead)
    Condition: start condition failed at Sat 2019-01-26 16:10:54 UTC; 4min 55s ago
               └─ ConditionSecurity=apparmor was not met
         Docs: man:apparmor(7)
               http://wiki.apparmor.net/

I'm not much versed in this. Do I need to compile a new kernel to enable AppArmor or, in theory, were my changes enough? Thank you.

martinayotte Posted January 26, 2019

8 minutes ago, TCB13 said:
> do I need to compile a new kernel to enable AppArmor

Probably ... To confirm, check it by doing "grep APPARMOR /boot/config-*".

TCB13 Posted January 26, 2019

1 hour ago, martinayotte said:
> Probably ... To confirm, check it by doing "grep APPARMOR /boot/config-*" .

Thanks for the answer, here is the result:

    root@nanopineo2:~# grep APPARMOR /boot/config-*
    CONFIG_SECURITY_APPARMOR=y
    CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
    CONFIG_SECURITY_APPARMOR_HASH=y
    CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
    # CONFIG_SECURITY_APPARMOR_DEBUG is not set
    # CONFIG_DEFAULT_SECURITY_APPARMOR is not set

CONFIG_SECURITY_APPARMOR is set to y. Shouldn't it work out of the box with my changes to /boot/armbianEnv.txt?

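How the config values in the grep output above combine with the kernel command line, as an added example that is not part of the thread or of Armbian: it models kernels such as the 4.19 one posted, where apparmor= overrides CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and security= overrides the compiled-in default LSM. The function names and the two sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): will AppArmor be active at boot?
# Models kernels that select the LSM with security=, such as the 4.19 one above.

# cfg_val CONFIG_TEXT KEY: value of KEY in kernel config text, empty if not set
cfg_val() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# arg_val CMDLINE NAME: last value given for NAME= on the kernel command line
arg_val() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# apparmor_verdict CONFIG_TEXT CMDLINE prints one of:
#   not-built     CONFIG_SECURITY_APPARMOR is not y, a new kernel is needed
#   disabled      built in, but switched off (needs apparmor=1)
#   not-selected  enabled, but not the chosen LSM (needs security=apparmor)
#   active        enabled and selected
apparmor_verdict() {
    if [ "$(cfg_val "$1" CONFIG_SECURITY_APPARMOR)" != y ]; then
        echo not-built; return 0
    fi
    # apparmor= on the command line overrides the compiled-in default;
    # this simplified model treats only the value 1 as "on"
    aa_on=$(arg_val "$2" apparmor)
    [ -n "$aa_on" ] || aa_on=$(cfg_val "$1" CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE)
    if [ "$aa_on" != 1 ]; then
        echo disabled; return 0
    fi
    # security= on the command line overrides the compiled-in default LSM
    aa_lsm=$(arg_val "$2" security)
    if [ -z "$aa_lsm" ] && [ "$(cfg_val "$1" CONFIG_DEFAULT_SECURITY_APPARMOR)" = y ]; then
        aa_lsm=apparmor
    fi
    if [ "$aa_lsm" = apparmor ]; then echo active; else echo not-selected; fi
}

# Config lines as posted above; the two command lines are constructed samples.
PAGE_CONFIG='CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set'

echo "without extraargs: $(apparmor_verdict "$PAGE_CONFIG" 'console=ttyS0 root=/dev/mmcblk0p1')"
echo "with extraargs:    $(apparmor_verdict "$PAGE_CONFIG" 'console=ttyS0 apparmor=1 security=apparmor')"

# On the board, use the real inputs and compare with the kernel's own answer:
#   apparmor_verdict "$(cat "/boot/config-$(uname -r)")" "$(cat /proc/cmdline)"
#   cat /sys/module/apparmor/parameters/enabled    # Y or N
```
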
martinayotte Posted January 26, 2019

1 hour ago, TCB13 said:
> Shouldn't it work out of the box

Unfortunately, I don't know anything about AppArmor ... Maybe their site will help: http://wiki.apparmor.net/

TCB13 Posted January 26, 2019

@martinayotte I decided to switch to the Debian kernel and the exact same config worked right after a reboot. Although Ubuntu is the OS that brags about using AppArmor by default, it looks like on ARM Debian works much better.