[SOLVED] AppArmor not loading profiles at boot

05 October 2020, 17:04:52

Hello,
I have AppArmor enabled in kernel

Quote

cat /usr/src/linux-5.8.13/.config | grep APPARMOR
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y

and in grub

Quote

GRUB_CMDLINE_LINUX_DEFAULT="resume=UUID=6e728585-d601-4ced-add0-9136b1cb1017 apparmor=1 security=apparmor init_on_alloc=1 init_on_free=1 pti=on mds=full"

AppArmor starts at boot:

Quote

sudo aa-enabled
Yes

but does not load profiles present in /etc/apparmor.d/

Quote

sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

I can load profiles from command line:

Quote

sudo apparmor_parser --replace /etc/apparmor.d/usr.bin.thunderbird

and profiles are loaded:

Quote

sudo aa-status
apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
   firejail-default
   ntpd
   thunderbird
   thunderbird//browser_java
   thunderbird//browser_openjdk
   thunderbird//gpg
   thunderbird//sanitized_helper
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

but after reboot apparmor starts without loading profiles.

I don't see apparmor service (openrc) to add

So how can I force apparmor to load profiles at boot?

Thank you

Re: AppArmor nor loading profiles at boot

Reply #1 – 06 October 2020, 00:51:11

apparmor-openrc is not listed by octopi
but after running

Quote

pacman -Ss appramor

I found that apparmor-openrc is available
so I run

Quote

pacman -S apparmor-openrc

and all works

also after installation of apparmor-openrc, package is now visible in octopi.

Re: AppArmor not loading profiles at boot

Reply #2 – 06 October 2020, 14:49:48

Quote from: tut – on 06 October 2020, 00:51:11

apparmor-openrc is not listed by octopi
also after installation of apparmor-openrc, package is now visible in octopi.

Hi, this is not correct.

Regards

Re: AppArmor not loading profiles at boot

Reply #3 – 06 October 2020, 17:27:56

actually I have seen only first two items:
apparmor from world
and
apparmor from extra
but not
apparmor-opencr

pacman did show all apparmor packages

thank you

Re: AppArmor not loading profiles at boot

Reply #4 – 30 December 2020, 13:07:37

BTW, where are runit init scripts for apparmor? I've noticed runit and s6 lack some init scripts compared to openrc. I took, e.g., hddtemp init module from Void Linux and modified it for my disks, but apparmor seems to be too complicated for my poor understanding.

Re: AppArmor not loading profiles at boot

Reply #5 – 24 January 2021, 12:13:44

Quote from: VictorBrand – on 30 December 2020, 13:07:37

BTW, where are runit init scripts for apparmor? I've noticed runit and s6 lack some init scripts compared to openrc. I took, e.g., hddtemp init module from Void Linux and modified it for my disks, but apparmor seems to be too complicated for my poor understanding.

Hi,

We consider to create and package them, but due to the fact that apparmor is complicated in specific parts, we need time.

Re: AppArmor not loading profiles at boot

Reply #6 – 29 January 2021, 14:30:23

@VictorBrand, on it's way.

I hope within next days will be available for both runit and s6 in our repos

Re: AppArmor not loading profiles at boot

Reply #7 – 29 January 2021, 17:16:47

Quote from: linuxer – on 29 January 2021, 14:30:23

@VictorBrand, on it's way.

I hope within next days will be available for both runit and s6 in our repos

Thank you! I have some experience in programming, but I've never learned bash-scripting, although now I'm trying to improve my skills. I've tried to import apparmor init scripts from other distros, but it's a bit complicated. Stage 2 runit scripts can be imported from Void Linux to Artix runit quite easily, but apparmor is a stage 1 script. In Void, it is rather complicated (it loads profiles from /etc/apparmor.d in a cycle), but, according to OpenRC and systemd apparmor init scripts, you only need to include /usr/lib/apparmor/apparmor.rc.functions, define some functions which do logging and console output (like aa_action, aa_log_action_start etc) and then invoke parse_profiles function after some checks.

The problem for me is that stage 1 runit scripts in Artix are made in other way than in Void. BTW I do like Artix' way more than Void's (not to say that in Void some packages are weirdly built, especially the kernels, which heat my CPU for some stupid reason). You are doing a good job, guys

Re: AppArmor not loading profiles at boot

Reply #8 – 30 January 2021, 13:17:42

@VictorBrand as soon as the servers will sync, apparmor-runit-20210129-1 will be available in world repo.