
Apparmor does not work on linux-hardened (OpenRC)

Hello all, I haven't been able to find any threads with an identical problem so I post here. I am running Artix with linux-hardened and OpenRC. AppArmor gives me the following error:

doas apparmor_parser /usr/share/apparmor/extra-profiles/
Code:
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
Trying to rerun the same command with --subdomainfs fails silently. The message "Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)" is in the OpenRC init logs too.

AppArmor is enabled in the kernel

cat /usr/src/linux-hardened/.config | grep APPARMOR
Code:
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set

AppArmor is also enabled in grub (/etc/default/grub)

Code:
GRUB_CMDLINE_LINUX="landlock,lockdown,yama,apparmor,bpf"

Code:
aa-enabled
No - disabled at boot.

Code:
aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.

Code:
rc-service apparmor status
 * status: started

Any help would be greatly appreciated.

Re: Apparmor does not work on linux-hardened (OpenRC)

Reply #1
I know nothing about apparmor or linux-hardened kernel. My question though is: are the headers for the hardened kernel installed?
Cat Herders of Linux


Re: Apparmor does not work on linux-hardened (OpenRC)

Reply #3


Well hopefully a dev/someone with exp with apparmor and hardened kernel will come along soon.

Shame debug isn't on.  That would probably be useful.

The error clearly seems to indicate apparmor is the wrong version.


https://unix.stackexchange.com/questions/401927/enabling-apparmor-in-linux

is this related to your issue?
Cat Herders of Linux

Re: Apparmor does not work on linux-hardened (OpenRC)

Reply #4

> Well hopefully a dev/someone with exp with apparmor and hardened kernel will come along soon.
>
> Shame debug isn't on.  That would probably be useful.
>
> The error clearly seems to indicate apparmor is the wrong version.
>
> https://unix.stackexchange.com/questions/401927/enabling-apparmor-in-linux
>
> is this related to your issue?

I don't think so, I am not compiling my own kernel. Hard to say as the config he links 404s.

 

Re: Apparmor does not work on linux-hardened (OpenRC)

Reply #5
Well, after returning to the issue after some time I've discovered that the guide I initially followed was faulty. I put the relevant information on GRUB_CMDLINE_LINUX_DEFAULT rather than GRUB_CMDLINE_LINUX and all works well.

I've also enabled auditd so in the end my line is
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet lsm=landlock,lockdown,yama,apparmor,bpf audit=1"

All works nicely, running default profiles, provided extra-profiles, and krathalan's apparmor profiles.
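
A check for the symptom in this thread, as an added example that is not from any of the posters: it looks for an lsm= parameter that names apparmor on a kernel command line, which is what the working line in Reply #5 carries. The function names and the two sample command lines are constructed, modelled on the GRUB values quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): does a kernel command line activate AppArmor?

# Print the value of lsm= on a command line (last occurrence if repeated), or nothing.
# Runs in a subshell so "set -f" (no globbing while splitting) does not leak out.
lsm_param() (
    set -f
    val=""
    for tok in $1; do
        case "$tok" in
            lsm=*) val="${tok#lsm=}" ;;
        esac
    done
    printf '%s\n' "$val"
)

# Classify a command line as: ok | no-lsm-param | apparmor-not-listed
check_cmdline() {
    list=$(lsm_param "$1")
    if [ -z "$list" ]; then
        echo "no-lsm-param"
        return 0
    fi
    case ",$list," in
        *,apparmor,*) echo "ok" ;;
        *)            echo "apparmor-not-listed" ;;
    esac
}

# Constructed samples. SAMPLE_BARE models the first post's value (a bare list,
# no "lsm=" key); SAMPLE_LSM models the final line in Reply #5.
SAMPLE_BARE="BOOT_IMAGE=/vmlinuz-linux-hardened ro landlock,lockdown,yama,apparmor,bpf"
SAMPLE_LSM="BOOT_IMAGE=/vmlinuz-linux-hardened ro loglevel=3 quiet lsm=landlock,lockdown,yama,apparmor,bpf audit=1"

echo "bare list : $(check_cmdline "$SAMPLE_BARE")"
echo "lsm= list : $(check_cmdline "$SAMPLE_LSM")"

# On a live system, compare the boot parameters with what the kernel reports.
if [ -r /proc/cmdline ]; then
    echo "this boot : $(check_cmdline "$(cat /proc/cmdline)")"
fi
if [ -r /sys/kernel/security/lsm ]; then
    echo "active LSMs: $(cat /sys/kernel/security/lsm)"
fi
if [ -r /sys/module/apparmor/parameters/enabled ]; then
    echo "apparmor enabled: $(cat /sys/module/apparmor/parameters/enabled)"
fi
```

After editing /etc/default/grub the GRUB configuration has to be regenerated and the machine rebooted before /proc/cmdline reflects the change.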