
[SOLVED] AppArmor not loading profiles at boot

Hello,
I have AppArmor enabled in the kernel:
Quote
    cat /usr/src/linux-5.8.13/.config | grep APPARMOR
    CONFIG_SECURITY_APPARMOR=y
    CONFIG_SECURITY_APPARMOR_HASH=y
    CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
    # CONFIG_SECURITY_APPARMOR_DEBUG is not set
    CONFIG_DEFAULT_SECURITY_APPARMOR=y
and in GRUB:

Quote
    GRUB_CMDLINE_LINUX_DEFAULT="resume=UUID=6e728585-d601-4ced-add0-9136b1cb1017 apparmor=1 security=apparmor init_on_alloc=1 init_on_free=1 pti=on mds=full"

AppArmor starts at boot:
Quote
    sudo aa-enabled
    Yes

but it does not load the profiles present in /etc/apparmor.d/:
Quote
    sudo aa-status
    apparmor module is loaded.
    0 profiles are loaded.
    0 profiles are in enforce mode.
    0 profiles are in complain mode.
    0 processes have profiles defined.
    0 processes are in enforce mode.
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.

I can load profiles from the command line:
Quote
    sudo apparmor_parser --replace /etc/apparmor.d/usr.bin.thunderbird
and the profiles are loaded:
Quote
    sudo aa-status
    apparmor module is loaded.
    7 profiles are loaded.
    7 profiles are in enforce mode.
       firejail-default
       ntpd
       thunderbird
       thunderbird//browser_java
       thunderbird//browser_openjdk
       thunderbird//gpg
       thunderbird//sanitized_helper
    0 profiles are in complain mode.
    0 processes have profiles defined.
    0 processes are in enforce mode.
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.

but after a reboot AppArmor starts without loading the profiles.

I don't see an apparmor service (OpenRC) to add.

So how can I force AppArmor to load the profiles at boot?

Thank you

Re: AppArmor not loading profiles at boot

Reply #1
apparmor-openrc is not listed by Octopi,
but after running
Quote
    pacman -Ss apparmor
I found that apparmor-openrc is available,
so I ran
Quote
    pacman -S apparmor-openrc

and everything works.

Also, after installing apparmor-openrc, the package is now visible in Octopi.

Re: AppArmor not loading profiles at boot

Reply #2
Quote
    apparmor-openrc is not listed by Octopi
    also after installation of apparmor-openrc, package is now visible in Octopi.

Hi, this is not correct.

Regards

Re: AppArmor not loading profiles at boot

Reply #3
Actually, I had seen only the first two items:
    apparmor from world
and
    apparmor from extra
but not
    apparmor-openrc

pacman did show all the apparmor packages.

Thank you

Re: AppArmor not loading profiles at boot

Reply #4
BTW, where are the runit init scripts for apparmor? I've noticed runit and s6 lack some init scripts compared to OpenRC. I took, e.g., the hddtemp init module from Void Linux and modified it for my disks, but apparmor seems to be too complicated for my poor understanding.

Re: AppArmor not loading profiles at boot

Reply #5
Quote
    BTW, where are the runit init scripts for apparmor? I've noticed runit and s6 lack some init scripts compared to OpenRC. I took, e.g., the hddtemp init module from Void Linux and modified it for my disks, but apparmor seems to be too complicated for my poor understanding.

Hi,

We are considering creating and packaging them, but because apparmor is complicated in certain parts, we need time.


Re: AppArmor not loading profiles at boot

Reply #6
@VictorBrand, on its way.

I hope it will be available within the next few days for both runit and s6 in our repos.


Re: AppArmor not loading profiles at boot

Reply #7
Quote
    @VictorBrand, on its way.

    I hope it will be available within the next few days for both runit and s6 in our repos.

Thank you! I have some experience in programming, but I've never learned bash scripting, although now I'm trying to improve my skills. I've tried to import apparmor init scripts from other distros, but it's a bit complicated. Stage 2 runit scripts can be imported from Void Linux to Artix runit quite easily, but apparmor is a stage 1 script. In Void, it is rather complicated (it loads the profiles from /etc/apparmor.d in a loop), but, according to the OpenRC and systemd apparmor init scripts, you only need to include /usr/lib/apparmor/apparmor.rc.functions, define some functions which do logging and console output (like aa_action, aa_log_action_start, etc.) and then invoke the parse_profiles function after some checks.

The problem for me is that stage 1 runit scripts in Artix are made in a different way than in Void. BTW, I do like Artix's way more than Void's (not to say that in Void some packages are weirdly built, especially the kernels, which heat up my CPU for some stupid reason). You are doing a good job, guys :)
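As an added example, not a script from this thread or from any Artix or Void package: a POSIX sh one-shot service that does what the parse_profiles step of the OpenRC and systemd units does, loading every profile under /etc/apparmor.d at boot with the checks and file-skipping rules such a script needs. It assumes apparmor_parser from the apparmor package is on PATH, securityfs is mounted at /sys/kernel/security, and the usual /etc/apparmor.d layout (abstractions/, tunables/, local/ and disable/ as subdirectories). The paths and the parser command are read from the environment, so the same functions can be exercised against a scratch directory; the environment variable names and the script name apparmor-load.sh are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or any distribution package): load all
# AppArmor profiles at boot. Paths and the parser command come from the
# environment so the functions can be tested against a scratch directory.

APPARMOR_DIR=${APPARMOR_DIR:-/etc/apparmor.d}
APPARMOR_PARSER=${APPARMOR_PARSER:-apparmor_parser}
AA_SFS=${AA_SFS:-/sys/kernel/security/apparmor}
AA_ENABLED=${AA_ENABLED:-/sys/module/apparmor/parameters/enabled}

# Succeeds only if the running kernel has AppArmor enabled (the same facts
# aa-enabled reports): the module parameter reads Y and securityfs exposes
# the apparmor directory.
aa_available() {
    [ "$(cat "$AA_ENABLED" 2>/dev/null)" = "Y" ] || return 1
    [ -d "$AA_SFS" ] || return 1
}

# Succeeds (returns 0) when a path under $APPARMOR_DIR must NOT be fed to the
# parser: subdirectories (abstractions, tunables, local, disable, cache ...),
# dotfiles, editor backups, package-manager leftovers, READMEs, and any
# profile disabled through a same-named entry in $APPARMOR_DIR/disable/.
skip_profile() {
    f=$1
    [ -f "$f" ] || return 0
    base=${f##*/}
    case $base in
        .*|*~|*.orig|*.rej|*.pacnew|*.pacsave|*.rpmnew|*.rpmsave|*.dpkg-*|README*)
            return 0 ;;
    esac
    [ -e "$APPARMOR_DIR/disable/$base" ] && return 0
    return 1
}

# Prints, one per line, the profile files that would be loaded.
list_profiles() {
    for f in "$APPARMOR_DIR"/*; do
        skip_profile "$f" && continue
        printf '%s\n' "$f"
    done
}

# Loads (or replaces, if already loaded) every profile; --replace makes the
# script safe to re-run. Returns the number of profiles the parser rejected
# (mod 256), so the supervisor sees a non-zero status when a profile is broken
# instead of the machine silently booting with part of the policy missing.
load_profiles() {
    failed=0
    for f in "$APPARMOR_DIR"/*; do
        skip_profile "$f" && continue
        if ! "$APPARMOR_PARSER" --replace "$f"; then
            echo "apparmor: failed to load $f" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Service entry point: `sh apparmor-load.sh start`. Without an argument the
# file only defines the functions above.
case ${1:-} in
    start)
        if ! aa_available; then
            echo "apparmor: not enabled in this kernel, nothing to do" >&2
            exit 1
        fi
        load_profiles
        ;;
esac
```

Invoke it with `start` from a runit or s6 one-shot that runs before the confined daemons are started: a process that is already running when its profile is loaded stays unconfined until it re-executes, which is exactly the "unconfined but have a profile defined" line in aa-status.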

Re: AppArmor not loading profiles at boot

Reply #8
@VictorBrand, as soon as the servers sync, apparmor-runit-20210129-1 will be available in the world repo.