FS#56638 - [linux-hardened] Could AppArmor support be enabled in config?

Attached to Project: Arch Linux
Opened by Francois (francoism90) - Friday, 08 December 2017, 17:58 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 05 July 2018, 21:59 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 6
Private No

Details

Description:
Since AppArmor seems to be supported again by the kernel, and SELinux is enabled by default in the config, could we please also enable AppArmor?

Additional info:
* linux-hardened 4.14.3.a-1

Steps to reproduce:
- Cat config, not enabled.

Closed by Levente Polyak (anthraxx)
Thursday, 05 July 2018, 21:59 GMT
Reason for closing: Implemented
Additional comments about closing: 4.17.4.a-1
Comment by Freya Gentz (zegentz) - Wednesday, 13 December 2017, 01:30 GMT
Comment by Francois (francoism90) - Wednesday, 13 December 2017, 11:54 GMT
@zegentz True, but since the config is already shipped, simply enabling the following flags should not 'break' linux-hardened in any way:
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y

Yeah, I could add my own patch, but I would rather have a compiled kernel.
Comment by Eli Schwartz (eschwartz) - Wednesday, 13 December 2017, 13:10 GMT
The previous maintainer of linux-hardened did not wish to enable this, but he retired and passed on the reins to someone else. :)

It is entirely possible anthraxx will approve this request.
Comment by David McAdoo (geecroof) - Thursday, 14 December 2017, 13:12 GMT
@francoism90 those flags will run AppArmor on every boot. We probably want to enable it in the kernel but run it only when the user chooses it. Same as SELinux.

CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
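The two config variants proposed in this thread differ only in whether AppArmor is active by default or has to be requested on the kernel command line. The following script is an added example, not something from the bug tracker or the Arch kernel package: it classifies a kernel `.config` (for instance the output of `zcat /proc/config.gz`) into "absent", "default-on" or "opt-in", prints the command-line arguments an opt-in kernel needs, and reports whether AppArmor is live on the running system. The three sample configs are constructed inline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect how a kernel config treats AppArmor.
# Usage on a live system:  zcat /proc/config.gz > /tmp/cfg && apparmor_mode /tmp/cfg

# cfg_val FILE SYMBOL -> value of CONFIG_SYMBOL, or "" when unset / "is not set"
cfg_val() {
  sed -n "s/^CONFIG_$2=//p" "$1" | head -n 1
}

# apparmor_mode FILE -> one of:
#   absent      CONFIG_SECURITY_APPARMOR is not built in; a kernel rebuild is required
#   default-on  built in, default LSM and enabled at boot (the first proposal above)
#   opt-in      built in but inactive until the command line asks for it (the second proposal)
apparmor_mode() {
  cfg="$1"
  [ "$(cfg_val "$cfg" SECURITY_APPARMOR)" = "y" ] || { echo absent; return 0; }
  if [ "$(cfg_val "$cfg" DEFAULT_SECURITY_APPARMOR)" = "y" ] \
     && [ "$(cfg_val "$cfg" SECURITY_APPARMOR_BOOTPARAM_VALUE)" = "1" ]; then
    echo default-on
  else
    echo opt-in
  fi
}

# apparmor_boot_args FILE -> kernel command-line arguments needed to activate
# AppArmor on this config; empty when nothing is needed or it cannot be activated.
# security=apparmor selects it as the major LSM, apparmor=1 switches the module on.
# An unset BOOTPARAM_VALUE is treated as "not 1", so apparmor=1 is added explicitly.
apparmor_boot_args() {
  cfg="$1"
  args=""
  [ "$(cfg_val "$cfg" SECURITY_APPARMOR)" = "y" ] || { echo ""; return 0; }
  [ "$(cfg_val "$cfg" DEFAULT_SECURITY_APPARMOR)" = "y" ] || args="security=apparmor"
  [ "$(cfg_val "$cfg" SECURITY_APPARMOR_BOOTPARAM_VALUE)" = "1" ] || args="${args:+$args }apparmor=1"
  echo "$args"
}

# apparmor_runtime_state -> Y / N from the live kernel, or "unknown" when the
# module parameter is not exposed (kernel built without AppArmor, or not Linux).
apparmor_runtime_state() {
  p=/sys/module/apparmor/parameters/enabled
  if [ -r "$p" ]; then cat "$p"; else echo unknown; fi
}

# Constructed sample configs standing in for the proposals in this thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'CONFIG_SECURITY_APPARMOR=y' \
              'CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1' \
              'CONFIG_DEFAULT_SECURITY_APPARMOR=y' > "$tmp/always.cfg"
printf '%s\n' 'CONFIG_SECURITY_APPARMOR=y' \
              'CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0' \
              '# CONFIG_DEFAULT_SECURITY_APPARMOR is not set' > "$tmp/optin.cfg"
printf '%s\n' '# CONFIG_SECURITY_APPARMOR is not set' \
              'CONFIG_DEFAULT_SECURITY_SELINUX=y' > "$tmp/none.cfg"

for f in always optin none; do
  printf '%-7s mode=%-10s boot_args="%s"\n' "$f" \
    "$(apparmor_mode "$tmp/$f.cfg")" "$(apparmor_boot_args "$tmp/$f.cfg")"
done
echo "running kernel: apparmor enabled = $(apparmor_runtime_state)"
```

With the opt-in config the script reports that `security=apparmor apparmor=1` must be appended to the kernel command line; with the default-on config it reports nothing to add, and with a kernel lacking `CONFIG_SECURITY_APPARMOR` no command-line argument helps. The runtime check is the quick way to confirm after a reboot that the chosen variant actually took effect before loading profiles.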
Comment by Francois (francoism90) - Thursday, 14 December 2017, 13:14 GMT
@geecroof That is indeed a far better solution. :)
Comment by Daniel de Kok (danieldk) - Saturday, 03 March 2018, 07:45 GMT
Enabling AppArmor in the hardened kernel would be great. I am running Arch Linux on a server with AppArmor to confine some processes. However, rebuilding the kernel package for every upgrade is painful. Even though I like SELinux, AppArmor is currently far more trivial to set up on Arch than SELinux.
Comment by Ike Rippin (Janick.Hauck92) - Monday, 26 March 2018, 21:10 GMT
Enabling one config option is certainly not a hard thing to do for a maintainer. Especially if it's opt-in and all maintenance is done in userspace anyway.
Comment by Francois (francoism90) - Sunday, 17 June 2018, 09:17 GMT
Sorry to ask, but is there any update on this? :)
Comment by Tommy Schmitt (spinka) - Friday, 29 June 2018, 19:44 GMT
Comment by Francois (francoism90) - Saturday, 30 June 2018, 09:11 GMT
@spinka Thanks for the update, hope it can be merged any time soon.