AppArmor on antiX 19


This topic contains 0 replies, has 1 voice, and was last updated by AK-47 Aug 27-4:33 pm.

#26435 AK-47 (Member)

    Since Debian 10 Buster includes AppArmor enabled by default, I was mucking about with it on MX 19 Beta 1, and it works well without any additional configuration. It even works on the live system (snapshot, default kernel only). However, by default, it won’t work like this if you install other kernels. Same situation with the antiX default kernel.

    To fix this I edit /etc/default/grub changing GRUB_CMDLINE_LINUX_DEFAULT from:
        GRUB_CMDLINE_LINUX_DEFAULT="quiet"
    to:
        GRUB_CMDLINE_LINUX_DEFAULT="quiet security=apparmor apparmor=1"
    Without this change it tries to load SELinux which seems to conflict with AppArmor.
    After that, run sudo update-grub and reboot.

    On the live system you need to add the security=apparmor apparmor=1 to the kernel command line when you boot.

    On vanilla antiX Full, the installation of apparmor, apparmor-profiles and apparmor-utils all adds up to an extra 3.2MB (as reported by apt install).

    Testing on antiX, it doesn’t appear to take much memory. When starting antiX and loading into the desktop, Conky reports ~143-145MB of RAM used for the default x86-64 kernel after the whole desktop is loaded. It seems the addition of apparmor-profiles-extra adds a negligible amount (occasionally bringing it up a megabyte or two).

    Since antiX includes Firejail by default, that works with AppArmor too: $ firejail --apparmor --noprofile firefox
    I found the --noprofile is necessary under antiX.

    Checking it all out with aa-status reveals:

    $ sudo aa-status
    [sudo] password for user: 
    apparmor module is loaded.
    38 profiles are loaded.
    20 profiles are in enforce mode.
       /usr/bin/man
       /usr/bin/pidgin
       /usr/bin/pidgin//sanitized_helper
       /usr/bin/totem
       /usr/bin/totem-audio-preview
       /usr/bin/totem-video-thumbnailer
       /usr/bin/totem//sanitized_helper
       /usr/lib/cups/backend/cups-pdf
       /usr/sbin/apt-cacher-ng
       /usr/sbin/cupsd
       /usr/sbin/cupsd//third_party
       /usr/sbin/haveged
       firejail-default
       libreoffice-senddoc
       libreoffice-soffice//gpg
       libreoffice-xpdfimport
       man_filter
       man_groff
       nvidia_modprobe
       nvidia_modprobe//kmod
    18 profiles are in complain mode.
       /usr/bin/irssi
       /usr/sbin/dnsmasq
       /usr/sbin/dnsmasq//libvirt_leaseshelper
       avahi-daemon
       identd
       klogd
       libreoffice-oopslash
       libreoffice-soffice
       mdnsd
       nmbd
       nscd
       ping
       smbd
       smbldap-useradd
       smbldap-useradd///etc/init.d/nscd
       syslog-ng
       syslogd
       traceroute
    6 processes have profiles defined.
    4 processes are in enforce mode.
       /usr/sbin/cupsd (1977) 
       /usr/lib/firefox-esr/firefox-esr (3700) firejail-default
       /usr/lib/firefox-esr/firefox-esr (3754) firejail-default
       /usr/lib/firefox-esr/firefox-esr (3871) firejail-default
    2 processes are in complain mode.
       /usr/sbin/avahi-daemon (1890) avahi-daemon
       /usr/sbin/avahi-daemon (1891) avahi-daemon
    0 processes are unconfined but have a profile defined.

    There are fewer profiles here than on MX even with apparmor-profiles-extra. On MX there are 4 more profiles in enforce mode:

    • /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
    • /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
    • /usr/sbin/ntpd
    • /usr/sbin/cups-browsed

    As you can see getting it to work is pretty straightforward. I have only tested this on antiX 19 Beta 3 so I am not sure it will work in antiX 17.x or older. I haven’t tested it on an antiX live environment yet, however it works very well with the MX live environment so I would be surprised if it doesn’t work.

    I reckon it’s worth considering enabling by default if there are no issues with old systems.
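The grub edit described in the post, done as a script rather than by hand, as an added example that is not part of the original post or of antiX/MX. It strips any existing security= or apparmor= token (so a leftover security=selinux does not sit beside the new value), appends security=apparmor apparmor=1 only if it is not already there, and reports whether the running kernel actually has AppArmor enabled by reading /sys/module/apparmor/parameters/enabled, which is one of the files aa-status consults. The file and sysfs paths can be overridden so it can be exercised on a copy; the --apply flag, the function names and the assumption that /etc/default/grub has a single GRUB_CMDLINE_LINUX_DEFAULT="..." line are mine, not the post's.

```shell
#!/bin/sh
# Added example (not from the forum post): enable AppArmor on the kernel
# command line idempotently and verify the result.
# Assumption (mine): the grub defaults file has at most one line of the form
# GRUB_CMDLINE_LINUX_DEFAULT="...".

APPARMOR_PARAMS="security=apparmor apparmor=1"

# Print the current GRUB_CMDLINE_LINUX_DEFAULT value (without quotes) from file $1.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Rewrite GRUB_CMDLINE_LINUX_DEFAULT in file $1 so it ends with the AppArmor
# parameters, dropping any existing security=/apparmor= tokens first.
# Returns 0 if the file was changed, 1 if it already had the right value.
add_apparmor_params() {
    file="$1"
    current=$(grub_cmdline "$file")
    kept=""
    set -f   # no pathname expansion while word-splitting the parameters
    for tok in $current; do
        case "$tok" in
            security=*|apparmor=*) ;;                 # drop conflicting LSM choice
            *) kept="$kept${kept:+ }$tok" ;;
        esac
    done
    set +f
    new="$kept${kept:+ }$APPARMOR_PARAMS"
    [ "$new" = "$current" ] && return 1
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        # Keep a .bak copy so the edit is reversible. Caveat: the replacement
        # goes through sed, so a parameter containing '|' or '&' would need escaping.
        sed -i.bak "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$file"
    fi
    return 0
}

# True if the kernel command line in file $1 (default /proc/cmdline) selects
# AppArmor; useful on a live boot where grub was not edited.
cmdline_has_apparmor() {
    cmd=$(cat "${1:-/proc/cmdline}")
    case " $cmd " in
        *" security=apparmor "*) return 0 ;;
    esac
    return 1
}

# True if the running kernel has AppArmor enabled. $1 overrides the sysfs
# root (used for offline testing); the real file is the one aa-status reads.
apparmor_enabled() {
    en="${1:-/sys}/module/apparmor/parameters/enabled"
    [ -r "$en" ] && [ "$(cat "$en")" = "Y" ]
}

# Real run: sudo sh enable-apparmor.sh --apply
if [ "${1:-}" = "--apply" ]; then
    if add_apparmor_params /etc/default/grub; then
        update-grub
        echo "kernel command line updated; reboot to activate AppArmor"
    else
        echo "AppArmor parameters already present in /etc/default/grub"
    fi
    if apparmor_enabled; then
        echo "AppArmor is enabled on the running kernel"
    else
        echo "AppArmor is not enabled on the running kernel (reboot needed?)"
    fi
fi
```

Running it a second time is a no-op (exit 1 from add_apparmor_params, no update-grub), and a file that already carries security=selinux ends up with a single security=apparmor rather than two competing LSM selections.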
