Posted by AK-47 (Member), August 27, 2019 at 4:33 pm, post #26435. This topic contains 0 replies, has 1 voice, and was last updated by AK-47 Aug 27, 4:33 pm.
Since Debian 10 Buster includes AppArmor enabled by default, I was mucking about with it on MX 19 Beta 1, and it works well without any additional configuration. It even works on the live system (snapshot, default kernel only). However, by default, it won’t work like this if you install other kernels. Same situation with the antiX default kernel.
To fix this I edit /etc/default/grub changing GRUB_CMDLINE_LINUX_DEFAULT from:
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=apparmor apparmor=1"
Without this change it tries to load SELinux which seems to conflict with AppArmor.
After that, run sudo update-grub and reboot.
On the live system you need to add the security=apparmor apparmor=1 to the kernel command line when you boot.
On vanilla antiX Full, the installation of apparmor, apparmor-profiles and apparmor-utils all adds up to an extra 3.2MB (as reported by apt install).
Testing on antiX, it doesn’t appear to take much memory. When starting antiX and loading into the desktop, Conky reports ~143-145MB of RAM used for the default x86-64 kernel after the whole desktop is loaded. It seems the addition of apparmor-profiles-extra adds a negligible amount (occasionally bringing it up a megabyte or two).
Since antiX includes Firejail by default, that works with AppArmor too:
$ firejail --apparmor --noprofile firefox
I found the --noprofile is necessary under antiX.
Checking it all out with aa-status reveals:
$ sudo aa-status
[sudo] password for user:
apparmor module is loaded.
38 profiles are loaded.
20 profiles are in enforce mode.
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/apt-cacher-ng
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/haveged
   firejail-default
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
18 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   identd
   klogd
   libreoffice-oopslash
   libreoffice-soffice
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
6 processes have profiles defined.
4 processes are in enforce mode.
   /usr/sbin/cupsd (1977)
   /usr/lib/firefox-esr/firefox-esr (3700) firejail-default
   /usr/lib/firefox-esr/firefox-esr (3754) firejail-default
   /usr/lib/firefox-esr/firefox-esr (3871) firejail-default
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (1890) avahi-daemon
   /usr/sbin/avahi-daemon (1891) avahi-daemon
0 processes are unconfined but have a profile defined.
There are fewer profiles here than on MX even with apparmor-profiles-extra. On MX there are 4 more profiles in enforce mode:
As you can see, getting it to work is pretty straightforward. I have only tested this on antiX 19 Beta 3, so I am not sure it will work in antiX 17.x or older. I haven't tested it on an antiX live environment yet; however, it works very well with the MX live environment, so I would be surprised if it doesn't work.
I reckon it’s worth considering enabling by default if there are no issues with old systems.
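An added example, not part of AK-47's post and not antiX or MX project code: a small POSIX sh script that makes the /etc/default/grub edit described in the post repeatable (it adds security=apparmor apparmor=1 to GRUB_CMDLINE_LINUX_DEFAULT only if they are not already there, so re-running it never duplicates parameters) and, after the reboot, checks that the running kernel actually booted with them before calling aa-status. The script name apparmor-grub.sh and the function names are assumptions; the post's own steps are the grub edit, update-grub, reboot and aa-status. The sysfs file /sys/module/apparmor/parameters/enabled is the kernel's own Y/N flag for the AppArmor LSM.

```shell
#!/bin/sh
# Added example, not from the forum post: script the grub edit the post
# describes (GRUB_CMDLINE_LINUX_DEFAULT gets "security=apparmor apparmor=1"),
# make it safe to re-run, and verify after reboot that the kernel has it.
# Assumption: GRUB_CMDLINE_LINUX_DEFAULT is one double-quoted line in the file.
#
# Usage on an installed system (as root):
#   . ./apparmor-grub.sh            # hypothetical file name
#   enable_apparmor_params /etc/default/grub && update-grub
#   reboot, then run: verify_running_kernel

# Print the current value of GRUB_CMDLINE_LINUX_DEFAULT from FILE ($1).
get_default_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Return 0 if the kernel command line ($1, or /proc/cmdline when called with
# no argument) contains both security=apparmor and apparmor=1 as whole words.
# Whole-word matching matters: "apparmor=10" or "security=apparmorx" must not count.
cmdline_has_apparmor() {
    if [ $# -ge 1 ]; then line=$1; else line=$(cat /proc/cmdline); fi
    have_sec=0; have_aa=0
    for param in $line; do
        case $param in
            security=apparmor) have_sec=1 ;;
            apparmor=1)        have_aa=1 ;;
        esac
    done
    [ "$have_sec" = 1 ] && [ "$have_aa" = 1 ]
}

# Append the AppArmor parameters to GRUB_CMDLINE_LINUX_DEFAULT in FILE ($1)
# unless they are already present. Writes through a temp file instead of
# sed -i so it behaves the same on GNU and BusyBox sed, and a failed sed
# leaves the original file untouched.
enable_apparmor_params() {
    file=$1
    if cmdline_has_apparmor "$(get_default_cmdline "$file")"; then
        return 0   # already configured, nothing to do
    fi
    # First expression appends inside the closing quote; the second strips the
    # leading space left behind when the original value was the empty string.
    sed -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="[^"]*\)"/\1 security=apparmor apparmor=1"/' \
        -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\) /\1/' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# After the reboot: confirm the parameters reached the kernel (catches the
# "forgot update-grub" and "booted a different kernel entry" cases), report
# whether the AppArmor LSM is enabled, then show what is confined.
verify_running_kernel() {
    if ! cmdline_has_apparmor; then
        echo "AppArmor parameters missing from /proc/cmdline; run update-grub and reboot" >&2
        return 1
    fi
    echo "kernel command line: $(cat /proc/cmdline)"
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        echo "apparmor enabled: $(cat /sys/module/apparmor/parameters/enabled)"
    fi
    if command -v aa-status >/dev/null 2>&1; then
        aa-status
    fi
    return 0
}
```

The check in verify_running_kernel is the useful part for the multi-kernel situation the post mentions: a new kernel package gets a fresh grub entry, and reading /proc/cmdline on the booted system tells you immediately whether that entry carried the parameters, rather than finding out later when aa-status reports the module is not loaded.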