Hi Team,

Does anybody have any experience in writing the apparmor profile and confine some of the openbmc application?

I pulled the apparmor in the openbmc image but it is not confining the openbmc application. Confining the application on ubuntu works fine but that is not true with openbmc.

I am chasing this issue with apparmor team through https://gitlab.com/apparmor/apparmor/-/issues/183

Ratan

On Tue, Jul 27, 2021 at 1:27 PM Ratan Gupta wrote:

> Ignore my previous email, I got the issue that CONFIG_SECURITY should have
> been enabled also (That is a dependency)
>
> https://github.com/openbmc/linux/blob/1519240139a91e3dbc97d8f79de29a22a3328257/security/apparmor/Kconfig#L4
>
> On Tue, Jul 27, 2021 at 11:42 AM Ratan Gupta wrote:
>
>> Hi All,
>>
>> I was trying to pull apparmor in openbmc, all the user space application
>> got pulled however I was unable to build the kernel with apparmor support.
>>
>> I made the following kernel configuration to include the apparmor
>> (https://github.com/openbmc/linux/blob/dev-5.10/Documentation/admin-guide/LSM/apparmor.rst)
>>
>> CONFIG_SECURITYFS=y
>> CONFIG_SECURITY_NETWORK=y
>> CONFIG_SECURITY_PATH=y
>> CONFIG_SECURITY_APPARMOR=y
>> CONFIG_DEFAULT_SECURITY="apparmor"
>> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_AUDIT=y
>>
>> In the build tree, kernel is not picking the above config parameters and
>> I was getting the following logs in the config_build_log which suggest that
>> kernel doesn't like these config.
>>
>> tmp/work-shared/hgx/kernel-source/.kernel-meta/cfg/merge_config_build.log
>>
>> Value requested for CONFIG_SECURITY_PATH not in final .config
>> Requested value: CONFIG_SECURITY_PATH=y
>> CONFIG_SECURITY_PATH=y
>> Actual value:
>>
>> Value requested for CONFIG_SECURITY_APPARMOR not in final .config
>> Requested value: CONFIG_SECURITY_APPARMOR=y
>> CONFIG_SECURITY_APPARMOR=y
>> Actual value:
>>
>> Value requested for CONFIG_DEFAULT_SECURITY not in final .config
>> Requested value: CONFIG_DEFAULT_SECURITY="apparmor"
>> CONFIG_DEFAULT_SECURITY="apparmor"
>> Actual value:
>>
>> Value requested for CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE not in final .config
>> Requested value: CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> Actual value:
>>
>> Can somebody suggest me what I am missing here?
>>
>> Ratan Gupta
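
The following shell functions are an added example, not part of the original email thread or of OpenBMC: they list the symbols a merge_config_build.log reports as dropped and flag a fragment that sets CONFIG_SECURITY_* options without CONFIG_SECURITY=y. The function names, the apparmor.cfg file name and the sample data are assumptions constructed for illustration.

```sh
# Added example, not from the thread; file names and sample data are constructed.

# dropped_symbols LOG: print "SYMBOL<TAB>requested<TAB>actual" for each symbol
# the merge log reports as requested but not in the final .config.
dropped_symbols() {
    awk '
        function emit() {
            if (inrec) printf "%s\t%s\t%s\n", sym, req, (act == "" ? "<absent>" : act)
            inrec = 0
        }
        /^Value requested for CONFIG_[A-Za-z0-9_]+ not in final \.config/ {
            emit(); sym = $4; req = ""; act = ""; inrec = 1; next
        }
        inrec && /^Requested value:/ {
            sub(/^Requested value:[ \t]*/, ""); sub(/^[^=]*=/, ""); req = $0; next
        }
        inrec && /^Actual value:/ {
            sub(/^Actual value:[ \t]*/, ""); sub(/[ \t]+$/, ""); act = $0; emit()
        }
        END { emit() }
    ' "$1"
}

# fragment_lacks_security FRAGMENT: true when CONFIG_SECURITY_* options are set
# without CONFIG_SECURITY=y, the dependency identified in the thread.
fragment_lacks_security() {
    grep -Eq '^CONFIG_SECURITY_[A-Z0-9_]+=' "$1" && ! grep -q '^CONFIG_SECURITY=y$' "$1"
}

# write_sample DIR: constructed fragment and log in the shape quoted above.
write_sample() {
    printf '%s\n' 'CONFIG_SECURITYFS=y' 'CONFIG_SECURITY_PATH=y' \
        'CONFIG_SECURITY_APPARMOR=y' > "$1/apparmor.cfg"
    cat > "$1/merge_config_build.log" <<'EOF'
Value requested for CONFIG_SECURITY_PATH not in final .config
Requested value: CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_PATH=y
Actual value:

Value requested for CONFIG_SECURITY_APPARMOR not in final .config
Requested value: CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR=y
Actual value:
EOF
}

demo_dir=$(mktemp -d) && write_sample "$demo_dir"
dropped_symbols "$demo_dir/merge_config_build.log"
fragment_lacks_security "$demo_dir/apparmor.cfg" && echo "CONFIG_SECURITY=y is missing"
```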