* AppArmor
@ 2017-06-20 13:19 Anders Montonen
  2017-06-21 14:39 ` AppArmor Dominig ar Foll (Intel Open Source)
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Anders Montonen @ 2017-06-20 13:19 UTC (permalink / raw)
  To: yocto

Hi,

Has anyone tried using AppArmor with Yocto? The recipe in the 
meta-security layer is broken, and when fixed so it actually builds, it 
turns out the installed init script relies on functions not found in 
Yocto's version of LSB.

Regards,
Anders



* Re: AppArmor
  2017-06-20 13:19 AppArmor Anders Montonen
@ 2017-06-21 14:39 ` Dominig ar Foll (Intel Open Source)
  2017-06-21 14:46 ` AppArmor Tom Rini
  2017-06-21 20:46 ` AppArmor Khem Raj
  2 siblings, 0 replies; 10+ messages in thread
From: Dominig ar Foll (Intel Open Source) @ 2017-06-21 14:39 UTC (permalink / raw)
  To: yocto

[-- Attachment #1: Type: text/html, Size: 2063 bytes --]


* Re: AppArmor
  2017-06-20 13:19 AppArmor Anders Montonen
  2017-06-21 14:39 ` AppArmor Dominig ar Foll (Intel Open Source)
@ 2017-06-21 14:46 ` Tom Rini
  2017-06-21 20:46 ` AppArmor Khem Raj
  2 siblings, 0 replies; 10+ messages in thread
From: Tom Rini @ 2017-06-21 14:46 UTC (permalink / raw)
  To: Anders Montonen; +Cc: yocto


On Tue, Jun 20, 2017 at 04:19:24PM +0300, Anders Montonen wrote:

> Hi,
> 
> Has anyone tried using AppArmor with Yocto? The recipe in the
> meta-security layer is broken, and when fixed so it actually builds,
> it turns out the installed init script relies on functions not found
> in Yocto's version of LSB.

The biggest problem I've found thus far with AppArmor was needing to do
some tweaks (which I've posted) so that the utilities have all of the
required python/perl bindings.  I do need to poke things harder however.

-- 
Tom



* Re: AppArmor
  2017-06-20 13:19 AppArmor Anders Montonen
  2017-06-21 14:39 ` AppArmor Dominig ar Foll (Intel Open Source)
  2017-06-21 14:46 ` AppArmor Tom Rini
@ 2017-06-21 20:46 ` Khem Raj
  2017-06-22  2:01   ` AppArmor Anders Montonen
  2 siblings, 1 reply; 10+ messages in thread
From: Khem Raj @ 2017-06-21 20:46 UTC (permalink / raw)
  To: Anders Montonen, yocto


On Tue, Jun 20, 2017 at 9:56 AM Anders Montonen <Anders.Montonen@iki.fi>
wrote:

> Hi,
>
> Has anyone tried using AppArmor with Yocto? The recipe in the
> meta-security layer is broken, and when fixed so it actually builds, it
> turns out the installed init script relies on functions not found in
> Yocto's version of LSB.
>

That seems like a bug to me; perhaps it can be fixed in initscripts?

>
> Regards,
> Anders



* Re: AppArmor
  2017-06-21 20:46 ` AppArmor Khem Raj
@ 2017-06-22  2:01   ` Anders Montonen
  2017-06-22 12:08     ` AppArmor Tom Rini
  0 siblings, 1 reply; 10+ messages in thread
From: Anders Montonen @ 2017-06-22  2:01 UTC (permalink / raw)
  To: yocto


On 21 Jun 2017, at 23:46, Khem Raj <raj.khem@gmail.com> wrote:
> On Tue, Jun 20, 2017 at 9:56 AM Anders Montonen <Anders.Montonen@iki.fi> wrote:
> Has anyone tried using AppArmor with Yocto? The recipe in the
> meta-security layer is broken, and when fixed so it actually builds, it
> turns out the installed init script relies on functions not found in
> Yocto's version of LSB.
> That seems like a bug to me; perhaps it can be fixed in initscripts?

I ended up replacing the recipe with one combining the one from meta-security and from the OpenSwitch project[1]. This allowed me to get rid of the sysvinit and apache2 dependencies. I’ll have to look for Tom Rini’s tweaks and see if he fixed the Python issues more elegantly.

IIRC the issues I ran into with the meta-security recipe were:
- The tools under binutils require the static library
- The systemd service file isn’t installed
- The Python apparmor module is built against Python 2.7, while the scripts that use it are Python 3. Commit 89683b4fee4616a08d249bc7afd7be55f3fa71a3 is wrong, it papers over a QA warning without fixing the actual problem.
- The Python LibAppArmor module isn’t built at all.

Regards,
Anders

[1] http://git.openswitch.net/cgit/openswitch/ops-build/tree/yocto/openswitch/meta-foss-openswitch/recipes-security/apparmor (recipe: http://git.openswitch.net/cgit/openswitch/ops-build/tree/yocto/openswitch/meta-foss-openswitch/recipes-security/apparmor/apparmor_2.10.95.bb?h=master)



* Re: AppArmor
  2017-06-22  2:01   ` AppArmor Anders Montonen
@ 2017-06-22 12:08     ` Tom Rini
  2017-06-29 10:56       ` AppArmor Anders Montonen
  0 siblings, 1 reply; 10+ messages in thread
From: Tom Rini @ 2017-06-22 12:08 UTC (permalink / raw)
  To: Anders Montonen; +Cc: yocto


On Thu, Jun 22, 2017 at 05:01:09AM +0300, Anders Montonen wrote:
> On 21 Jun 2017, at 23:46, Khem Raj <raj.khem@gmail.com> wrote:
> > On Tue, Jun 20, 2017 at 9:56 AM Anders Montonen <Anders.Montonen@iki.fi> wrote:
> > Has anyone tried using AppArmor with Yocto? The recipe in the
> > meta-security layer is broken, and when fixed so it actually builds, it
> > turns out the installed init script relies on functions not found in
> > Yocto's version of LSB.
> > That seems like a bug to me; perhaps it can be fixed in initscripts?
> 
> I ended up replacing the recipe with one combining the one from meta-security and from the OpenSwitch project[1]. This allowed me to get rid of the sysvinit and apache2 dependencies. I’ll have to look for Tom Rini’s tweaks and see if he fixed the Python issues more elegantly.
> 
> IIRC the issues I ran into with the meta-security recipe were:
> - The tools under binutils require the static library
> - The systemd service file isn’t installed
> - The Python apparmor module is built against Python 2.7, while the scripts that use it are Python 3. Commit 89683b4fee4616a08d249bc7afd7be55f3fa71a3 is wrong, it papers over a QA warning without fixing the actual problem.
> - The Python LibAppArmor module isn’t built at all.

I did fix the latter of these (along with the perl problem), but I'm
using sysvinit and needed apache2 in my project anyhow.

-- 
Tom



* Re: AppArmor
  2017-06-22 12:08     ` AppArmor Tom Rini
@ 2017-06-29 10:56       ` Anders Montonen
  2017-06-30  1:35         ` AppArmor Tom Rini
  0 siblings, 1 reply; 10+ messages in thread
From: Anders Montonen @ 2017-06-29 10:56 UTC (permalink / raw)
  To: yocto

Hi Tom,

On Thu, 22 Jun 2017, Tom Rini wrote:
>
> I did fix the latter of these (along with the perl problem), but I'm
> using sysvinit and needed apache2 in my project anyhow.

Your commit fixes most of the problems, but /usr/bin/aa-easyprof still 
gets installed with a shebang referring to the host python3 interpreter. 
The script is processed and installed by utils/python-tools-setup.py, 
which captures whatever $PYTHON is set to at the time.

-a



* Re: AppArmor
  2017-06-29 10:56       ` AppArmor Anders Montonen
@ 2017-06-30  1:35         ` Tom Rini
  2017-07-04 16:03           ` AppArmor Tom Rini
  0 siblings, 1 reply; 10+ messages in thread
From: Tom Rini @ 2017-06-30  1:35 UTC (permalink / raw)
  To: Anders Montonen; +Cc: yocto


On Thu, Jun 29, 2017 at 01:56:22PM +0300, Anders Montonen wrote:
> Hi Tom,
> 
> On Thu, 22 Jun 2017, Tom Rini wrote:
> >
> >I did fix the latter of these (along with the perl problem), but I'm
> >using sysvinit and needed apache2 in my project anyhow.
> 
> Your commit fixes most of the problems, but /usr/bin/aa-easyprof
> still gets installed with a shebang referring to the host python3
> interpreter. The script is processed and installed by
> utils/python-tools-setup.py, which captures whatever $PYTHON is set
> to at the time.

Oh thanks!  I'll v2 things shortly with that fixed up.

-- 
Tom



* Re: AppArmor
  2017-06-30  1:35         ` AppArmor Tom Rini
@ 2017-07-04 16:03           ` Tom Rini
  0 siblings, 0 replies; 10+ messages in thread
From: Tom Rini @ 2017-07-04 16:03 UTC (permalink / raw)
  To: Anders Montonen; +Cc: yocto

On Thu, Jun 29, 2017 at 09:35:06PM -0400, Tom Rini wrote:
> On Thu, Jun 29, 2017 at 01:56:22PM +0300, Anders Montonen wrote:
> > Hi Tom,
> > 
> > On Thu, 22 Jun 2017, Tom Rini wrote:
> > >
> > >I did fix the latter of these (along with the perl problem), but I'm
> > >using sysvinit and needed apache2 in my project anyhow.
> > 
> > Your commit fixes most of the problems, but /usr/bin/aa-easyprof
> > still gets installed with a shebang referring to the host python3
> > interpreter. The script is processed and installed by
> > utils/python-tools-setup.py, which captures whatever $PYTHON is set
> > to at the time.
> 
> Oh thanks!  I'll v2 things shortly with that fixed up.

So, FYI all, here's where I'm at.  Fixing up aa-easyprof for the shebang
part is easy as there's a few other cases around of "manually correct a
shebang".  But this exposes another problem of needing to basically
RDEPEND on python3-modules as not only does apparmor depend on a few
different core modules but the core modules themselves do not have
correct interdependencies.  As it stands today for perl this is handled
by some very fragile looking shell expressions that get re-run per perl
upgrade.  I don't think I can come up with the equivalent for python.
So my local version also has this just saying we need all of
python3-modules to be installed, and then it works.

I've also fixed up some minor logging issues in the sysvinit script
(which I know isn't a concern for Anders as he's using systemd, but just
being complete).  I will post another version in a few days just so
others can have functioning apparmor if they want it, at least until
Armin speaks up.

-- 
Tom


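The host-interpreter leak Anders describes (aa-easyprof installed with the shebang captured from $PYTHON) and the "manually correct a shebang" fix Tom mentions, as an added example that is not code from this thread, from the meta-security recipe or from the AppArmor project. It assumes a BitBake-style install root such as ${D} and that rewriting a leaked shebang to /usr/bin/env plus the interpreter basename is the wanted result; both are assumptions, not something the thread states.

```shell
# Added example (not from the thread or the meta-security recipe).
# Finds scripts under an install tree whose shebang names an interpreter
# outside the target's standard bin directories, which is what happens when
# a build helper captures the host/native $PYTHON path (as with aa-easyprof),
# and rewrites such shebangs to "#!/usr/bin/env <interpreter-basename>".

# Returns 0 (true) if $1 starts with a shebang naming a non-target interpreter.
# Sets $interp to the interpreter path found (sh has no locals; callers use it).
has_host_shebang() {
    f="$1"
    IFS= read -r first < "$f" || [ -n "$first" ] || return 1   # empty file
    case "$first" in "#!"*) ;; *) return 1 ;; esac              # not a script
    interp=${first#"#!"}
    interp=${interp#"${interp%%[! ]*}"}     # strip spaces after "#!"
    interp=${interp%% *}                     # drop interpreter arguments
    case "$interp" in
        /usr/bin/env|/bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*) return 1 ;;  # target path
        *) return 0 ;;                                                   # leaked host path
    esac
}

# Rewrites a leaked shebang in $1 to "#!/usr/bin/env <basename>", keeping the
# file's permissions (cat > file) and leaving clean files untouched.
fix_host_shebang() {
    f="$1"
    has_host_shebang "$f" || return 0
    name=$(basename "$interp")
    tmp=$(mktemp) || return 1
    { printf '#!/usr/bin/env %s\n' "$name"; tail -n +2 "$f"; } > "$tmp" &&
        cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Lists every leaked shebang under an install root (e.g. BitBake's ${D});
# returns 1 if any were found so an install-time QA step can fail the build.
scan_install_tree() {
    root="$1"; bad=0
    for f in $(find "$root" -type f 2>/dev/null); do
        if has_host_shebang "$f"; then echo "$f: $interp"; bad=1; fi
    done
    return $bad
}
```

Run scan_install_tree against ${D} at the end of do_install to catch the leak before packaging, and fix_host_shebang on each reported file if the recipe cannot set $PYTHON to the target path.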

* Re: AppArmor
       [not found] <mailman.66388.1498056021.15860.yocto@yoctoproject.org>
@ 2017-06-21 20:41 ` Gunnar Andersson
  0 siblings, 0 replies; 10+ messages in thread
From: Gunnar Andersson @ 2017-06-21 20:41 UTC (permalink / raw)
  To: yocto


Dominig ar Foll writes:

> I have been presenting AGL's Smack-based security model in quite a few
> conferences over the world and not many people have come to me
> to talk about their "solution" working either on SELinux or
> AppArmor. So far I have the impression that AGL is quite unique in
> its full integration of an LSM module in an embedded project.
>
> One of the members of the Genivi Alliance (I believe it was Bosch with
> its product called at the time eCore) told (about 3 years ago)
> that they would put their security framework, which was based on
> AppArmor, in the Open, but I have never heard about it since then.

https://apertis.org

Code and docs came out around a year after the initial announcement under
the new name, so it has been published about 2 years or so.

Apertis builds with OBS, so it might not directly help the OP however.


- Gunnar

-- 
Gunnar Andersson <gandersson@genivi.org>
Development Lead
GENIVI Alliance




