apparmor support

apparmor support

[Ratan Gupta]

[-- Attachment #1: Type: text/plain, Size: 1494 bytes --]

Hi All,

I was trying to pull apparmor in openbmc, all the user space application
got pulled however I was unable to build the kernel with apparmor support.

I made the following kernel configuration to include the apparmor(
https://github.com/openbmc/linux/blob/dev-5.10/Documentation/admin-guide/LSM/apparmor.rst
)

CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y


*CONFIG_SECURITY_APPARMOR=yCONFIG_DEFAULT_SECURITY="apparmor"CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1*
CONFIG_AUDIT=y


In the build tree, kernel is not picking the above config parameters and I
was getting the following logs in the config_build_log which suggest that
kernel doesn't like these config.

tmp/work-shared/hgx/kernel-source/.kernel-meta/cfg/merge_config_build.log

Value requested for CONFIG_SECURITY_PATH not in final .config
Requested value:  CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_PATH=y
Actual value:

Value requested for CONFIG_SECURITY_APPARMOR not in final .config
Requested value:  CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR=y
Actual value:

Value requested for CONFIG_DEFAULT_SECURITY not in final .config
Requested value:  CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_DEFAULT_SECURITY="apparmor"
Actual value:

Value requested for CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE not in final
.config
Requested value:  CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
Actual value:

Can somebody suggest me what I am missing here?

Ratan Gupta

[-- Attachment #2: Type: text/html, Size: 1913 bytes --]

Re: apparmor support

[Ratan Gupta]

[-- Attachment #1: Type: text/plain, Size: 2427 bytes --]

Hi Team,

Does anybody have any experience in writing the apparmor profile and
confine some of the openbmc application? I pulled the apparmor in the
openbmc image but it is not confining the openbmc application.Confining the
application on ubuntu works fine but that is not true with openbmc.

I am chasing this issue with apparmor team through
https://gitlab.com/apparmor/apparmor/-/issues/183

Ratan

On Tue, Jul 27, 2021 at 1:27 PM Ratan Gupta <ratankgupta31@gmail.com> wrote:

> Ignore my previous email, I got the issue that CONFIG_SECURITY should have
> been enabled also(That is a dependency)
>
> https://github.com/openbmc/linux/blob/1519240139a91e3dbc97d8f79de29a22a3328257/security/apparmor/Kconfig#L4
>
> On Tue, Jul 27, 2021 at 11:42 AM Ratan Gupta <ratankgupta31@gmail.com>
> wrote:
>
>> Hi All,
>>
>> I was trying to pull apparmor in openbmc, all the user space application
>> got pulled however I was unable to build the kernel with apparmor support.
>>
>> I made the following kernel configuration to include the apparmor(
>> https://github.com/openbmc/linux/blob/dev-5.10/Documentation/admin-guide/LSM/apparmor.rst
>> )
>>
>> CONFIG_SECURITYFS=y
>> CONFIG_SECURITY_NETWORK=y
>> CONFIG_SECURITY_PATH=y
>> CONFIG_SECURITY_APPARMOR=y
>> CONFIG_DEFAULT_SECURITY="apparmor"
>> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_AUDIT=y
>>
>>
>> In the build tree, kernel is not picking the above config parameters and
>> I was getting the following logs in the config_build_log which suggest that
>> kernel doesn't like these config.
>>
>> tmp/work-shared/hgx/kernel-source/.kernel-meta/cfg/merge_config_build.log
>>
>> Value requested for CONFIG_SECURITY_PATH not in final .config
>> Requested value:  CONFIG_SECURITY_PATH=y
>> CONFIG_SECURITY_PATH=y
>> Actual value:
>>
>> Value requested for CONFIG_SECURITY_APPARMOR not in final .config
>> Requested value:  CONFIG_SECURITY_APPARMOR=y
>> CONFIG_SECURITY_APPARMOR=y
>> Actual value:
>>
>> Value requested for CONFIG_DEFAULT_SECURITY not in final .config
>> Requested value:  CONFIG_DEFAULT_SECURITY="apparmor"
>> CONFIG_DEFAULT_SECURITY="apparmor"
>> Actual value:
>>
>> Value requested for CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE not in final
>> .config
>> Requested value:  CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> Actual value:
>>
>> Can somebody suggest me what I am missing here?
>>
>> Ratan Gupta
>>
>

[-- Attachment #2: Type: text/html, Size: 3566 bytes --]

Re: apparmor support

[Ratan Gupta]

[-- Attachment #1: Type: text/plain, Size: 1881 bytes --]

Ignore my previous email, I got the issue that CONFIG_SECURITY should have
been enabled also(That is a dependency)
https://github.com/openbmc/linux/blob/1519240139a91e3dbc97d8f79de29a22a3328257/security/apparmor/Kconfig#L4

On Tue, Jul 27, 2021 at 11:42 AM Ratan Gupta <ratankgupta31@gmail.com>
wrote:

> Hi All,
>
> I was trying to pull apparmor in openbmc, all the user space application
> got pulled however I was unable to build the kernel with apparmor support.
>
> I made the following kernel configuration to include the apparmor(
> https://github.com/openbmc/linux/blob/dev-5.10/Documentation/admin-guide/LSM/apparmor.rst
> )
>
> CONFIG_SECURITYFS=y
> CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_PATH=y
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_DEFAULT_SECURITY="apparmor"
> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> CONFIG_AUDIT=y
>
>
> In the build tree, kernel is not picking the above config parameters and I
> was getting the following logs in the config_build_log which suggest that
> kernel doesn't like these config.
>
> tmp/work-shared/hgx/kernel-source/.kernel-meta/cfg/merge_config_build.log
>
> Value requested for CONFIG_SECURITY_PATH not in final .config
> Requested value:  CONFIG_SECURITY_PATH=y
> CONFIG_SECURITY_PATH=y
> Actual value:
>
> Value requested for CONFIG_SECURITY_APPARMOR not in final .config
> Requested value:  CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR=y
> Actual value:
>
> Value requested for CONFIG_DEFAULT_SECURITY not in final .config
> Requested value:  CONFIG_DEFAULT_SECURITY="apparmor"
> CONFIG_DEFAULT_SECURITY="apparmor"
> Actual value:
>
> Value requested for CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE not in final
> .config
> Requested value:  CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> Actual value:
>
> Can somebody suggest me what I am missing here?
>
> Ratan Gupta
>

[-- Attachment #2: Type: text/html, Size: 2631 bytes --]

apparmor support

[Ratan Gupta]

[-- Attachment #1: Type: text/plain, Size: 1492 bytes --]

Hi All,

I was trying to pull apparmor in openbmc, all the user space application
got pulled however I was unable to build the kernel with apparmor support.

I made the following kernel configuration to include the apparmor(
https://github.com/openbmc/linux/blob/dev-5.10/Documentation/admin-guide/LSM/apparmor.rst
)

CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_AUDIT=y


In the build tree, kernel is not picking the above config parameters and I
was getting the following logs in the config_build_log which suggest that
kernel doesn't like these config.

tmp/work-shared/hgx/kernel-source/.kernel-meta/cfg/merge_config_build.log

Value requested for CONFIG_SECURITY_PATH not in final .config
Requested value:  CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_PATH=y
Actual value:

Value requested for CONFIG_SECURITY_APPARMOR not in final .config
Requested value:  CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR=y
Actual value:

Value requested for CONFIG_DEFAULT_SECURITY not in final .config
Requested value:  CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_DEFAULT_SECURITY="apparmor"
Actual value:

Value requested for CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE not in final
.config
Requested value:  CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
Actual value:

Can somebody suggest me what I am missing here?

Ratan Gupta

[-- Attachment #2: Type: text/html, Size: 1782 bytes --]