Skip to content

Initial AppArmor support

Administrator requested to merge apparmor into master

I've created a new repository for postmarketOS apparmor profiles, with initial profiles for gnome-calculator and postmarketos-welcome-gtk3: https://gitlab.com/postmarketOS/postmarketos-apparmor-profiles

Architecture

With the APKBUILD in this repository:

  • all pmOS apparmor profiles are in that one repository (allows to easily audit the whole thing, dependencies are clear, we can add CI)
  • the profiles are split up per related pmOS/Alpine package. Right now this generates a subpackage for gnome-calculator and another subpackage for postmarketos-welcome-gtk3
  • the related subpackage will get installed automatically if postmarketos-apparmor-profiles and the related package is installed (install_if).
    • this way we only have profiles on the target device for which we actually have the applications installed.
    • important, so we don't needlessly load all the profiles on boot for applications that are not even installed.
    • alpine has similar logic to automatically install man-pages etc.
  • even though a lot is going on per profile/subpackage, the APKBUILD is short and it is only needed to add new profiles in one place in the APKBUILD.
  • check-apkbuild.sh makes sure, the variable does contain just the profile names from the repository and nothing else.

Note that this is not the only way this could be done, and it might as well change in the future. My idea would be to do a similar git repo and package in Alpine Linux (so we have most profiles in Alpine's repo and only the pmOS specific stuff in our repo, much like pmaports <> aports). I'll write a mailing list post and link it.

Note about the current apparmor-profiles package in Alpine's aports: these are example profiles from apparmor.git (here). It is not adjusted to Alpine and contains some weird things like nvidia_modprobe. The new postmarketos-apparmor-profiles repository is based on a minimalistic subset of these configs, and has been adjusted for Alpine's paths.

kconfig check

Related pmbootstrap merge request for kconfig checks: https://gitlab.com/postmarketOS/pmbootstrap/-/merge_requests/2133

For initial testing, I've configured linux-postmarketos-allwinner. With the pmbootstrap kconfig check adjustments, it should be easy to adjust your device's kernel too.

Test plan

  • install linux-postmarketos-allwinner from this MR
    • or enable apparmor config flags for your kernel (pmbootstrap kconfig check --apparmor your-kernel) and build it
  • apk add postmarketos-apparmor-profiles apparmor apparmor-utils
  • rc-update add apparmor boot
  • reboot
  • run gnome-calculator or postmarketos-welcome
$ sudo aa-status
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/gnome-calculator
   /usr/bin/postmarketos-welcome
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/gnome-calculator (6138) 
   /usr/bin/postmarketos-welcome (6183) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

Playing around with the profiles:

  • remove /etc/welcome-message r, from /etc/apparmor.d/postmarketos-welcome-gtk3
  • reload the profile: sudo apparmor_parser -r /etc/apparmor.d/postmarketos-welcome-gtk3
  • start the welcome app again, note how it isn't allowed to display the welcome text
  • the violation is logged in dmesg
Edited by Administrator

Merge request reports