AppArmor now available in Karmic — testing needed July 15, 2009
Posted by jdstrand in security, ubuntu, ubuntu-server. Tags: canonical
After a lot of hard work by John Johansen and the Ubuntu kernel team, bug #375422 is well on its way to being fixed. Rather than just being forward-ported for Ubuntu, AppArmor has been reworked to use the updated kernel infrastructure for LSMs. As seen in #apparmor on Freenode a couple of days ago:
11:24 < jjohansen> I am working to a point where I can try upstreaming again, base off of the security_path_XXX patches instead of the vfs patches
11:24 < jjohansen> so the module is mostly self contained again
These patches are in the latest 9.10 kernel, and help is needed testing AppArmor in Karmic. To get started, verify you have at least 2.6.31-3.19-generic:
$ cat /proc/version_signature
Ubuntu 2.6.31-3.19-generic
AppArmor will be enabled by default for Karmic just like in previous Ubuntu releases, but it is off for now until a few kinks are worked out. To test it right away, reboot with ‘security=apparmor’ added to the kernel command line, then run ‘aa-status’ to see whether it is enabled. A fresh install of 9.10 as of today should look something like:
$ sudo aa-status
apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
/usr/lib/connman/scripts/dhclient-script
/usr/share/gdm/guest-session/Xsession
/usr/sbin/tcpdump
/usr/lib/cups/backend/cups-pdf
/sbin/dhclient3
/usr/sbin/cupsd
/sbin/dhclient-script
/usr/lib/NetworkManager/nm-dhcp-client.action
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode :
/sbin/dhclient3 (3271)
/usr/sbin/cupsd (2645)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
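As an added example that is not part of the original post, the following POSIX shell script checks the two things a tester is asked to verify above: that the kernel is at least 2.6.31-3.19 and what aa-status reports. Both checks work on text (a /proc/version_signature line and an aa-status transcript), so they can also be run against a saved log; the function names, the --live flag and the embedded sample are mine, the sample being the summary lines of the listing above.

```shell
#!/bin/sh
# Added example, not from the original post: checks the two things a Karmic
# tester is asked to verify. Both checks work on text (a /proc/version_signature
# line and an aa-status transcript), so they also run against a saved log.

MIN_VERSION="2.6.31-3.19"   # minimum kernel named in the post

# kernel_ok "Ubuntu 2.6.31-3.19-generic": succeed if the version is at least
# MIN_VERSION, comparing each dotted/dashed component numerically.
kernel_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/^Ubuntu \([0-9.]*-[0-9.]*\)-.*/\1/p')
    [ -n "$v" ] || return 1
    set -- $(printf '%s' "$MIN_VERSION" | sed 's/[.-]/ /g')
    for h in $(printf '%s' "$v" | sed 's/[.-]/ /g'); do
        w=${1:-0}; [ $# -gt 0 ] && shift
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# aa_summary "<aa-status output>": print enforce/complain profile counts and the
# number of processes that have a profile but are unconfined. A non-zero last
# figure usually means the profile was loaded after the daemon started, so the
# process must be restarted before it is actually confined.
aa_summary() {
    printf '%s\n' "$1" | awk '
        /profiles are in enforce mode/                        { e = $1 }
        /profiles are in complain mode/                       { c = $1 }
        /processes are unconfined but have a profile defined/ { u = $1 }
        END { printf "enforce=%d complain=%d unconfined=%d\n", e, c, u }'
}

# Run both checks on the live system (aa-status needs root).
check_live() {
    kernel_ok "$(cat /proc/version_signature 2>/dev/null)" \
        || { echo "kernel older than $MIN_VERSION or not an Ubuntu kernel"; return 1; }
    aa_summary "$(sudo aa-status)"
}

# Constructed sample: the summary lines of the aa-status listing from the post.
SAMPLE='apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
0 profiles are in complain mode.
2 processes have profiles defined.
0 processes are unconfined but have a profile defined.'

if [ "$1" = "--live" ]; then
    check_live
else
    kernel_ok "Ubuntu 2.6.31-3.19-generic" && echo "kernel ok"
    aa_summary "$SAMPLE"     # prints: enforce=8 complain=0 unconfined=0
fi
```

Run it with --live on the Karmic box to check the running kernel and the current aa-status output; without arguments it only exercises the checks on the embedded sample.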
Please throw all your crazy profiles at it, test the packages that ship with existing profiles, and then file bugs:
- For the kernel, add your comments (positive and negative) to bug #375422
- AppArmor tools bugs should be filed with ‘ubuntu-bug apparmor’
- Profile bugs should be filed against the individual source package with ‘ubuntu-bug <source package name>’. See DebuggingApparmor for details.
Thank you Ubuntu Kernel team and especially John for all the hard work on getting the “MAC system for human beings” (as I like to call it) not only working again, but upstreamable — this is really great stuff! :)
Is there still work being done to get it into Linus’ kernel?
Yes! This is why I quoted John’s IRC message and said thanks for getting AppArmor “not only working again, but upstreamable”. The patches have been reworked with the ultimate goal to get them upstreamed into the official Linux kernel. This will make AppArmor much easier to maintain for Ubuntu (and elsewhere). Excellent progress has been made with regard to the patches themselves and once AppArmor is solid in Karmic’s kernel, look for it to be submitted to the upstream kernel.
Doh thanks, I should RTFP I guess ;)
This is really excellent news.
Smack, SELinux, Tomoyo, AppArmor … Linux will be soo secure ;)
But Debian is still on the dark SELinux side of things, right?
Debian has only SELinux support as far as I know (Ubuntu has SELinux support in universe, btw). However, I can easily imagine AppArmor support in Debian once it is in the official kernel.
Can confirm this works fine on my Karmic install on my laptop.
Excellent! Feel free to add your positive feedback to https://bugs.launchpad.net/ubuntu/+source/linux/+bug/375422.