
AppArmor now available in Karmic — testing needed July 15, 2009

Posted by jdstrand in security, ubuntu, ubuntu-server.

After a lot of hard work by John Johansen and the Ubuntu kernel team, bug #375422 is well on its way to being fixed. More than just being forward-ported for Ubuntu, AppArmor has been reworked to use the kernel's updated LSM infrastructure. As seen in #apparmor on Freenode a couple of days ago:

11:24 < jjohansen> I am working to a point where I can try upstreaming again, base off of the security_path_XXX patches instead of the vfs patches
11:24 < jjohansen> so the module is mostly self contained again

These patches are in the latest 9.10 kernel, and help is needed testing AppArmor in Karmic. To get started, verify that you have at least 2.6.31-3.19-generic:

$ cat /proc/version_signature
Ubuntu 2.6.31-3.19-generic

AppArmor will be enabled by default for Karmic just like in previous Ubuntu releases, but it is off for now until a few kinks are worked out. To test it right away, you’ll need to reboot, adding ‘security=apparmor’ to the kernel command line. Then fire up ‘aa-status’ to see if it is enabled. A fresh install of 9.10 as of today should look something like:

$ sudo aa-status
apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
/usr/lib/connman/scripts/dhclient-script
/usr/share/gdm/guest-session/Xsession
/usr/sbin/tcpdump
/usr/lib/cups/backend/cups-pdf
/sbin/dhclient3
/usr/sbin/cupsd
/sbin/dhclient-script
/usr/lib/NetworkManager/nm-dhcp-client.action
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode :
/sbin/dhclient3 (3271)
/usr/sbin/cupsd (2645)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
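A small shell helper, added here and not part of the original post, that automates the two checks above: whether the running kernel meets the 2.6.31-3.19 minimum, and whether aa-status reports any process that has a profile but is running unconfined (the usual sign that a service started before its profile was loaded and needs a restart). It assumes the aa-status output format shown above; the short sample with an unconfined dhclient3 is constructed.

```shell
#!/bin/sh
# Added helper (not from the original post): check the kernel version from
# /proc/version_signature and summarise aa-status output. Runs offline.

MIN_VERSION="2.6.31-3.19"   # minimum stated in the post

# kernel_is_new_enough "<contents of /proc/version_signature>"
# Returns 0 when the Ubuntu kernel version is >= MIN_VERSION.
kernel_is_new_enough() {
    # "Ubuntu 2.6.31-3.19-generic" -> "2.6.31-3.19" (drop prefix and flavour)
    ver=$(printf '%s\n' "$1" | sed -e 's/^Ubuntu //' -e 's/-[a-z][a-z-]*$//')
    # compare component by component (2 6 31 3 19) against the minimum
    printf '%s\n%s\n' "$MIN_VERSION" "$ver" | awk -F'[.-]' '
        NR == 1 { for (i = 1; i <= NF; i++) min[i] = $i; n = NF; next }
        {
            for (i = 1; i <= n; i++) {
                if ($i + 0 > min[i] + 0) exit 0
                if ($i + 0 < min[i] + 0) exit 1
            }
            exit 0
        }'
}

# aa_status_summary < aa-status output
# Prints "enforce=N complain=N unconfined=N" and returns 1 when a process
# has a profile but runs unconfined (started before its profile loaded).
aa_status_summary() {
    awk '
        /profiles are in enforce mode/  { e = $1 }
        /profiles are in complain mode/ { c = $1 }
        /processes are unconfined but have a profile defined/ { u = $1 }
        END {
            printf "enforce=%d complain=%d unconfined=%d\n", e, c, u
            exit (u > 0)
        }'
}

# Constructed sample: dhclient3 was started before its profile was loaded.
SAMPLE_UNCONFINED='2 profiles are in enforce mode.
0 profiles are in complain mode.
1 processes are unconfined but have a profile defined.
/sbin/dhclient3 (3271)'

kernel_is_new_enough "Ubuntu 2.6.31-3.19-generic" && echo "kernel is new enough"
printf '%s\n' "$SAMPLE_UNCONFINED" | aa_status_summary || echo "restart the unconfined service"
```

On a real box, feed it `"$(cat /proc/version_signature)"` and `sudo aa-status | aa_status_summary` instead of the sample.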

Please throw all your crazy profiles at it, test the packages that ship with existing profiles, and then file bugs:

  • For the kernel, add your comments (positive and negative) to bug #375422
  • AppArmor tools bugs should be filed with ‘ubuntu-bug apparmor’
  • Profile bugs should be filed against the individual source package with ‘ubuntu-bug <source package name>’. See DebuggingApparmor for details.

Thank you Ubuntu Kernel team and especially John for all the hard work on getting the “MAC system for human beings” (as I like to call it) not only working again, but upstreamable — this is really great stuff! :)

Comments

1. Jon - July 15, 2009

Is there still work being done to get it into Linus’ kernel?

jdstrand - July 15, 2009

Yes! This is why I quoted John’s IRC message and said thanks for getting AppArmor “not only working again, but upstreamable”. The patches have been reworked with the ultimate goal to get them upstreamed into the official Linux kernel. This will make AppArmor much easier to maintain for Ubuntu (and elsewhere). Excellent progress has been made with regard to the patches themselves and once AppArmor is solid in Karmic’s kernel, look for it to be submitted to the upstream kernel.

2. Jon - July 15, 2009

Doh thanks, I should RTFP I guess ;)

This is really excellent news.
Smack, SELinux, Tomoyo, AppArmor … Linux will be soo secure ;)

But Debian is still on the dark SELinux side of things, right?

jdstrand - July 15, 2009

Debian has only SELinux support as far as I know (Ubuntu has SELinux support in universe, btw). However, I can easily imagine AppArmor support in Debian once it is in the official kernel.

3. Andy Rogers - July 15, 2009

Can confirm this works fine on my Karmic install on my laptop.

jdstrand - July 15, 2009

Excellent! Feel free to add your positive feedback to https://bugs.launchpad.net/ubuntu/+source/linux/+bug/375422.
