[apparmor] Yocto apparmor porting
John Johansen
john.johansen at canonical.com
Mon Nov 2 13:58:43 UTC 2015
On 10/31/2015 12:52 AM, Jae Suk Park wrote:
> Are there any guides regarding 'AppArmor porting to embedded Linux' like the Yocto project?
>
> I tried these procedures, but there seem to be plenty of things remaining.
>
> 1. Install AppArmor with apt-get in Ubuntu.
>
> 2. Install AppArmor from source code after compiling and 'make install' in Ubuntu. (This requires the Python 2.7 module 'apparmor.tools', which is an impossible mission to solve.)
>
The core library is C, with the compiler in C/C++. This is the minimum set you will need to be able to load policy.
Many of the userspace tools are written in Python; there are still a few utils/scripts written in Perl. None of these are required, but they are nice to have.
Python 2 should not be required, but I think it is still supported by the tools. I know we have been looking at/discussing when we can drop Python 2 support and just support Python 3.
> Yocto porting needs many manual procedures.
> 3. Kernel config for LSM and enabling the AppArmor module.
>
Config-wise, I would recommend the defaults in the AppArmor config. It is what Ubuntu, SUSE, ... use.
In addition you will need to ensure the LSM is enabled and networking is enabled, and set the default security module to AppArmor.
Ubuntu uses the dev branch of AppArmor, which has not been upstreamed yet. It provides more features and has a different set of bugs, but it does have a set of backport kernels and patches that provide device support back to the 3.4 kernel. There are some patches back to 3.0, but they have not been updated/revised or tested since Ubuntu dropped support for the Maguro Nexus device.
> 4. Writing a bb file (config, compile, install to various paths, etc.)
>
I have never done this.
> 5. Install to various directories manually.
> /etc/apparmor
> /etc/apparmor.d
These are the default policy and config file dirs.
They are not needed at first, but you will want at least /etc/apparmor/ and to set some config options if you want policy to load on boot.
> /usr/lib/python2.7/site-packages/apparmor
> /usr/lib/python2.7/site-packages/LibAppArmor
These are needed by the utils.
> /lib/apparmor/functions
These are for the boot scripts; you don't need them for early bring-up, and may not need them at all on systemd (I'm not sure how far the systemd support is along here, the goal being to remove the need for them completely).
>
> I met many obstacles during each procedure.
>
Again at a minimum you will need the parser (policy compiler) and the library. This is a smaller target, and is what I would start with for userspace.
> Is there anybody who would share their experience?
>
I haven't done anything with Yocto, but it should be fairly similar to porting to any other platform/packaging format.
You need to get the various pieces to build, and choose where to install them. You can drop and skip pieces as needed, and come back to them later as you have time/understand the packaging and layout of the system. Start out small: just get the kernel to build and boot (the defaults for AppArmor don't require a policy to be loaded), or just get the library to build and install, then the parser.
There are a lot of little bits and pieces; if you try to tackle them all at once you will get overwhelmed. Hopefully it will be easier if you focus on smaller chunks.
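The kernel-config advice in the reply above (LSM enabled, networking hooks enabled, AppArmor as the default security module) as a check you can run against the .config your Yocto kernel recipe produces, plus a run-time check for the booted target. This is an added example, not part of John's reply or of the AppArmor project's own scripts. It assumes the Kconfig option names of kernels of that period (CONFIG_SECURITY, CONFIG_SECURITY_NETWORK, CONFIG_SECURITY_APPARMOR, CONFIG_DEFAULT_SECURITY_APPARMOR; in 5.1+ kernels the default LSM is chosen with CONFIG_LSM instead), that /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles are present on the target, and the two sample .config fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a kernel .config
# for the options AppArmor needs before building the Yocto kernel, and
# report AppArmor status on a booted kernel.
#
# Assumptions: Kconfig names follow pre-5.1 kernels, where the default LSM
# is chosen with CONFIG_DEFAULT_SECURITY_*; the two sample configs below
# are constructed for this example and are not real build output.

# Kconfig lines that must appear verbatim: the LSM framework, its
# networking hooks, AppArmor itself, and AppArmor as the default LSM.
REQUIRED_OPTS="CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y"

# check_apparmor_config FILE
# Prints one "missing: CONFIG_..." line per absent or disabled option.
# Returns 0 when every required option is set, 1 otherwise.
check_apparmor_config() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        # -x matches the whole line, so "# CONFIG_FOO is not set" and
        # CONFIG_DEFAULT_SECURITY_SELINUX=y do not count as hits.
        if ! grep -qx "$opt" "$cfg"; then
            echo "missing: $opt"
            rc=1
        fi
    done
    return $rc
}

# apparmor_runtime_status
# On the booted target: is AppArmor enabled, and how many profiles are
# loaded? Zero profiles is fine for early bring-up, as the reply notes.
# (Assumed sysfs/securityfs paths; securityfs must be mounted for the
# profile count.)
apparmor_runtime_status() {
    enabled=/sys/module/apparmor/parameters/enabled
    profiles=/sys/kernel/security/apparmor/profiles
    if [ -r "$enabled" ] && [ "$(cat "$enabled")" = "Y" ]; then
        if [ -r "$profiles" ]; then
            echo "apparmor enabled, $(wc -l < "$profiles") profiles loaded"
        else
            echo "apparmor enabled, securityfs not mounted"
        fi
        return 0
    fi
    echo "apparmor not enabled in the running kernel"
    return 1
}

# Constructed sample configs: one with the defaults the reply recommends,
# one where another LSM is the default and the network hooks are off.
write_sample_configs() {
    GOOD_CFG=$(mktemp)
    BAD_CFG=$(mktemp)
    cat > "$GOOD_CFG" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
EOF
    cat > "$BAD_CFG" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
EOF
}

write_sample_configs
echo "== checking $GOOD_CFG"
check_apparmor_config "$GOOD_CFG" && echo "ok: all AppArmor options set"
echo "== checking $BAD_CFG"
check_apparmor_config "$BAD_CFG" || echo "fix the options above before building"
```

To use it on a real build, point check_apparmor_config at the .config in the kernel's build directory (for example under tmp/work-shared/<machine>/kernel-build-artifacts/ in a Yocto tree, though the exact path depends on your layers) and run apparmor_runtime_status on the target after boot; a kernel that passes the config check but reports "not enabled" usually means the apparmor= boot parameter or the default-LSM setting is wrong.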