[apparmor] Yocto apparmor porting
Jae Suk Park
jspark99 at gmail.com
Wed Nov 4 01:18:45 UTC 2015
Thanks for replying :)
Regarding issue No. 2 (Python module apparmor.tools error), I guess the README
file in the Apparmor source packages needs amendments.
I followed this procedure, but it resulted in "ImportError: No module named
apparmor.tools":
libapparmor:
$ cd ./libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl
$ make
$ make install
Utilities:
$ cd utils
$ make
$ make install
ubuntu 14.04]$ sudo aa-complain
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 17, in <module>
    import apparmor.tools
ImportError: No module named apparmor.tools
I tried two ways to install apparmor (the apt-get case and the 'make install' case).
For the apt-get case, I found the apparmor-python related .deb packages in
/var/cache/apt/archives
and found that the python modules are installed in
/usr/lib/python3/dist-packages/apparmor/tools.py
apparmor-profiles_2.8.95~2430-ubuntu5.3_all.deb
apparmor-utils_2.8.95~2430-0ubuntu5.1_i386.deb
python3-apparmor_2.8.95~2430-0ubuntu5.1_i386.deb
python3-libapparmor_2.8.95~2430-0ubuntu5.1_i386.deb
$ dpkg --contents python3-apparmor_2.8.95~2430-0ubuntu5.1_i386.deb
./usr/lib/python3/dist-packages/
./usr/lib/python3/dist-packages/apparmor/logparser.py
$ dpkg --contents python3-libapparmor_2.8.95~2430-0ubuntu5.1_i386.deb
./usr/lib/python3/dist-packages/LibAppArmor-2.8.95.egg-info
./usr/lib/python3/dist-packages/LibAppArmor/
For the 'make install' case, it is installed in
/usr/lib/python2.7/site-packages/apparmor/tools.py
This seems to be the cause of "ImportError: No module named apparmor.tools".
When I copied it manually to
/usr/lib/python2.7/dist-packages/apparmor/tools.py, it worked OK.
Apparmor/utils/python-tools-setup.py imports distutils.command.install.py
and it copies to the relevant paths.
So the README file in the apparmor source packages needs a newer version.
2015-11-02 22:58 GMT+09:00 John Johansen <john.johansen at canonical.com>:
> On 10/31/2015 12:52 AM, Jae Suk Park wrote:
> > are there any guide regarding 'Apparmor porting to embedded linux' like
> > yocto project?
> >
> > I tried these procedures but seems to be plenty of things remained.
> >
> > 1. install apparmor with apt-get in ubuntu.
> >
> > 2. install apparmor from source code after compiling and 'make install'
> > in ubuntu. (This requires python2.7 module 'apparmor.tools' which is
> > impossible mission to solve)
> >
> The core library is C, with the compiler in C/C++. This is the minimum set
> you will need to be able to load policy.
>
> Many of the userspace tools are written in python, there are still a few
> utils/scripts written in perl, none of these are required but are nice to
> have.
>
> Python 2 should not be required, but is I think still supported by the
> tools. I know we have been looking at/discussing some when we can drop
> python 2 support and just support python 3
>
> > Yocto porting needs many manual procedures.
>
> > 3. kernel config for LSM and enable apparmor module.
> >
> config wise, I would recommend the defaults in the apparmor config. It is
> what ubuntu, suse, ... use.
>
> In addition you will need to ensure the lsm is enabled, and networking are
> enabled, and set the default security module to apparmor.
>
> Ubuntu use the dev branch of apparmor which has not been upstreamed yet.
> It provides more features, and has a different set of bugs, but it does
> have a set of backport kernels, and patches that provide device support
> back to the 3.4 kernel, there are some patches back to 3.0 but they have
> not been updated/revised or tested since Ubuntu dropped support of the
> Maguro nexus device.
>
> > 4. writing bb file ( config, compile, install to various paths, )
> >
> I have never done this
>
> > 5. install to various directory manually.
> > /etc/apparmor
> > /etc/apparmor.d
> these are the default policy, and config file dirs
>
> they are not needed at first, but you will want at least /etc/apparmor/
> and to set some config options if you want policy to load on boot
>
> > /usr/lib/python2.7/site-packages/apparmor
> > /usr/lib/python2.7/site-packages/LibAppArmor
> these are needed by the utils
>
> > /lib/apparmor/functions
> these are for the boot scripts, you don't need them for early bring up,
> and may not need them at all on systemd (I'm not sure how far the systemd
> support is along here, the goal being to remove their need completely).
>
> >
> > I met many obstacles during each procedures.
> >
> Again at a minimum you will need the parser (policy compiler) and the
> library. This is a smaller target, and is what I would start with for
> userspace.
>
> > Is there anybody would share your experience?
> >
> I haven't done anything with yocto, but it should be fairly similar to
> porting to any other platform/packaging format.
>
> You need to get the various pieces to build, and choose where to install
> them. You can drop and skip pieces as needed, and come back to them later
> as you have time/understand the packaging and layout of the system. Start
> out small, just get the kernel to build and boot, the defaults for apparmor
> don't require a policy be loaded, or just get the library to build and
> install, then the parser.
>
> There are a lot of little bits and pieces, if you try to tackle them all
> at once you will get overwhelmed. Hopefully it will be easier if you focus
> on smaller chunks.
>
>
>
>
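An added example, not part of the original message or of AppArmor's own code: a small Python check for the mismatch described above, where 'make install' placed apparmor/tools.py under site-packages while the interpreter running aa-complain searched dist-packages. The function names and the constructed directory tree are assumptions made for illustration.

```python
import os
import sys
import tempfile


def module_relpath(dotted):
    """'apparmor.tools' -> 'apparmor/tools.py' (a plain module file, as on the page)."""
    return os.path.join(*dotted.split(".")) + ".py"


def find_copies(dotted, scan_roots):
    """Return every directory under scan_roots that holds the module file."""
    rel = module_relpath(dotted)
    hits = []
    for root in scan_roots:
        for dirpath, _dirnames, _files in os.walk(root):
            if os.path.isfile(os.path.join(dirpath, rel)):
                hits.append(os.path.realpath(dirpath))
    return hits


def diagnose(dotted, search_path, scan_roots):
    """Split installed copies into those on the import path and those that are not."""
    on_path = {os.path.realpath(p) for p in search_path if p}
    copies = find_copies(dotted, scan_roots)
    return {
        "importable": [d for d in copies if d in on_path],
        "stranded": [d for d in copies if d not in on_path],
    }


def build_sample_tree(base):
    """Constructed layout mirroring the message: module present in site-packages only."""
    site = os.path.join(base, "usr/lib/python2.7/site-packages")
    dist = os.path.join(base, "usr/lib/python2.7/dist-packages")
    os.makedirs(os.path.join(site, "apparmor"))
    os.makedirs(dist)
    for name in ("__init__.py", "tools.py"):
        open(os.path.join(site, "apparmor", name), "w").close()
    return site, dist


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        site, dist = build_sample_tree(base)
        print(diagnose("apparmor.tools", [dist], [base]))
    # On a real system: compare what is installed with this interpreter's sys.path.
    print(diagnose("apparmor.tools", sys.path, ["/usr/lib"]))
```

Run it with the same interpreter that the failing script's shebang line selects, since python2.7 and python3 each have their own sys.path.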