[apparmor] How to test if apparmor is built in kernel
Tyler Hicks
tyhicks at canonical.com
Thu Mar 10 17:33:32 UTC 2016
On 2016-03-10 09:26:32, John Johansen wrote:
> On 03/10/2016 07:10 AM, Jeroen Ooms wrote:
> > What would be a good method for a configure script to test if the
> > current kernel has apparmor support (even if apparmor is not actually
> > installed or has been disabled at boot)?
> >
> > I would like the configure script to suggest on e.g. Debian that
> > apparmor is supported (even though it might require modifying
> > /etc/default/grub and/or installing libapparmor-dev) but on Fedora /
> > CentOS it should silently build without apparmor.
> >
>
> can you link against libapparmor?
>
> It has a function that provides this information for you
>
> see man aa_is_enabled
>
> if you can't do that, the basic of it are check for /sys/modules/apparmor
> if apparmor is builtin, it will be there, even if it is disabled.
>
> if its there then you can check for /sys/modules/apparmor/parameters/enabled
> and if that is set to Y then you can check for the securityfs mount and
> the apparmor dir within it.
>
> again if you can link to lib apparmor there is a helper fn to find the mount
> point
> see man aa_find_mountpoint
Also worth noting is that the upcoming apparmor userspace 2.11 release
will include a new binary called aa-enabled:
$ ./binutils/aa-enabled
Yes
It may be too little too late.
Tyler
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160310/1c622bb0/attachment.pgp>
More information about the AppArmor
mailing list