How to enable AppArmor on Raspberry Pi 2

The Raspberry Pi’s Linux kernel is built with AppArmor disabled.

The steps to enable AppArmor on a Raspberry Pi 2 are described below.

I use a Raspberry Pi 2 Model B, and the Linux distribution is Debian GNU/Linux 9.

1. Install the AppArmor-related packages.

# apt-get install apparmor apparmor-utils apparmor-profiles

2. Clone the kernel sources and set up the .config file.

For details about kernel building, see “Kernel building – Raspberry Pi Documentation”.

$ git clone --depth=1 https://github.com/raspberrypi/linux
$ cd linux
$ KERNEL=kernel7
$ make bcm2709_defconfig
$ make menuconfig
  • Enable “Enable different security models” under “Security options”.
  • Then enable “AppArmor support”.
  • Finally, set “AppArmor boot parameter default value” to 0. With this default, AppArmor stays off unless apparmor=1 is passed on the kernel command line.

The parameters that differ between the default .config file and the AppArmor-enabled .config file are listed below.

CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_CRYPTO_SHA1=y
CONFIG_AUDIT_GENERIC=y

3. Rebuild the kernel and install it.

$ make -j4 zImage modules dtbs
$ sudo make modules_install
$ sudo cp arch/arm/boot/dts/*.dtb /boot/
$ sudo cp arch/arm/boot/dts/overlays/*.dtb* /boot/overlays/
$ sudo cp arch/arm/boot/dts/overlays/README /boot/overlays/
$ sudo cp arch/arm/boot/zImage /boot/$KERNEL.img

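4. Set the kernel boot parameters.

Add the parameters below to /boot/cmdline.txt. Append them to the existing line; all parameters in cmdline.txt must stay on a single line.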

 apparmor=1 security=apparmor

5. Reboot and check.

# apparmor_status

Now you can use AppArmor on the Raspberry Pi 2.
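
The script below is an added example, not part of the original post: it checks the results of steps 2 and 4 before the reboot, and the enabled state afterwards. The function names and the choice of which options to check (a subset of the .config diff above) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: verify the AppArmor-related settings from this page.
# Function names are hypothetical; the option list is a subset of the
# .config diff shown in step 2.
REQUIRED_OPTS="CONFIG_AUDIT=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_PATH=y CONFIG_SECURITY_APPARMOR=y"

# Print each required option missing from the given .config.
# Returns 1 if any option is missing, 0 otherwise.
check_kernel_config() {
    cfg=$1
    missing=0
    for opt in $REQUIRED_OPTS; do
        # -x matches the whole line, so "# CONFIG_X is not set" never counts.
        if ! grep -qxF "$opt" "$cfg"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# Returns 0 only if the file is a single line and contains both boot
# parameters from step 4 as whole words.
check_cmdline() {
    file=$1
    if [ "$(grep -c '' "$file")" -ne 1 ]; then
        echo "cmdline.txt must contain exactly one line"
        return 1
    fi
    for param in apparmor=1 security=apparmor; do
        # Split on whitespace so "apparmor=10" does not pass as "apparmor=1".
        if ! tr -s ' \t' '\n\n' < "$file" | grep -qxF "$param"; then
            echo "missing boot parameter: $param"
            return 1
        fi
    done
    return 0
}

# After the reboot: the module parameter reads "Y" when AppArmor is enabled.
# The optional argument overrides the sysfs path (used for testing).
apparmor_enabled() {
    [ "$(cat "${1:-/sys/module/apparmor/parameters/enabled}" 2>/dev/null)" = "Y" ]
}
```

Source the file, then run check_kernel_config linux/.config before building and check_cmdline /boot/cmdline.txt before rebooting; apparmor_enabled complements apparmor_status after the reboot.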
