On 2019-10-29 22:28:42, Justin Dick wrote:
> Hello all -
>
> I'm trying to enable snapd on an embedded device, and looking into getting
> apparmor support sorted out. I'm working with kernel 3.10 and AFAIK have
> everything set up properly in the config. After boot,
> /sys/module/apparmor/parameters/enabled is 'Y', but /sys/kernel/security/ is
> completely empty. I've tried booting with no explicit flags set in the
> kernel boot parameters (relying on the kernel config defaults), and with
> setting "security=apparmor apparmor=1". Nothing seems to help.
>
> Any ideas from anyone? I'm pasting the relevant entries in /proc/config.gz
> below.

You must mount securityfs as part of the boot process. You can do this
manually to verify that it works:

 $ sudo mount -t securityfs securityfs /sys/kernel/security

If that works, you'll need to determine how to best make that happen in
early boot of your embedded device.

Tyler

>
> Thanks, all!
> Justin
>
> -sh-3.2# cat /proc/config.gz | gzip -d | grep SECURITY
> CONFIG_EXT4_FS_SECURITY=y
> # CONFIG_SECURITY_DMESG_RESTRICT is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> CONFIG_SECURITY_NETWORK=y
> # CONFIG_SECURITY_NETWORK_XFRM is not set
> CONFIG_SECURITY_PATH=y
> # CONFIG_SECURITY_SELINUX is not set
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_DEFAULT_SECURITY_APPARMOR=y
> # CONFIG_DEFAULT_SECURITY_DAC is not set
> CONFIG_DEFAULT_SECURITY="apparmor"
> -sh-3.2# ls /sys/kernel/security/
> -sh-3.2# cat /sys/module/apparmor/parameters/enabled
> Y
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
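
The early-boot step suggested in the reply above, as an added example that is not part of the thread or of AppArmor's own tooling: it mounts securityfs only when it is missing and reports which state the AppArmor kernel interface is in. The function names and state words are hypothetical; the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and state words are
# hypothetical; paths default to the ones quoted in the messages above.

# Succeeds if mount table $2 lists a securityfs mounted on directory $1.
securityfs_mounted() {
    awk -v dir="$1" '$2 == dir && $3 == "securityfs" { hit = 1 }
                     END { exit !hit }' "$2"
}

# Prints one state word for the AppArmor kernel interface:
#   module-disabled  the module's "enabled" parameter is not Y
#   not-mounted      module enabled, securityfs not mounted (the thread's symptom)
#   no-apparmor-dir  securityfs mounted, but no apparmor/ directory in it
#   ready            apparmor/ directory is present under securityfs
# $1 = securityfs mount point, $2 = mount table, $3 = module "enabled" file
apparmor_fs_state() {
    secdir=$1 mounts=$2 enabled=$3
    if [ "$(cat "$enabled" 2>/dev/null)" != "Y" ]; then
        echo module-disabled
    elif ! securityfs_mounted "$secdir" "$mounts"; then
        echo not-mounted
    elif [ ! -d "$secdir/apparmor" ]; then
        echo no-apparmor-dir
    else
        echo ready
    fi
}

# Early-boot step: mount securityfs if it is missing, then report the state.
ensure_securityfs() {
    secdir=${1:-/sys/kernel/security}
    mounts=${2:-/proc/mounts}
    enabled=${3:-/sys/module/apparmor/parameters/enabled}
    if [ "$(apparmor_fs_state "$secdir" "$mounts" "$enabled")" = not-mounted ]; then
        mount -t securityfs securityfs "$secdir" || return 1
    fi
    apparmor_fs_state "$secdir" "$mounts" "$enabled"
}

# Run the boot step only when asked to, e.g. "sh this-script --run" from init.
if [ "${1:-}" = "--run" ]; then
    ensure_securityfs
fi
```

Run it as root before any service that loads AppArmor profiles; a result other than `ready` after the mount means the problem lies elsewhere than the missing mount.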
