The officially official Devuan Forum!

You are not logged in.

#1 2021-05-16 19:29:46

Altoid
Member
Registered: 2017-05-07
Posts: 850  

Kernel upgrade: apparmor and tomoyo

Hello:

My 4.19 Devuan Beowulf, unlike ascii which had it disabled by default, set up apparmor as if I had actually asked for it.

I let it stay on and after reading around a bit, decided that it was not worth keeping around.
So I uninstalled it and added apparmor=0 to my kernel command line so it would not be asking for it.

Fast forward to my upgrading the installation to the 5.10 kernel:

groucho@devuan:~$ uname -a
Linux devuan 5.10.0-0.bpo.3-amd64 #1 SMP Debian 5.10.13-1~bpo10+1 (2021-02-11) x86_64 GNU/Linux
groucho@devuan:~$ 

The 5.10 kernel also recommends apparmor:

groucho@devuan:~$ aptitude why apparmor
i   linux-image-5.10.0-0.bpo.3-amd64 Recommends apparmor
groucho@devuan:~$ 

So it does as the upgrade from ascii to Beowulf did and installs apparmor.

Now ...
Seeing that my kernel command line had the apparmor=0 bit, you'd think that it would leave it alone and skip installing apparmor.
After all, it left the rest of the command line stanzas as they were.

But no ...
Not only did it install apparmor but it also removed the apparmor=0 bit from the kernel command line.

No big deal: I just uninstalled it and returned the kernel command line to what I had set it.

Then while looking for clues as to what goes on in my system when I get a bad shutdown, I found this in dmesg:

In dmesg ie: at boot

[   21.906451] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.

Also at shutdown:

In kern.log and syslog:

May 16 13:57:16 devuan kernel: [14429.313238] Not activating Mandatory Access Control as /sbin/tomoyo-init does not exist.

I had to look it up as I had no idea as to what tomoyo was, let alone of its existence.

What is all this about?
Is it just me or am I seeing far too many (unrequired) Mandatory Access Control instances in the Linux kernel?

Cheers,

A.

Last edited by Altoid (2021-05-16 19:30:19)

Offline

#2 2021-05-16 22:00:15

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 572  

Re: Kernel upgrade: apparmor and tomoyo

What is all this about?
Is it just me or am I seeing far too many (unrequired) Mandatory Access Control instances in the Linux kernel?

I would call it Way Too Many.

tomoyo-tools seems to be to be upstreamed from http://tomoyo.osdn.jp/ (and why that is enabled in debian's standard linux-image is unkown to me). Apparently adding security=none to the boot command should disable this one.

Offline

#3 2021-05-16 22:30:18

Altoid
Member
Registered: 2017-05-07
Posts: 850  

Re: Kernel upgrade: apparmor and tomoyo

Hello:

ralph.ronnquist wrote:

... Way Too Many.

Indeed ...

ralph.ronnquist wrote:

tomoyo-tools ...
... why that is enabled in debian's standard linux-image is unkown to me ...

Hmm ...
Maybe it's yet another one of Poettering's brillant ideas?

ralph.ronnquist wrote:

Apparently adding security=none to the boot command should disable this one.

I was wondering about that.
A bit for disabling apparmor but none for disabling tomoyo?

I think not:
https://wiki.archlinux.org/title/TOMOYO_Linux#

wiki.archlinux wrote:

TOMOYO Linux 2.x is the Linux mainline kernel branch of development. In June 2009, TOMOYO was merged into the Linux kernel version 2.6.30 and it uses standard Linux Security Module (LSM) hooks. However, the LSM hooks must be extended further in order to port the full MAC functionality of TOMOYO Linux into the Linux kernel. Thus, it does not yet provide equal functionality with the 1.x branch of development. This chart compares the differences between each branch.

wiki.archlinux wrote:

Disabling
For kernels 5.1 and above remove tomoyo from the lsm= kernel parameter or remove lsm= entirely.  <- | x |
For kernels 3.2 to 5.0 change the kernel parameter security=tomoyo to security=none.

I'll try it out and report.

-------> I_don't_like_this.  8^|

If and when I want/need to install a Mandatory Access Control scheme for my rig's security, I'll just apt install the required modules and configure.
Why do I have to have the kernel looking to run something that is not there?

Thanks for your input.

Best,

A.

Last edited by Altoid (2021-05-16 22:32:17)

Offline

#4 2021-05-16 22:46:29

Altoid
Member
Registered: 2017-05-07
Posts: 850  

Re: Kernel upgrade: apparmor and tomoyo

Hello:

You were quite right, I stand corrected.

In spite of what wiki.archlinux says, adding security=none disables tomoyo as there are no entries for it in dmesg, kern.log or syslog.

Edit: security=none not only disables tomoyo, it also makes apparmor=0 unneccesary. 8^D

Thanks for the heads up.  8^)
Best,

A.

Last edited by Altoid (2021-05-16 22:56:00)

Offline

#5 2021-05-17 14:49:36

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: Kernel upgrade: apparmor and tomoyo

If not activated then this sort of config should be opt in even at the kernel level. Makes no sense to call it a security feature if it is not running as a security feature. Hope i got that right in my understanding?

Offline

#6 2021-05-17 15:51:26

Altoid
Member
Registered: 2017-05-07
Posts: 850  

Re: Kernel upgrade: apparmor and tomoyo

Hello:

dice wrote:

... this sort of config should be opt in even at the kernel level.

Exactly my point.

Altoid wrote:

If and when I want/need to install a Mandatory Access Control scheme for my rig's security, I'll just apt install the required modules and configure.

Altoid wrote:

Makes no sense to call it a security feature ...

I could not care less about what it is called.

It is being made part of the kernel just because some DH decided it should be.
Why? On the basis of what?

Next thing you know you'll have to set it up/configure if you want the kernel to work.
eg: no apparmor/tomoyo/SELinux? No WAN/LAN.

This has all the colourings of one of Poettering's diktats.
Like this other one:

https://dev1galaxy.org/viewtopic.php?id=4136

Bad, bad, bad ...

A.

Offline

#7 2021-05-17 17:53:29

Camtaf
Member
Registered: 2019-11-19
Posts: 101  

Re: Kernel upgrade: apparmor and tomoyo

Everything not needed to run a system should remain optional - we don't all run servers - if this is what it is meant for.

If the devs want to have a version for servers, that's fine by me, but please don't foist these things onto ordinary desktop users the likes of me, as I have no idea about them, & don't want them.

I just want a good working distro to do my daily tasks, thankyou. wink

Offline

#8 2021-05-17 18:30:18

Altoid
Member
Registered: 2017-05-07
Posts: 850  

Re: Kernel upgrade: apparmor and tomoyo

Hello:

Camtaf wrote:

Everything not needed to run a system should remain optional ...
... don't foist these things onto ordinary desktop users ...

Evidently that's not the vision of those who are in a position to run the Debian show and decide the hows, why's and whens.

Camtaf wrote:

... a good working distro to do my daily tasks ..

I'm glad to see we're more than one.

But I'm afraid the dice have already been rolled.
And the result was not in our favour.

Hence the very existence of Devuan.

Best,

A.

Offline

#9 2021-05-18 09:42:14

Camtaf
Member
Registered: 2019-11-19
Posts: 101  

Re: Kernel upgrade: apparmor and tomoyo

I went off Debian when they foisted systemd onto its users, I've been using a non systemd version/distro, but they have been adding too many things to the already full menu, which just makes it look tatty now.........

So here I am, back to Devuan, (I tried it a couple of times in the past), using the regular 'live' version installed to disk.

Seems to be working well, but haven't looked below the surface, so to speak, (& I'm not so sure I can be bothered messing with altering things on distros any more).

I just needed to find a decent replacement for my previous distro. smile

Last edited by Camtaf (2021-05-18 09:43:45)

Offline

Board footer