How disable apparmor?

deepforest · 2022-10-30 20:49:17

Delete this symlinks not help, apparmor is still loading

/etc/rcS.d/S14apparmor
/etc/systemd/system/sysinit.target.wants/apparmor.service

Head_on_a_Stick · 2022-10-30 20:53:00

Follow the advice given in my wiki link, here it is again:

# mkdir -p /etc/default/grub.d
# tee /etc/default/grub.d/apparmor.cfg >/dev/null <<<'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' 
# update-grub
# reboot

To re-enable AppArmor delete /etc/default/grub.d/apparmor.cfg and run the last two commands again.

Last edited by Head_on_a_Stick (2022-10-30 20:53:18)

GlennW · 2022-10-30 21:16:02

Hi, I add this to grub, similar to HoaS advice above... if apparmor has been setup before...

security=none apparmor=0

All the best.

deepforest · 2022-10-30 21:46:21

issue, still loading with errors

root@devuan:/home/freeartist# dmesg | grep -i apparmor
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-6.0.0-2-amd64 root=UUID=b719b471-3b3a-4eda-8fd4-0e5406bf9906 ro quiet mitigations=off apparmor=0
[    0.048939] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-6.0.0-2-amd64 root=UUID=b719b471-3b3a-4eda-8fd4-0e5406bf9906 ro quiet mitigations=off apparmor=0
[    1.036333] evm: security.apparmor
root@devuan:/home/freeartist# service apparmor status
apparmor module is loaded.
apparmor filesystem is not mounted.
root@devuan:/home/freeartist#

/var/log/boot                                                                                                                                                   1109305/1084K              99%
Sun Oct 30 23:38:31 2022: Starting: AppArmorLoading AppArmor profiles - failed, Do you have the correct privileges? ... .[31mfailed!.[0m

Sun Oct 30 23:38:39 2022: startpar: service(s) returned failure: apparmor ... .[31mfailed!.[0m

Head_on_a_Stick · 2022-10-30 22:23:20

The kernel & user space components are separate so

# update-rc.d apparmor disable

But see the third answer here. This is a disadvantage of sysvinit compared to systemd.

deepforest · 2022-10-30 22:41:44

Thanks! So hard and complex)
No errors at booting now.
Buy why i still see this? apparmor module is loaded

root@devuan:/home/freeartist# service apparmor status
apparmor module is loaded.
apparmor filesystem is not mounted.
root@devuan:/home/freeartist#

Last edited by deepforest (2022-10-30 22:55:07)

ralph.ronnquist · 2022-10-30 22:44:29

This is a disadvantage of sysvinit compared to systemd

What do you mean with that kind of fud?
The "thrid answer" you allude to is just tiny-brain wiffle-woffle with not much relevance, and I'm pretty sure you know that.

Generally it's a stance in Debian that when you install a package that offers a service, then the installation includes deploying that service, so therefore apparmor is deployed when installed, and a user must un-deploy it; there is no difference depending on init systems here.

Head_on_a_Stick · 2022-10-31 06:21:30

If you had bothered to read my link then you would know that there is a difference:

systemctl mask apparmor.service

^ That disables the service and prevents it from ever being started again, even if another service calls it and even if dpkg tries to enable it (as it will do after apparmor is upgraded).

Please tell me how to make sysvinit do that. I am very curious.

delgado · 2022-10-31 09:19:43

What about

apt remove apparmor

Guarantied to work with every init system.

Altoid · 2022-10-31 15:52:09

Hello:

delgado wrote:

What about
apt remove apparmor

Yes.
But then you upgrade the kernel and there it is again.

At least that's what happens to me (Beowulf with backported kernel) when I upgrade the kernel.
Even though my kernel command line clearly says apparmor=0 (!)

What I always do is purge apparmor after the upgrade and before rebooting and make sure the kernel comand line has not been edited.

[root@devuan ~]# apt purge apparmor

If it is now a module, one sure way is to blacklist it.

Check if you have some other stuff called tomoyo, another gift from the Debian devs.
You have to add security=none to the kernel command line to avoid that one.

See these two three posts:

https://dev1galaxy.org/viewtopic.php?id=2630
https://dev1galaxy.org/viewtopic.php?id=4329
https://dev1galaxy.org/viewtopic.php?id=4750

Best,

A.

Last edited by Altoid (2022-11-01 16:14:44)

aluma · 2022-10-31 19:06:45

Installed by exegnu64_chimaera-20220306, apparmor was not installed initially.
Updated kernel to 5.19, apparmor not installed.

And second, but it's up to you, I disabled rsyslog. From experience, it is needed in order to troubleshoot, and with a normally working system for years, I did not look into it. And the ssd drive will be more whole. It will take, you can always turn it on.

ralph.ronnquist · 2022-10-31 20:15:27

@Head_on_a_Stick, when you get your systemd pants on you really get fanboi tedious; taking any odd behaviour from the systemd bug collective and cast it as an advantage over something else with sysvinit. Now you seem to want to claim that overriding a service definition is the same as disabling a service?

Yes, sysvinit does not have overriding, and I can see how you might use that to override the service definition in a way that ends up not starting the daemon. Obviously this would compete with any prior overriding, but presumably overriding is actually quite unusual to use for any other purpose? (Otherwise I'd expect someone would have revised the rc script to include it)

I suppose a sysvinit way to achieve a similar override could be to add a premature exit into the startup script. Doing so would likely have the effect (advantage?) that the package installation system would query about that change upon upgrade, and you would then again automatically reconsider whether or not that "override" remains appropriate.

Clearly neither systemd nor sysvinit have a way to block package installation from installing into the boot sequence. I think this is more a result of the Debian principle to deploy services when installing them.

In any case, I'd agree that apt-get purge apparmor is best here, and that it also seems to need a security=none setting (or similar) on the boot command line to make the kernel bypass apparmor kernel code.

deepforest · 2022-10-31 21:17:43

so, solution here is remove apparmor?

Devarch · 2022-10-31 21:40:22

What is wrong with apparmor?

Matlib · 2022-10-31 22:23:35

Nothing. If you don't use it though it is safe to remove it.

Apparmor is on linux-image's recommended list, and that's why it may get selected automatically whenever a new kernel appears.

Altoid · 2022-10-31 22:59:57

Hello:

deepforest wrote:

so, solution here is remove apparmor?

Devarch wrote:

What is wrong with apparmor?

Please take a few minutes and read the thread and the content of the links posted.

As I see it, both questions have already been answered.
As always, YMMV.

Best,

A.

GlennW · 2022-10-31 23:17:44

Apparmor may offer sand-boxing for programs but it has cost me performance.

Slow boot times, slow shutdowns, and very slow program launches.

Devarch · 2022-11-01 01:05:26

GlennW wrote:

Apparmor may offer sand-boxing for programs but it has cost me performance.
Slow boot times, slow shutdowns, and very slow program launches.

Thanks. May be I should get rid of it too. Nothing is slow, but speed is a matter

deepforest · 2022-11-01 02:49:20

Thank to all for suggestions and replys! Its all bit hard for understanding for not expirenced linuxoids. I need time to think:)

so, is it safe to purge appamor, look for system responce and performance, and bring apparmor back if it will be needed?

Last edited by deepforest (2022-11-01 02:58:49)

Head_on_a_Stick · 2022-11-01 06:28:08

ralph.ronnquist wrote:

Clearly neither systemd nor sysvinit have a way to block package installation from installing into the boot sequence

Guess again: https://dev1galaxy.org/viewtopic.php?pid=32768#p32768

See also https://freedesktop.org/wiki/Software/systemd/Preset/.

ralph.ronnquist · 2022-11-01 06:56:29

Hah! I'm clearly full of wrong! Not only that, but there is also the possible overrides of insserv that can be used an misused in all sorts of ways.

Evenson · 2022-11-01 13:55:59

ralph.ronnquist wrote:

In any case, I'd agree that apt-get purge apparmor is best here, and that it also seems to need a security=none setting (or similar) on the boot command line to make the kernel bypass apparmor kernel code.

Is it really needed to have boot command security=none ?
Ive purged apparmor, was not aware of this extra step.

Altoid · 2022-11-01 16:13:38

Hello:

Evenson wrote:

Is it really needed to have boot command security=none ?
... was not aware of this extra step.

You would be if you had taken the time to read the whole thread. 8^D

Altoid wrote:

Check if you have some other stuff called tomoyo, another gift from the Debian devs.
You have to add security=none to the kernel command line to avoid that one.

Best,

A.

Last edited by Altoid (2022-11-01 16:16:22)

GlennW · 2022-11-01 23:58:10

Evenson wrote:
Is it really needed to have boot command security=none ?
... was not aware of this extra step.

the security module could be apparmor, selinux, ...

ref. https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html

"Examples include SELinux, Smack, Tomoyo, and AppArmor."

so, security= , requires none.

Evenson · 2022-11-02 15:20:59

GlennW wrote:

Evenson wrote:
Is it really needed to have boot command security=none ?
... was not aware of this extra step.
the security module could be apparmor, selinux, ...
ref. https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html
"Examples include SELinux, Smack, Tomoyo, and AppArmor."
so, security= , requires none.

Thanks, i read up on this today from the link you posted. Ive no need for any of these except yama via sysctl.
kernel.yama.ptrace_scope=2
So if i use security=none it should only be for SELinux, Smack, Tomoyo, and AppArmor ?

The officially official Devuan Forum!

#1 2022-10-30 20:49:17

How disable apparmor?

#2 2022-10-30 20:53:00

Re: How disable apparmor?

#3 2022-10-30 21:16:02

Re: How disable apparmor?

#4 2022-10-30 21:46:21

Re: How disable apparmor?

#5 2022-10-30 22:23:20

Re: How disable apparmor?

#6 2022-10-30 22:41:44

Re: How disable apparmor?

#7 2022-10-30 22:44:29

Re: How disable apparmor?

#8 2022-10-31 06:21:30

Re: How disable apparmor?

#9 2022-10-31 09:19:43

Re: How disable apparmor?

#10 2022-10-31 15:52:09

Re: How disable apparmor?

#11 2022-10-31 19:06:45

Re: How disable apparmor?

#12 2022-10-31 20:15:27

Re: How disable apparmor?

#13 2022-10-31 21:17:43

Re: How disable apparmor?

#14 2022-10-31 21:40:22

Re: How disable apparmor?

#15 2022-10-31 22:23:35

Re: How disable apparmor?

#16 2022-10-31 22:59:57

Re: How disable apparmor?

#17 2022-10-31 23:17:44

Re: How disable apparmor?

#18 2022-11-01 01:05:26

Re: How disable apparmor?

#19 2022-11-01 02:49:20

Re: How disable apparmor?

#20 2022-11-01 06:28:08

Re: How disable apparmor?

#21 2022-11-01 06:56:29

Re: How disable apparmor?

#22 2022-11-01 13:55:59

Re: How disable apparmor?

#23 2022-11-01 16:13:38

Re: How disable apparmor?

#24 2022-11-01 23:58:10

Re: How disable apparmor?

#25 2022-11-02 15:20:59

Re: How disable apparmor?

Board footer