
kernel-balena: Ensure apparmor support is not enabled by default #3099

Closed
wants to merge 1 commit into from

Conversation

acostach
Contributor

@acostach acostach commented Apr 7, 2023

Encountered apparmor being enabled on Kernel 5.10 but it likely happens on other versions too, if they set DEFAULT_SECURITY_APPARMOR=y when APPARMOR support is enabled by the BSP. For example the security Kconfig sets:

default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR

Let's ensure DEFAULT_SECURITY_APPARMOR is disabled regardless of the BSP defconfig settings.

Change-type: patch



@acostach acostach requested review from alexgg and lmbarros April 7, 2023 12:54
@flowzone-app flowzone-app bot enabled auto-merge April 7, 2023 12:54
Contributor

@lmbarros lmbarros left a comment


Looks reasonable to me, but I'll let Alex chime in 'cause he understands the implications of these changes much better than I do.

@mtoman
Contributor

mtoman commented Apr 7, 2023

lgtm

Kernel 5.10 at least and maybe other versions too set
DEFAULT_SECURITY_APPARMOR=y if APPARMOR support is enabled
by the BSP, example Kconfig:

   default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR

Let's ensure DEFAULT_SECURITY_APPARMOR is disabled regardless
of BSP defconfig.

Change-type: patch
Signed-off-by: Alexandru Costache <alexandru@balena.io>
@@ -176,7 +176,8 @@ BALENA_CONFIGS_DEPS[balena] ?= " \
CONFIG_NF_NAT_NEEDED=y \
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y \
CONFIG_NF_NAT_IPV4=y \
"
CONFIG_SECURITY_APPARMOR=n \
"
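Review bot: the added line `CONFIG_SECURITY_APPARMOR=n \` removes AppArmor support from the kernel build altogether, which does not match the commit message above it ("ensure DEFAULT_SECURITY_APPARMOR is disabled regardless of BSP defconfig"); either reword the commit message to say AppArmor is being dropped from the build, or change the fragment so it only affects the default-LSM choice (the review discussion mentions `CONFIG_DEFAULT_SECURITY_APPARMOR=n`), and add a comment in the fragment explaining why the setting is forced.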
Contributor


@acostach the problem with doing this is that we remove the possibility of using apparmor completely. I have opened a Zulip discussion to see if we can understand why CONFIG_DEFAULT_SECURITY_APPARMOR=n is not working here.
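As an added illustration of the Kconfig rule quoted in the PR description and of the objection raised above (example code, not from the PR or the meta-balena project): a small Python model that merges a constructed BSP defconfig with candidate config fragments and reports whether AppArmor is still built and which legacy major LSM ends up as the default. It assumes merge_config.sh-style last-value-wins merging, assumes Kconfig choice semantics in which setting a choice symbol to `n` does not select an alternative and therefore leaves the choice at its default, and assumes the other `CONFIG_DEFAULT_SECURITY_*` choice members from kernel 5.x `security/Kconfig`; none of these three points is stated in the thread.

```python
"""Model how the DEFAULT_SECURITY Kconfig choice resolves for a merged .config.

Added example, not code from the PR or the project.  It implements the rule
quoted in the PR description,
    default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
plus a DAC fallback, under the assumptions marked below.
"""
import re

# Members of the DEFAULT_SECURITY choice (assumed from kernel 5.x
# security/Kconfig; only the APPARMOR line is quoted in the thread).
DEFAULT_SECURITY_CHOICES = {
    "CONFIG_DEFAULT_SECURITY_SELINUX": "selinux",
    "CONFIG_DEFAULT_SECURITY_SMACK": "smack",
    "CONFIG_DEFAULT_SECURITY_TOMOYO": "tomoyo",
    "CONFIG_DEFAULT_SECURITY_APPARMOR": "apparmor",
    "CONFIG_DEFAULT_SECURITY_DAC": "dac",
}

_SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Parse .config / defconfig / fragment lines into {symbol: value}.

    'CONFIG_X=y' -> 'y'; 'CONFIG_X=n' and '# CONFIG_X is not set' -> 'n'.
    A trailing backslash (as in lines copied out of a bitbake variable
    such as BALENA_CONFIGS_DEPS) is tolerated and dropped.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            line = line[:-1].rstrip()
        m = _SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def merge_configs(*texts):
    """Merge fragments in order; a later fragment overrides an earlier one.

    Assumption: mirrors merge_config.sh's last-value-wins behaviour.
    """
    merged = {}
    for text in texts:
        merged.update(parse_config(text))
    return merged


def apparmor_built(cfg):
    """True when AppArmor is compiled into the kernel at all."""
    return cfg.get("CONFIG_SECURITY_APPARMOR") == "y"


def default_lsm(cfg):
    """Return the legacy major LSM that becomes the default, or 'none'."""
    if cfg.get("CONFIG_SECURITY") != "y":
        return "none"
    # An explicit 'y' on a choice member selects it.  A plain 'n' does not
    # select an alternative, so the choice stays at its default
    # (assumption about Kconfig choice semantics, not stated in the thread).
    for symbol, name in DEFAULT_SECURITY_CHOICES.items():
        if cfg.get(symbol) == "y":
            return name
    # The quoted rule: default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
    if apparmor_built(cfg):
        return "apparmor"
    return "dac"


def report(cfg):
    """Summary a reviewer would want: is AppArmor built, and is it default?"""
    return {"apparmor_built": apparmor_built(cfg), "default_lsm": default_lsm(cfg)}


# Constructed sample inputs (not taken from any real BSP defconfig).
BSP_DEFCONFIG = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
"""
# The PR's fragment line: drops AppArmor from the build entirely.
FRAGMENT_PR = "CONFIG_SECURITY_APPARMOR=n \\\n"
# The alternative mentioned in review: touches only the choice member.
FRAGMENT_DEFAULT_ONLY = "CONFIG_DEFAULT_SECURITY_APPARMOR=n\n"
# Selecting another choice member keeps AppArmor built but not default
# (CONFIG_DEFAULT_SECURITY_DAC assumed from kernel 5.x security/Kconfig).
FRAGMENT_DAC = "CONFIG_DEFAULT_SECURITY_DAC=y\n"

if __name__ == "__main__":
    for label, frags in [
        ("BSP defconfig only", ()),
        ("+ CONFIG_SECURITY_APPARMOR=n", (FRAGMENT_PR,)),
        ("+ CONFIG_DEFAULT_SECURITY_APPARMOR=n", (FRAGMENT_DEFAULT_ONLY,)),
        ("+ CONFIG_DEFAULT_SECURITY_DAC=y", (FRAGMENT_DAC,)),
    ]:
        print(f"{label:40s} {report(merge_configs(BSP_DEFCONFIG, *frags))}")
```

Under this model the BSP defconfig alone makes AppArmor the default (the situation the PR describes), the PR's fragment makes it unavailable entirely (the objection above), and `CONFIG_DEFAULT_SECURITY_APPARMOR=n` alone changes nothing because no other choice member is selected; the same check can be run against a real `.config` by passing its contents to `parse_config`.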

@acostach
Contributor Author

ack, closing this PR in this case

4 participants