Re: AppArmor with BusyBox


Armin Kuster
 

On 4/27/21 8:33 PM, Khem Raj wrote:


On Tue, Apr 27, 2021 at 3:34 PM Konstantin Aladyshev
<aladyshev22@gmail.com> wrote:

I've added `IMAGE_INSTALL += "findutils"` to my `conf/local.conf`
file, and it seems like it was enough. There weren't any build
conflicts.

Should the AppArmor recipe be upgraded in some way to indicate that it
needs a full-featured findutils package instead of a busybox one?


I think it will be useful to dig a bit further and find out what
option it needs from the findutils package; sometimes this could be
solved by using compatible options, etc.

If we find out that it has a hard dependency on findutils, then it should
be added to the apparmor recipe's RDEPENDS.

You are using systemd.

There is a comment regarding coreutils and findutils:

# Add coreutils and findutils only if sysvinit scripts are in use

Patches welcome.

- Armin





Best regards,
Konstantin Aladyshev

On Mon, Apr 26, 2021 at 5:08 PM Quentin Schulz
<quentin.schulz@streamunlimited.com> wrote:
>
> Hi Konstantin,
>
> On Mon, Apr 26, 2021 at 01:45:30PM +0300, Konstantin Aladyshev wrote:
> > I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
> > I've tried to enable AppArmor functionality from the 'meta-security'
> > layer.
> >
> > To achieve this I've added these strings to my local.conf file:
> > DISTRO_FEATURES_append = " apparmor"
> > IMAGE_INSTALL += "apparmor"
> >
> > The AppArmor functionality was installed to my image, but
> > unfortunately I've come to this issue:
> >
> > kernel: AppArmor: AppArmor initialized
> > kernel: AppArmor: AppArmor Filesystem Enabled
> > kernel: AppArmor: AppArmor sha1 policy hashing enabled
> > systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
> > -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
> > -GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
> > -PCRE2 default-hierarchy=hybrid)
> > systemd[1]: Starting AppArmor initialization...
> > apparmor[113]: Starting AppArmor profiles
> > apparmor[128]: xargs: invalid option -- 'd'
>
> Busybox implementation of xargs does not support specifying a delimiter.
>
> I suggest you install the full-featured xargs which is provided by
> the findutils recipe.
>
> You probably need to disable xargs Busybox implementation otherwise
> there'll be a conflict (you'll know, Yocto won't create the image).
>
> Cheers,
> Quentin
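
The failure discussed in this thread (BusyBox `xargs` rejecting `-d`) and the "compatible options" suggestion can both be checked from a script. The following is an added example, not code from the AppArmor init scripts or the meta-security layer; the function names are hypothetical, and the fallback assumes the installed `xargs` has `-0` support enabled.

```shell
#!/bin/sh
# Added example: probe an xargs implementation for -d and fall back to -0.
# Function names are illustrative, not taken from the AppArmor scripts.

# xargs_supports_delim XARGS
# Returns 0 only if XARGS accepts "-d '\n'" and keeps a line containing a
# space as a single argument (the probe line "a b" must come back intact).
xargs_supports_delim() {
    out=$(printf 'a b\n' | "$1" -d '\n' -n 1 echo 2>/dev/null) || return 1
    [ "$out" = "a b" ]
}

# xargs_per_line XARGS COMMAND [ARGS...]
# Passes each line of stdin to COMMAND as one argument, so names containing
# spaces are not split. Uses -d when available; otherwise converts newlines
# to NUL bytes and uses -0 (assumption: -0 is enabled in the BusyBox build).
xargs_per_line() {
    xa=$1
    shift
    if xargs_supports_delim "$xa"; then
        "$xa" -d '\n' "$@"
    else
        tr '\n' '\0' | "$xa" -0 "$@"
    fi
}

# Usage:
#   xargs_supports_delim xargs || echo "xargs lacks -d (BusyBox applet?)" >&2
#   printf '%s\n' "profile one" "profile two" | xargs_per_line xargs ls -ld --
```

Running the probe on the target image before enabling the service shows whether the full findutils `xargs` is needed or whether the `-0` form is enough.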




