AppArmor with BusyBox


aladyshev22@...
 

I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
I've tried to enable AppArmor functionality from the 'meta-security'
layer.

To achieve this I've added these strings to my local.conf file:
DISTRO_FEATURES_append = " apparmor"
IMAGE_INSTALL += "apparmor"

The AppArmor functionality was installed to my image, but
unfortunately I've come to this issue:

kernel: AppArmor: AppArmor initialized
kernel: AppArmor: AppArmor Filesystem Enabled
kernel: AppArmor: AppArmor sha1 policy hashing enabled
systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
-SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
-GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
-PCRE2 default-hierarchy=hybrid)
systemd[1]: Starting AppArmor initialization...
apparmor[113]: Starting AppArmor profiles
apparmor[128]: xargs: invalid option -- 'd'
apparmor[128]: BusyBox v1.33.0 (2021-04-01 10:05:19 UTC) multi-call binary.
apparmor[128]: Usage: xargs [OPTIONS] [PROG ARGS]
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
...
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[131]: /lib/apparmor/functions: line 76: echo: write error: Broken pipe
apparmor[138]: xargs: invalid option -- 'd'
apparmor[138]: BusyBox v1.33.0 (2021-04-01 10:05:19 UTC) multi-call binary.
apparmor[138]: Usage: xargs [OPTIONS] [PROG ARGS]
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
...
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[142]: /lib/apparmor/functions: line 92: echo: write error: Broken pipe
apparmor[113]: failed!
systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: apparmor.service: Failed with result 'exit-code'.
systemd[1]: Failed to start AppArmor initialization.
dbus-broker-launch[152]: AppArmor enabled, but not supported. Ignoring.


The way I see it, the problems start from this output:
xargs: invalid option -- 'd'

This error comes from the fact that `xargs` from `busybox` doesn't
have the `-d` option
(https://git.busybox.net/busybox/tree/findutils/xargs.c),
but this functionality is used in the file:
https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/recipes-mac/AppArmor/files/functions

Once I discovered it, I started to wonder if I'm doing everything correctly.
Is my issue a simple bug, or is AppArmor not supposed to be run in an
environment like mine?

Best regards,
Konstantin Aladyshev



Quentin Schulz
 

Hi Konstantin,

On Mon, Apr 26, 2021 at 01:45:30PM +0300, Konstantin Aladyshev wrote:
> I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
> I've tried to enable AppArmor functionality from the 'meta-security'
> layer.
>
> To achieve this I've added these strings to my local.conf file:
> DISTRO_FEATURES_append = " apparmor"
> IMAGE_INSTALL += "apparmor"
>
> The AppArmor functionality was installed to my image, but
> unfortunately I've come to this issue:
>
> kernel: AppArmor: AppArmor initialized
> kernel: AppArmor: AppArmor Filesystem Enabled
> kernel: AppArmor: AppArmor sha1 policy hashing enabled
> systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
> -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
> -GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
> -PCRE2 default-hierarchy=hybrid)
> systemd[1]: Starting AppArmor initialization...
> apparmor[113]: Starting AppArmor profiles
> apparmor[128]: xargs: invalid option -- 'd'

The Busybox implementation of xargs does not support specifying a delimiter.

I suggest you install the full-featured xargs, which is provided by
the findutils recipe.

You probably need to disable the xargs Busybox implementation, otherwise
there'll be a conflict (you'll know: Yocto won't create the image).

Cheers,
Quentin


Konstantin Aladyshev <aladyshev22@...>
 

I've added `IMAGE_INSTALL += "findutils"` to my `conf/local.conf`
file, and it seems like it was enough. There weren't any build
conflicts.

Should the AppArmor recipe be upgraded in some way to indicate that it
needs a full-featured findutils package instead of a busybox one?

Best regards,
Konstantin Aladyshev

On Mon, Apr 26, 2021 at 5:08 PM Quentin Schulz
<quentin.schulz@streamunlimited.com> wrote:

> Hi Konstantin,
>
> On Mon, Apr 26, 2021 at 01:45:30PM +0300, Konstantin Aladyshev wrote:
> > I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
> > I've tried to enable AppArmor functionality from the 'meta-security'
> > layer.
> >
> > To achieve this I've added these strings to my local.conf file:
> > DISTRO_FEATURES_append = " apparmor"
> > IMAGE_INSTALL += "apparmor"
> >
> > The AppArmor functionality was installed to my image, but
> > unfortunately I've come to this issue:
> >
> > kernel: AppArmor: AppArmor initialized
> > kernel: AppArmor: AppArmor Filesystem Enabled
> > kernel: AppArmor: AppArmor sha1 policy hashing enabled
> > systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
> > -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
> > -GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
> > -PCRE2 default-hierarchy=hybrid)
> > systemd[1]: Starting AppArmor initialization...
> > apparmor[113]: Starting AppArmor profiles
> > apparmor[128]: xargs: invalid option -- 'd'
>
> The Busybox implementation of xargs does not support specifying a delimiter.
>
> I suggest you install the full-featured xargs, which is provided by
> the findutils recipe.
>
> You probably need to disable the xargs Busybox implementation, otherwise
> there'll be a conflict (you'll know: Yocto won't create the image).
>
> Cheers,
> Quentin


Khem Raj
 



On Tue, Apr 27, 2021 at 3:34 PM Konstantin Aladyshev <aladyshev22@...> wrote:
> I've added `IMAGE_INSTALL += "findutils"` to my `conf/local.conf`
> file, and it seems like it was enough. There weren't any build
> conflicts.
>
> Should the AppArmor recipe be upgraded in some way to indicate that it
> needs a full-featured findutils package instead of a busybox one?

I think it will be useful to dig a bit further and find out what option
it needs from the findutils package; sometimes this can be solved by
using compatible options, etc.

If we find out that it has a hard dependency on findutils, then it should
be added to the apparmor recipe's RDEPENDS.



Best regards,
Konstantin Aladyshev

On Mon, Apr 26, 2021 at 5:08 PM Quentin Schulz
<quentin.schulz@...> wrote:
>
> Hi Konstantin,
>
> On Mon, Apr 26, 2021 at 01:45:30PM +0300, Konstantin Aladyshev wrote:
> > I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
> > I've tried to enable AppArmor functionality from the 'meta-security'
> > layer.
> >
> > To achieve this I've added these strings to my local.conf file:
> > DISTRO_FEATURES_append = " apparmor"
> > IMAGE_INSTALL += "apparmor"
> >
> > The AppArmor functionality was installed to my image, but
> > unfortunately I've come to this issue:
> >
> > kernel: AppArmor: AppArmor initialized
> > kernel: AppArmor: AppArmor Filesystem Enabled
> > kernel: AppArmor: AppArmor sha1 policy hashing enabled
> > systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
> > -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
> > -GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
> > -PCRE2 default-hierarchy=hybrid)
> > systemd[1]: Starting AppArmor initialization...
> > apparmor[113]: Starting AppArmor profiles
> > apparmor[128]: xargs: invalid option -- 'd'
>
> Busybox implementation of xargs does not support specifying a delimiter.
>
> I suggest you to install the full-featured xargs which is provided by
> the findutils recipe.
>
> You probably need to disable xargs Busybox implementation otherwise
> there'll be a conflict (you'll know, Yocto won't create the image).
>
> Cheers,
> Quentin




Armin Kuster
 

On 4/27/21 8:33 PM, Khem Raj wrote:
> On Tue, Apr 27, 2021 at 3:34 PM Konstantin Aladyshev
> <aladyshev22@gmail.com> wrote:
>
> > I've added `IMAGE_INSTALL += "findutils"` to my `conf/local.conf`
> > file, and it seems like it was enough. There weren't any build
> > conflicts.
> >
> > Should the AppArmor recipe be upgraded in some way to indicate that it
> > needs a full-featured findutils package instead of a busybox one?
>
> I think it will be useful to dig a bit further and find out what
> option it needs from the findutils package; sometimes this can be
> solved by using compatible options, etc.
>
> If we find out that it has a hard dependency on findutils, then it should
> be added to the apparmor recipe's RDEPENDS.

You are using systemd.

There is a comment regarding coreutils and findutils:

# Add coreutils and findutils only if sysvinit scripts are in use

Patches welcome.

- Armin





Best regards,
Konstantin Aladyshev

On Mon, Apr 26, 2021 at 5:08 PM Quentin Schulz
<quentin.schulz@streamunlimited.com> wrote:
>
> Hi Konstantin,
>
> On Mon, Apr 26, 2021 at 01:45:30PM +0300, Konstantin Aladyshev wrote:
> > I'm using the OpenBMC system (https://github.com/openbmc/openbmc) and
> > I've tried to enable AppArmor functionality from the 'meta-security'
> > layer.
> >
> > To achieve this I've added these strings to my local.conf file:
> > DISTRO_FEATURES_append = " apparmor"
> > IMAGE_INSTALL += "apparmor"
> >
> > The AppArmor functionality was installed to my image, but
> > unfortunately I've come to this issue:
> >
> > kernel: AppArmor: AppArmor initialized
> > kernel: AppArmor: AppArmor Filesystem Enabled
> > kernel: AppArmor: AppArmor sha1 policy hashing enabled
> > systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
> > -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP -GCRYPT
> > -GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN
> > -PCRE2 default-hierarchy=hybrid)
> > systemd[1]: Starting AppArmor initialization...
> > apparmor[113]: Starting AppArmor profiles
> > apparmor[128]: xargs: invalid option -- 'd'
>
> The Busybox implementation of xargs does not support specifying a delimiter.
>
> I suggest you install the full-featured xargs, which is provided by
> the findutils recipe.
>
> You probably need to disable the xargs Busybox implementation, otherwise
> there'll be a conflict (you'll know: Yocto won't create the image).
>
> Cheers,
> Quentin






Quentin Schulz
 

Hi Khem,

On Tue, Apr 27, 2021 at 08:33:08PM -0700, Khem Raj wrote:
> On Tue, Apr 27, 2021 at 3:34 PM Konstantin Aladyshev <aladyshev22@gmail.com>
> wrote:
>
> > I've added `IMAGE_INSTALL += "findutils"` to my `conf/local.conf`
> > file, and it seems like it was enough. There weren't any build
> > conflicts.
> >
> > Should the AppArmor recipe be upgraded in some way to indicate that it
> > needs a full-featured findutils package instead of a busybox one?
>
> I think it will be useful to dig a bit further and find out what option
> it needs from the findutils package; sometimes this can be solved by using
> compatible options, etc.

I'm not sure I really understand the question, but the -d option of xargs
is for specifying a delimiter different from the default space.

There is no support for such a thing in the Busybox implementation of
xargs. Usually the options for tools in Busybox are specified at the
beginning of the C file:
https://git.busybox.net/busybox/tree/findutils/xargs.c
Lines 17 to 71.

If one looks for the delimiter keyword in the file, nothing configurable is
available; it's either space or EOF that is matched.

I'm naive enough to think it might not be too hard to add this option to
the Busybox implementation.

Cheers,
Quentin
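Following Khem's suggestion to look for compatible options and Quentin's note that only the -d option is missing, here is an added example (not code from the meta-security functions file or from any poster) showing a BusyBox-compatible replacement for `xargs -d '\n'` and a small audit that flags that option in a script. It assumes the helper script feeds newline-separated profile paths to xargs, and that the BusyBox build includes xargs -0 support (enabled by default).

```shell
#!/bin/sh
# Added example, not part of the meta-security AppArmor recipe.
# Assumption: /lib/apparmor/functions pipes newline-separated profile
# paths into `xargs -d '\n'`; the exact command is not reproduced here.

# Return 0 if the installed xargs accepts -d (GNU findutils), non-zero
# if it does not (BusyBox). Usable as a guard inside an init script.
xargs_supports_delim() {
    printf 'probe\n' | xargs -d '\n' true >/dev/null 2>&1
}

# Portable replacement for `xargs -d '\n' CMD ARGS...`: turn the newline
# separators into NUL and use -0, which BusyBox xargs supports when built
# with its zero-terminated-input feature. Items may contain spaces; only
# a newline separates them. CMD runs once per item.
run_per_line() {
    tr '\n' '\0' | xargs -0 -n1 "$@"
}

# Print the lines of a shell script that pass -d/--delimiter to xargs, so
# a recipe can be checked for BusyBox-incompatible usage before it ships.
audit_xargs_delim() {
    grep -nE 'xargs[^|;&]*(-d|--delimiter)\b' "$1"
}

# Demo on constructed input: two profile paths, one containing a space.
printf '/etc/apparmor.d/usr.sbin.foo\n/etc/apparmor.d/my profile\n' \
    | run_per_line echo "would load:"
```

Running the audit against the functions file from the thread reports the two `xargs -d` call sites whose failure produced the "Broken pipe" noise in the log.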