Armbian: Enable AppArmor

30 January 2019

ARM, Debian, Informática, Linux, Open-Source, Single Board Computer

AppArmor allows you to restrict programs’ capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. For most use cases an SBC doesn’t need this kind of advanced security feature, however I’m sure some people would appreciate it.

First things first, we need to know if your Armbian kernel was actually built with support for AppArmor:

root@nanopineo2:~# grep APPARMOR /boot/config-*
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set

Note the second line CONFIG_SECURITY_APPARMOR=y, this means that in most cases you will be able to use AppArmor. Proceed to install AppArmor with:

apt install apparmor

Now we need to tell the system to start with AppArmor. The kernel config above has CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0 and does not set AppArmor as the default security module, so both apparmor=1 and security=apparmor have to be passed on the kernel command line. Since this is an Armbian system that runs on U-Boot we should change boot options at /boot/armbianEnv.txt:

echo "extraargs=apparmor=1 security=apparmor" >> /boot/armbianEnv.txt
update-initramfs -u
reboot
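The two steps above (checking the kernel config, then adding the boot arguments) as an added shell example, not code from the original post. It assumes the key=value line format of /boot/armbianEnv.txt and that the tokens contain no sed-special characters; the function names ensure_extraargs and kernel_has_apparmor are my own. Unlike a plain echo >> append, it merges the tokens into an existing extraargs= line instead of adding a second one, and it is safe to run more than once.

```shell
#!/bin/sh
# Added example (not from the original post): merge AppArmor boot arguments
# into an Armbian U-Boot environment file without duplicating extraargs=.
# Assumes the file consists of key=value lines, as /boot/armbianEnv.txt does,
# and that tokens are plain key=value words without '|' or newlines.

# kernel_has_apparmor CONFIGFILE
# Returns 0 when the kernel config (e.g. /boot/config-*) has AppArmor built in.
kernel_has_apparmor() {
    grep -q '^CONFIG_SECURITY_APPARMOR=y$' "$1"
}

# ensure_extraargs FILE TOKEN...
# Adds each TOKEN to the extraargs= line of FILE, creating the line if it is
# missing and skipping tokens that are already present (idempotent).
ensure_extraargs() {
    file=$1
    shift
    # Current value of extraargs= (last occurrence wins if there are several).
    current=$(sed -n 's/^extraargs=//p' "$file" | tail -n 1)
    new=$current
    for tok in "$@"; do
        case " $new " in
            *" $tok "*) ;;                      # token already present
            *)
                if [ -n "$new" ]; then
                    new="$new $tok"
                else
                    new=$tok
                fi
                ;;
        esac
    done
    if grep -q '^extraargs=' "$file"; then
        # Rewrite the existing line in place; cat > "$file" keeps the inode
        # and permissions of the original file.
        tmpf=$(mktemp)
        sed "s|^extraargs=.*|extraargs=$new|" "$file" > "$tmpf" \
            && cat "$tmpf" > "$file"
        rm -f "$tmpf"
    else
        printf 'extraargs=%s\n' "$new" >> "$file"
    fi
}

# Usage on the board (as root), equivalent to the manual steps in the post:
#   kernel_has_apparmor /boot/config-"$(uname -r)" || echo "kernel lacks AppArmor"
#   ensure_extraargs /boot/armbianEnv.txt apparmor=1 security=apparmor
#   update-initramfs -u && reboot
```

After the reboot, aa-status should report that the apparmor module is loaded; if it still says AppArmor is not enabled, check /proc/cmdline to confirm that both arguments actually reached the kernel.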

After the system reboots, check AppArmor’s status with:

systemctl status apparmor.service
aa-status

Now enjoy AppArmor in your Armbian SBC. If you are new to AppArmor I suggest you read this tutorial.

Note: I’ve noticed that this might fail on some SBCs/CPUs when using the Ubuntu (bionic) kernel, however it always works in Debian (stretch).