[apparmor] Yocto apparmor porting

John Johansen john.johansen at canonical.com
Wed Nov 4 21:32:19 UTC 2015


On 11/03/2015 05:18 PM, Jae Suk Park wrote:
> Thanks for replying :)
> 
> Regarding the No. 2 issue (Python module apparmor.tools error), I guess the README file in the AppArmor source package needs amendments.
> I followed this procedure, but it resulted in "ImportError: No module named apparmor.tools":
> 
> libapparmor:
> $ cd ./libraries/libapparmor
> $ sh ./autogen.sh
> $ sh ./configure --prefix=/usr --with-perl 
> $ make
> $ make install
> 
> Utilities:
> $ cd utils
> $ make
> $ make install
> 
Which version of apparmor? The more recent versions specify:
$ cd ./libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python # see below
$ make
$ make check
$ make install

and mention --with-ruby if you desire that as well.

> ubuntu 14.04]$ sudo aa-complain
> Traceback (most recent call last):
>   File "/usr/sbin/aa-complain", line 17, in <module>
>     import apparmor.tools
> ImportError: No module named apparmor.tools
> 
> I tried 2 ways to install apparmor (the apt-get case and the 'make install' case).
> For the apt-get case, I found apparmor-python related .deb packages in /var/cache/apt/archives
> and found the python modules are installed in /usr/lib/python3/dist-packages/apparmor/tools.py
> 
>     apparmor-profiles_2.8.95~2430-ubuntu5.3_all.deb
>     apparmor-utils_2.8.95~2430-0ubuntu5.1_i386.deb
>     python3-apparmor_2.8.95~2430-0ubuntu5.1_i386.deb
>     python3-libapparmor_2.8.95~2430-0ubuntu5.1_i386.deb
> 
>     $ dpkg --contents python3-apparmor_2.8.95~2430-0ubuntu5.1_i386.deb
>     ./usr/lib/python3/dist-packages/
>     ./usr/lib/python3/dist-packages/apparmor/logparser.py
> 
>     $ dpkg --contents python3-libapparmor_2.8.95~2430-0ubuntu5.1_i386.deb 
>     ./usr/lib/python3/dist-packages/LibAppArmor-2.8.95.egg-info
>     ./usr/lib/python3/dist-packages/LibAppArmor/
> 
> 
> 
> For the 'make install' case: /usr/lib/python2.7/site-packages/apparmor/tools.py
> This seems to be the cause of "Import Error: No module named apparmor.tools".
> When I copied it manually to /usr/lib/python2.7/dist-packages/apparmor/tools.py, it worked ok.
> Apparmor/utils/python-tools-setup.py imports distutils.command.install.py and it copies to the relevant paths.
> So the README file in the apparmor source package needs a newer version.
> 
> 
> 2015-11-02 22:58 GMT+09:00 John Johansen <john.johansen at canonical.com>:
> 
>     On 10/31/2015 12:52 AM, Jae Suk Park wrote:
>     > Is there any guide regarding 'Apparmor porting to embedded linux', like the yocto project?
>     >
>     > I tried these procedures, but there seem to be plenty of things remaining.
>     >
>     > 1. install apparmor with apt-get in ubuntu.
>     >
>     > 2. install apparmor from source code after compiling and 'make install' in ubuntu. (This requires python2.7 module 'apparmor.tools', which is an impossible mission to solve)
>     >
>     The core library is C, with the compiler in C/C++. This is the minimum set you will need to be able to load policy.
> 
>     Many of the userspace tools are written in python; there are still a few utils/scripts written in perl. None of these are required, but they are nice to have.
> 
>     Python 2 should not be required, but is, I think, still supported by the tools. I know we have been looking at/discussing when we can drop python 2 support and just support python 3.
> 
>     > Yocto porting needs many manual procedures.
> 
>     > 3. kernel config for LSM and enable apparmor module.
>     >
>     config wise, I would recommend the defaults in the apparmor config. It is what ubuntu, suse, ... use.
> 
>     In addition you will need to ensure the lsm and networking are enabled, and set the default security module to apparmor.
> 
>     Ubuntu uses the dev branch of apparmor, which has not been upstreamed yet. It provides more features, and has a different set of bugs, but it does have a set of backport kernels and patches that provide device support back to the 3.4 kernel. There are some patches back to 3.0, but they have not been updated/revised or tested since Ubuntu dropped support of the Maguro nexus device.
> 
>     > 4. writing bb file ( config, compile, install to various paths, )
>     >
>     I have never done this
> 
>     > 5. install to various directory manually.
>     > /etc/apparmor
>     > /etc/apparmor.d
>     these are the default policy, and config file dirs
> 
>     they are not needed at first, but you will want at least /etc/apparmor/ and to set some config options if you want policy to load on boot
> 
>     > /usr/lib/python2.7/site-packages/apparmor
>     > /usr/lib/python2.7/site-packages/LibAppArmor
>     these are needed by the utils
> 
>     > /lib/apparmor/functions
>     these are for the boot scripts, you don't need them for early bring up, and may not need them at all on systemd (I'm not sure how far along the systemd support is here, the goal being to remove their need completely).
> 
>     >
>     > I met many obstacles during each procedure.
>     >
>     Again at a minimum you will need the parser (policy compiler) and the library. This is a smaller target, and is what I would start with for userspace.
> 
>     > Is there anybody who would share your experience?
>     >
>     I haven't done anything with yocto, but it should be fairly similar to porting to any other platform/packaging format.
> 
>     You need to get the various pieces to build, and choose where to install them. You can drop and skip pieces as needed, and come back to them later as you have time/understand the packaging and layout of the system. Start out small, just get the kernel to build and boot, the defaults for apparmor don't require a policy be loaded, or just get the library to build and install, then the parser.
> 
>     There are a lot of little bits and pieces, if you try to tackle them all at once you will get overwhelmed. Hopefully it will be easier if you focus on smaller chunks.
> 
> 
> 
> 
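
An added example, not part of the original message and not AppArmor project code: a check of a kernel .config for what the quoted reply asks of step 3 (LSM and networking enabled, AppArmor set as the default security module). The option names are the Kconfig symbols used by kernels of the thread's era (2015), and the sample config is constructed; both are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a kernel .config before building an AppArmor image.
# Assumption: 2015-era Kconfig symbol names. CONFIG_NET and CONFIG_SECURITY
# are dependencies of CONFIG_SECURITY_APPARMOR; the others are selected by it.
REQUIRED="CONFIG_NET CONFIG_SECURITY CONFIG_SECURITY_APPARMOR \
CONFIG_SECURITYFS CONFIG_SECURITY_PATH CONFIG_SECURITY_NETWORK CONFIG_AUDIT"

# check_apparmor_config FILE
# Prints one line per problem; returns 0 only when none were found.
check_apparmor_config() {
    cfg=$1
    problems=0
    for opt in $REQUIRED; do
        # "=m" or "# ... is not set" both fail: an LSM cannot be a module.
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "not built in: $opt"
            problems=$((problems + 1))
        fi
    done
    # Building AppArmor in is not enough; it must be the default LSM.
    if ! grep -q '^CONFIG_DEFAULT_SECURITY="apparmor"$' "$cfg"; then
        echo 'default LSM is not apparmor (CONFIG_DEFAULT_SECURITY)'
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: AppArmor compiled in, another LSM left as the default.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NET=y
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY="selinux"
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
check_apparmor_config "$sample" || echo "=> fix the kernel config first"
rm -f "$sample"
```

On a booted target, `/sys/module/apparmor/parameters/enabled` reading `Y` confirms the same thing at runtime.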



