[apparmor] How to test if apparmor is built in kernel
John Johansen
john.johansen at canonical.com
Thu Mar 10 17:26:32 UTC 2016
On 03/10/2016 07:10 AM, Jeroen Ooms wrote:
> What would be a good method for a configure script to test if the
> current kernel has apparmor support (even if apparmor is not actually
> installed or has been disabled at boot)?
>
> I would like the configure script to suggest on e.g. Debian that
> apparmor is supported (even though it might require modifying
> /etc/default/grub and/or installing libapparmor-dev) but on Fedora /
> CentOS it should silently build without apparmor.
>
Can you link against libapparmor?
It has a function that provides this information for you;
see man aa_is_enabled.
If you can't do that, the basics of it are: check for /sys/modules/apparmor.
If apparmor is built in, it will be there, even if it is disabled.
If it's there, then you can check for /sys/modules/apparmor/parameters/enabled,
and if that is set to Y then you can check for the securityfs mount and
the apparmor dir within it.
Again, if you can link to libapparmor there is a helper fn to find the mount
point;
see man aa_find_mountpoint.
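
The sysfs-based check described in the reply above, as an added shell example for a configure script (not code from the original message or from the AppArmor project). It reads the kernel's /sys/module/apparmor directory (singular "module") and finds securityfs through /proc/mounts. The function names, the state words and the optional ROOT prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: probe kernel AppArmor support without libapparmor.
# apparmor_state and apparmor_hint are hypothetical names; the optional ROOT
# argument (a directory prefix) exists only so the probe can be pointed at a
# constructed tree instead of the live system.

# Prints one state word:
#   unsupported  - no apparmor module directory (not built into this kernel)
#   disabled     - built in, but parameters/enabled is not "Y"
#   no-interface - enabled, but no apparmor dir under a securityfs mount
#   available    - enabled and the securityfs interface is present
apparmor_state() {
    aa_root="${1:-}"
    aa_mod="$aa_root/sys/module/apparmor"

    if [ ! -d "$aa_mod" ]; then
        echo unsupported
        return 0
    fi

    aa_enabled=$(cat "$aa_mod/parameters/enabled" 2>/dev/null) || aa_enabled=""
    if [ "$aa_enabled" != "Y" ]; then
        echo disabled
        return 0
    fi

    # Locate securityfs by filesystem type rather than assuming its mount point.
    aa_secfs=$(awk '$3 == "securityfs" { print $2; exit }' \
        "$aa_root/proc/mounts" 2>/dev/null) || aa_secfs=""
    if [ -n "$aa_secfs" ] && [ -d "$aa_root$aa_secfs/apparmor" ]; then
        echo available
    else
        echo no-interface
    fi
}

# Configure-time message: stay silent when the kernel lacks AppArmor,
# suggest enabling it when it is built in but off.
apparmor_hint() {
    case "$(apparmor_state "${1:-}")" in
        unsupported)  : ;;
        disabled)     echo "kernel supports AppArmor but it is disabled at boot" ;;
        no-interface) echo "AppArmor enabled but securityfs interface not found" ;;
        available)    echo "AppArmor available" ;;
    esac
}
```

Called with no argument, both functions inspect the running system; a configure script would branch on the word printed by apparmor_state.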