[kernel] add AppArmor by default

[philmmanjaro]

There was a suggestion to re-integrate AppArmor back into Manjaro. Followed config changes are needed:

 CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 CONFIG_AUDIT=y

These were the reasons why we had removed it:

Effectively, disabling them was done because tomoyo/selinux/apparmor/others aren't officially supported (the user space packages required are only available in the AUR, and a large amount of user configuration is necessary for them to be of any use anyway).

It was also done to get rid of CONFIG_AUDIT, which has a high cost. It's the source of a significant number of kernel vulnerabilities, fills the kernel log with nonsense by default and forces all system calls down the slow path by default which has a high performance cost.

[philmmanjaro]

AppArmor is still active in linux310 and linux312.

[curiosity-seeker]

I think the first reason is not very convincing. The proposed config changes are aimed to users who know what they are doing. They can easily install the AppArmor userspace tools from the AUR. Other users won't be affected.

Regarding the second reason: I found this article (from 2014 - I don't know if anything has changed since then). Aside from the fact that the audit code maintainer disagrees with the accusations mentioned in that article, it seems that those problems are mainly related to

CONFIG_AUDITSYSCALL=y

which is not necessary for AppArmor.

[philmmanjaro]

@udeved does including CONFIG_AUDIT=y makes any sense in regard of OpenRC?

[cooloutac]

High performance cost and multiple kernel vulnerabilities? What? So why doesn't debian based distros have this problem? Sounds a little far fetched.

[cooloutac]

ugh, I installed the linux-grsec and linux-grsec-headers packages from https://www.archlinux.org/packages/community/x86_64/linux-grsec/ It works as far as I can tell.

But the problem is when i try to install nvidia-grsec from aur so i can get the prop drivers working with it. I ran into so many issues. It kept saying that nvidia-utils 364.19 was not installed when it was. So i edited those lines too to not look for specific version. Since i already had right version installed, and what was weird is it would try to install 304xx utils. Which made no sense to me? Then i had to edit a line to reflect right extra modules kernel version. Then i started getting errors about wrong gcc plugin version so I had to uninstall gcc-multilib and install gcc6.1. Then it finally starting building but at the end once again complained again about unable to resovle nvidia-utils=364.19 a dependency of nvidia-grsec-dkms. But i have it installed!. So hit skip and it installed and said to reboot. But was unable to boot into x. No error just nothing i had to go to a tty.

So what the heck do I do there, how can I resolve that? How can I install this nvidia-grsec package so i can have nvidia prop drivers with grsec kernel for steam gaming. I don't know where to post about this, is it cause i'm on manjaro? I'm also disappointed to see even the linux-grsec kernel from arch doens't support apparmor. Thats so weird to me.

I might just go back to debian and just build my own kernel cause I dont' think I can handle this...its all too bizarre.

[philmmanjaro]

@cooloutac: It is not bizzare at all. Manjaro provides a different version as Archlinux. Here is the snippet of our nvidia extramodule PKGBUILD:

pkgver=364.19
pkgrel=2
epoch=1
provides=("$_pkgname=$pkgver")
groups=("$_linuxprefix-extramodules")
pkgdesc="NVIDIA drivers for linux."
depends=("$_linuxprefix" "nvidia-utils=${epoch}:${pkgver}")

In Manjaro we have an epoch. So you have to edit the nvidia-grsec-dkms package to check for nvidia-utils=1:364.19. linux-grsec disabled AUDIT for the same reasons as I've stated before. Sure, Debian has AUDIT enabled. For ConsoleKit2 however CONFIG_AUDITSYSCALL=y is also needed. Using audit in general might slow down your system. It all has a pro and con.

[cooloutac]

I meant bizarre that arch doesn't support apparmor. I have compiled arch kernel with apparmor support before, but I used menuconfig, and didn't have to do anything diff then I would on debian using mainline kernel. I never noticed any performance issue using it or not, but I never benchmarked gaming performance.

Regarding nvidia-grsec, I'll try again but there must be a line i'm not editing correctly. The patch on spenders site is outdated and I can't even find a link to download the matching driver from nvidia, so I was hoping the nvidia-grsec package would work for me. It would really suck not to have any extra security at all from the kernel on my manjaro system. I don't think I can bear that.