Apparmor on Raspberry Pi4 won't enable

Hi,
I’m trying to enable apparmor on Manjaro ARM on my Raspberry Pi4.

I installed the following packages:
sudo pacman -S grub efibootmgr os-prober

Then I edited this file:
/etc/default/grub

To add “apparmor=1 lsm=lockdown,yama,apparmor” to the GRUB_CMDLINE_LINUX_DEFAULT variable.
The result is:

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet apparmor=1 lsm=lockdown,yama,apparmor"
GRUB_CMDLINE_LINUX=""

Then I executed sudo update-grub and rebooted the Raspberry.
Once rebooted, apparmor still won’t enable:

$ aa-enabled 
No - disabled at boot.

$ aa-status 
apparmor module is loaded.
apparmor filesystem is not mounted.

$ sudo systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
     Active: inactive (dead)
  Condition: start condition failed at Mon 2022-06-27 00:32:08 CEST; 14min ago
             └─ ConditionSecurity=apparmor was not met

Jun 27 00:32:08 raspberry systemd[1]: Load AppArmor profiles was skipped because of a failed condition check (ConditionSecurity=apparmor).

What am I missing?

OS info:

$ uname -a
Linux raspberry 5.15.48-1-MANJARO-ARM-RPI #1 SMP PREEMPT Fri Jun 17 22:14:20 UTC 2022 aarch64 GNU/Linux

I see you have apparmor=1 in GRUB_CMDLINE_LINUX_DEFAULT=, but in the Gentoo wiki they also have security=apparmor. Looking at the error above, it seems to mention that not being set.

gentoo

Looking at the Arch wiki, the minimal modules are enabled in the kernel they suggested, but looking at the Gentoo wiki some more might be brought in; I have not done their procedure to see yet.

Are you even sure grub is being used? Your GRUB_CMDLINE_LINUX_DEFAULT= does not look right from what I remember booting with grub; I believe root= should be there. Basically the same as cmdline.txt with your additions, and if I remember right cmdline.txt should not be present. I believe it is using your cmdline.txt instead. You can tell by looking at /proc/cmdline after booting.

Have you tried adding your additions to cmdline.txt without grub? Also, audit=0 in cmdline.txt might cause issues, as audit is required by apparmor.

I have not messed with efi/grub for several months, as RPi broke it several kernels/firmwares back and I have never revisited it.


Ahhhhh waait, I didn’t know about cmdline.txt!

So I edited /boot/cmdline.txt adding “apparmor=1 lsm=lockdown,yama,apparmor” and now it's working!
Thank you for your help!

P.S. The usage of security=apparmor seems to be somewhat deprecated; the Arch documentation now sticks to the lsm flags.
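
The check suggested in the replies (compare what the kernel was actually booted with against the LSMs it activated), as an added example that is not part of the original posts. The function names and verdict strings are hypothetical, and it assumes securityfs is mounted at /sys/kernel/security.

```shell
#!/bin/sh
# Added diagnostic sketch: why is AppArmor "disabled at boot"?
# Function names and verdict strings are hypothetical.

# cmdline_value FILE KEY: print the last KEY=value found on the command line.
cmdline_value() {
    tr ' ' '\n' < "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# has_word LIST WORD: succeed if WORD is an element of comma-separated LIST.
has_word() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# audit_disabled FILE: succeed if audit=0 was passed (flagged in the replies).
audit_disabled() {
    [ "$(cmdline_value "$1" audit)" = 0 ]
}

# diagnose CMDLINE_FILE LSM_FILE: print a one-word verdict.
diagnose() {
    lsm_arg=$(cmdline_value "$1" lsm)
    active=$(cat "$2" 2>/dev/null || true)
    if has_word "$active" apparmor; then
        echo active
    elif [ -z "$lsm_arg" ] && [ "$(cmdline_value "$1" apparmor)" != 1 ]; then
        # The boot path in use never passed the options. In the thread the
        # edit went to /etc/default/grub while the Pi read /boot/cmdline.txt.
        echo params-missing
    elif ! has_word "$lsm_arg" apparmor; then
        # lsm= is absent or does not list apparmor.
        echo lsm-list-lacks-apparmor
    else
        # Options arrived but the kernel did not activate the module.
        echo requested-but-inactive
    fi
}

# Live use: check the running system.
if [ -r /proc/cmdline ]; then
    echo "verdict: $(diagnose /proc/cmdline /sys/kernel/security/lsm)"
    if audit_disabled /proc/cmdline; then
        echo "note: audit=0 is set on the kernel command line"
    fi
fi
```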

