Why Apparmor is disabled in systemd's PKGBUILD?

Hi all,

5 or 6 months ago, while reading the contents of Manjaro’s PKGBUILD for systemd, I found that it had the following line in meson options:
-Dapparmor=false
I checked yesterday and I see it’s still there.
Could someone please explain why? I’m just curious.

PS: I tried to build it with true, installed it, everything seems to work fine.

$ systemctl --version
systemd 246 (246.6-1-manjaro)
+PAM +AUDIT -SELINUX -IMA +APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

Also Arch has this option enabled btw.

I reinstalled Manjaro yesterday, because of some problem, and I noticed it had:
apparmor=1 security=apparmor as kernel parameters in the bootloader.
So I think it is already in use through these kernel options…

> systemctl --version
systemd 246 (246.6-1-manjaro)
+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

No this is not correct. It is set to automatic, which means it will be enabled if the apparmor library is found and disabled if the library is not found. Since apparmor is not installed in the default Arch build environment it is automatically set to disabled.

I also think this is the reason it is disabled in Manjaro, because otherwise every Manjaro system would need apparmor installed. It would not be optional anymore.

Aha, now I see. I thought it was set to false due to some issues or whatnot. Thank you for your thoughts and for correcting me.

Hello there,

Shouldn’t SMACK be disabled as well if the purpose is to disable Linux Security Modules for systemd?

Why enable it if AppArmor is the default LSM in Manjaro?

Just wondering when reading this :slight_smile:

I hope this isn’t derailing here and it’s on topic.

Would the normal Manjaro user notice at all if apparmor was enabled, installed and set as kernel parameters if they didn’t make use of it?

No this is not the purpose of disabling apparmor.

Is it? Also there is no reason why you should only use/need one.

What’s the purpose to disable it?

And I thought major LSMs couldn’t be stacked? (aren’t compatible)

Excuse my ignorance on this subject, just learning along the way :smiley:

If it is enabled, a Manjaro system will not boot without the apparmor library.

It depends what you do. Smack does not require any libraries, it just needs to be enabled in the kernel. And even if it is not enabled in the kernel, systemd can be built with support for it.
Even if a feature is enabled, that does not mean it will be used. But if an enabled feature requires a third-party library, it needs to be available.

For example, a systemctl --version from a rhel8. And rhel can’t boot without selinux: it does not need to be enabled or used, but the library needs to be available. Also Smack is enabled.

$ systemctl --version
systemd 239
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy

Or Ubuntu, an even better example:

$ systemctl --version
systemd 245 (245.4-4ubuntu3)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

It is impossible to remove libselinux1 without damaging the system.

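The distinction made in the posts above (a feature compiled into systemd versus an LSM actually enabled by the kernel) can be checked on a running system. The script below is an added example, not code from the thread or from Manjaro: it parses the `+NAME`/`-NAME` tokens of `systemctl --version`, compares them with the kernel's active LSM list in `/sys/kernel/security/lsm`, and reports each LSM as usable, compiled-only, kernel-only or absent. The feature lines are the two Manjaro ones quoted in the thread; the kernel LSM list is a constructed sample.

```python
import re
import subprocess
from pathlib import Path

# systemd compile-time flags and the kernel LSM name each one corresponds to.
LSM_FEATURES = {"SELINUX": "selinux", "APPARMOR": "apparmor", "SMACK": "smack"}

# Feature lines quoted in the thread: the rebuilt package (+APPARMOR) and the stock one (-APPARMOR).
MANJARO_REBUILT = "+PAM +AUDIT -SELINUX -IMA +APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid"
MANJARO_STOCK = "+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid"
# Constructed sample of /sys/kernel/security/lsm for a kernel booted with apparmor=1 security=apparmor.
SAMPLE_KERNEL_LSM = "lockdown,capability,yama,apparmor"


def parse_systemd_features(version_output: str) -> dict:
    """Map each whitespace-delimited +NAME/-NAME token to True/False.

    The lookarounds keep '-1' in '246.6-1-manjaro' and '-hierarchy' in
    'default-hierarchy=hybrid' from being mistaken for feature flags."""
    tokens = re.findall(r"(?<!\S)([+-])([A-Z0-9_]+)(?!\S)", version_output)
    return {name: sign == "+" for sign, name in tokens}


def lsm_report(version_output: str, kernel_lsm_list: str) -> dict:
    """Compare systemd's compiled-in LSM support with the LSMs the kernel enabled."""
    built = parse_systemd_features(version_output)
    active = {x for x in kernel_lsm_list.strip().split(",") if x}
    report = {}
    for flag, lsm in LSM_FEATURES.items():
        compiled, enabled = built.get(flag, False), lsm in active
        if compiled and enabled:
            report[flag] = "usable"         # systemd can drive this LSM on this kernel
        elif compiled:
            report[flag] = "compiled-only"  # support is built in, kernel never enabled the LSM
        elif enabled:
            report[flag] = "kernel-only"    # LSM is active, but systemd was built without it
        else:
            report[flag] = "absent"
    return report


def local_report() -> dict:
    """Run against the live system: systemctl output plus /sys/kernel/security/lsm."""
    version = subprocess.run(["systemctl", "--version"], capture_output=True, text=True, check=True).stdout
    lsm_path = Path("/sys/kernel/security/lsm")
    active = lsm_path.read_text() if lsm_path.exists() else ""
    return lsm_report(version, active)


if __name__ == "__main__":
    for flag, status in local_report().items():
        print(f"{flag:<9} {status}")
```

On the stock Manjaro package this reports APPARMOR as kernel-only: the LSM is enforcing via the kernel parameters, but systemd itself cannot apply AppArmor profiles to units.
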
Waoh thanks! Clears up a lot! Was getting confused but now it makes sense :smiley: