Topic: Tutorial: how to install AppArmor in Debian Stable.
Tutorial: Installing Apparmor in Debian Stable. Iye (July 2011).
If you don't know what Apparmor is, check http://wiki.apparmor.net/index.php/Main_Page
NOTE: In fact I'm running CrunchBang 10 "Statler" r20110207 up to date from the Debian Stable repos.
So probably this tutorial applies to all distros based on Debian Stable.
Apparmor packages are in Debian Sid repos, but if you try to install them from Debian Stable, you
will have to upgrade a s***load of packages, all of them from unstable. At the end of this tutorial
you will have AppArmor and only a few packages from Sid.
First, you will need a kernel that supports AppArmor. The Liquorix kernel supports
it but lacks some patches that for example, let you to block an app access to the network.
So if you want to use Liquorix, skip to step 11, if you want all the features
of Apparmor keep on reading.
So first you will need to compile the kernel with AppArmor support
01. Download latest kernel (version 2.6.39.3 at the time I wrote this.
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.3.tar.bz2Uncompress to "/usr/src/" . In my case I got "/usr/src/linux-2.6.36.3".
02. Download Apparmor patches from http://kernel.org/pub/linux/security/apparmor/
For the kernel I'm using, the file is apparmor-v2.6+v2.4-compat-for-2.6.39.tgz
It has 3 file inside, named "000*". Uncompress them in the "/usr/src/linux*" directory you got
when uncompressing the kernel sources.
Apply all 3 of them with
patch -p1 < 000x_NAME_OF_PATCH03. You will need to install the following packages to compile the kernel:
sudo apt-get install libncurses5-dev fakeroot kernel-package04. Many people have troubles compiling the kernel because of file permissions, so:
sudo chown -R YOUR_USERNAME /usr/src/linux-2.6.36.305. run
make menuconfig in "/usr/src/linux-2.6.36.3/"
Once in the menu, go to "SECURITY OPTIONS" and:
-check "Enable the securityfs filesystem"
-check "AppArmor Support"
-check "Enable the securityfs filesystem"
-check "Socket and Networking Security Hooks"
-check "Security hooks for pathname based access control"
-"Default Security Module" select "AppArmor"
-disable "NSA Selinux Support"
-Put "0" in "AppArmor boot parameter default value" (we will enable it via parameters in grub.cfg)
You can proceed now to tune the rest of the kernel options to your liking.
06. on "/usr/src/linux-2.6.36.3"
run make-kpkg clean(sudo not needed)
07. If all went fine now run:
sudo fakeroot make-kpkg --initrd --append-to-version=kernel-apparmor kernel-image kernel-headersIt will take hours to finish. Go watch a movie.
08. When the last command finishes, you will have in "/usr/src/" two .deb packages. Install them with
sudo dpkg -i KERNEL_PACKAGE_NAME.deb09. We will now add the parameter at boot to load AppArmor. "sudo nano /boot/grub/grub.cfg" and search for the line that loads the kernel you just installed. It looks like this:
linux /vmlinuz-2.6.39.3KERNEL_NAME_APPARMOR root=/dev/whatever ro quiet splash
Add at the end of this line append
apparmor=1
If didn't compile your kernel and have the Liquorix Kernel add
security=apparmor apparmor=1
to the line launching the Liquorix Kernel.
This ends with the kernel part. Now we will install the AppArmor packages that are in Debian Sid repos.
10. Add Sid repos to your sources list:
sudo nano /etc/apt/sources.listAdd this line:
deb http://ftp.de.debian.org/debian/ sid main
This is very important, if you try to install the package "apparmor-utils" now, apt-get will ask to update a lot of packages. All of them from Sid (unstable).
We will try to avoid that in order to stay as much possible in Debian Stable.
Do "sudo apt-get update"
11. Install AppArmor packages that don't require extra packages that f*ck your system.
sudo apt-get install apparmor apparmor-docs apparmor-profiles12. Backup preferences file:
sudo mv /etc/apt/preferences /etc/apt/preferences.bakEdit
sudo nano /etc/apt/preferences (restore original when you finish the tutorial) and add this:
####
Package: *
Pin: release n=statler
Pin-Priority: 1001
Package: *
Pin: release n=squeeze
Pin-Priority: 500
Package: *
Pin: release a=testing
Pin-Priority: 10
Package: *
Pin: release a=unstable
Pin-Priority: 10
####14. We will modify some packages so they don't require packages from stable. Don't worry, they will work without problems anyway.
Download the following .deb packages:
http://packages.debian.org/sid/libapparmor1
http://packages.debian.org/sid/libapparmor-perl
For the "libapparmor1" package, I got libapparmor1_2.6.1-4_i386.deb, I uncompressed it with "File roller" or "Midnight Commander" to
a directory. In the "DEBIAN/" directory there I edited the file named "control" and modified the
line that says "libc6 > (2.something)" change the number "2" for a "0".
Go to the parent directory of the directory that has "DEBIAN/". Rebuild the package:
dpkg-deb --build /libapparmor113. Do the same you did in step 14 to "libapparmor-perl" package. For this package replace the line in the control file that starts with "depends" with this and you will be fine
Depends: perl (>= 0.12.3-7), libapparmor1 (>= 2.6~devel), libc6 (>= 0.4)
14. Install those packages you edited, if you get a dependency error, go back an edit the control file.
To install
sudo dpkg -i package_name.deb15. Install the rest of the AppArmor packages.
sudo apt-get update
sudo apt-get install apparmor-utils apparmor-notifyOnly a few (10 or so) other packages will be installed. BEWARE that if there are a lot of packages to be updated probably there was a error following the instructions, don't update you system to unstable, it breaks lot of things.
16. Reboot with the Kernel with Apparmor support. If you run the Liquorix kernel you will receive
an error about the securityfs filesystem and you wont be able to see the profiles currently loaded.
That was long.
Hope you didn't have any troubles.
If you find any error in this guide post in this thread and I will correct it. Thanks.
iye