Package Details: linux-hardened-apparmor-docs 4.15.17.a-1

Git Clone URL: https://aur.archlinux.org/linux-hardened-apparmor.git (read-only)
Package Base: linux-hardened-apparmor
Description: Kernel hackers manual - HTML documentation that comes with the Linux-hardened-apparmor kernel
Upstream URL: https://github.com/copperhead/linux-hardened
Keywords: Apparmor Audit Grsec Kernel linux-hardened Security
Licenses: GPL2
Replaces: linux-grsec
Submitter: IrvineHimself
Maintainer: IrvineHimself
Last Packager: IrvineHimself
Votes: 2
Popularity: 0.336628
First Submitted: 2017-10-29 18:38
Last Updated: 2018-04-17 01:12

Pinned Comments

IrvineHimself commented on 2017-10-29 18:43

This is a clone of the official “linux-hardened” package with both “apparmor” and “audit” enabled. In addition to the "linux-hardened-apparmor" package, it also creates the associated "headers" and "docs" packages. For information only, I’ve pasted the difference between this (apparmor-enabled) "config.x86_64" and the official “linux-hardened” "config.x86_64" below.

You can reference the official package build files at https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/linux-hardened

Note: When running "namcap PKGBUILD", the warnings and suggested errors were inherited from the official linux-hardened PKGBUILD. I.e., they are false positives.

Some tips:

1) Compilation can take a "very" long time... As pointed out by @anthraxx, this can be sped up by setting the MAKEFLAGS option in /etc/makepkg.conf. For example, for an Intel I7 processor, use: MAKEFLAGS="-j4"

2) For minor releases, you can conserve your data usage by copy/pasting the kernel source from a previous build into your build folder. I.e. for the release cycle at the time of writing, that would be “linux-4.13.tar.xz”

3) If you are not actively writing profiles and "audit spam" is a problem, you can edit your boot loader to set the audit kernel parameter to "audit=0". See: https://wiki.archlinux.org/index.php/Kernel_parameters

4) Similarly, by editing the boot loader, it is possible to switch the default security between "selinux" and "apparmor". See the respective wiki pages: https://wiki.archlinux.org/index.php/Apparmor#Installation https://wiki.archlinux.org/index.php/Selinux#Changing_boot_loader_configuration Untested, but I believe the correct kernel parameters to enable selinux would be: "apparmor=0 security=selinux selinux=1". Note: To restore apparmor as the default security, you would simply delete those kernel parameters.

In the future, barring accidents or illness, I will probably be about 12 hours behind updates to the official "linux-hardened" package. Let me know if there are any problems or improvements I can make to the PKGBUILD.

All the best, Irvine

# Difference between "config.x86_64" for the “linux-hardened” and “linux-hardened-apparmor” packages:

56c56
< CONFIG_LOCALVERSION="-hardened-apparmor"
---
> CONFIG_LOCALVERSION="-hardened"
659c659
< CONFIG_CMDLINE="audit=1"
---
> CONFIG_CMDLINE="audit=0"
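Review bot: the fact that CONFIG_CMDLINE appears in both files at all means CONFIG_CMDLINE_BOOL=y is already set, so this hunk bakes audit=1 into the kernel image rather than relying on the boot loader. On x86 the boot loader's line is appended after the built-in one unless CONFIG_CMDLINE_OVERRIDE=y (not in this hunk), and the last audit= occurrence wins, which is why tip 3's audit=0 still takes effect. The pinned comment should state that dependency, since anyone who turns on CONFIG_CMDLINE_OVERRIDE loses the ability to silence auditing from the boot loader.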
7810,7814c7810
< CONFIG_SECURITY_APPARMOR=y
< CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
< CONFIG_SECURITY_APPARMOR_HASH=y
< CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
< # CONFIG_SECURITY_APPARMOR_DEBUG is not set
---
> # CONFIG_SECURITY_APPARMOR is not set
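Review bot: this hunk enables more than the LSM itself and the comment does not say why. CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 turns AppArmor on at boot unless apparmor=0 is passed (the basis for tip 4), and CONFIG_SECURITY_APPARMOR_HASH with _HASH_DEFAULT makes the kernel expose a SHA-1 of each loaded profile through securityfs, which is what lets an administrator check that the policy in the kernel matches the one on disk. A line explaining the hash options would stop readers comparing against a minimal config from dropping them as unnecessary.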
7823,7825c7819,7820
< CONFIG_DEFAULT_SECURITY_APPARMOR=y
< # CONFIG_DEFAULT_SECURITY_DAC is not set
< CONFIG_DEFAULT_SECURITY="apparmor"
---
> CONFIG_DEFAULT_SECURITY_DAC=y
> CONFIG_DEFAULT_SECURITY=""
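Review bot: CONFIG_DEFAULT_SECURITY="apparmor" only sets the default major LSM; nothing in the diff touches CONFIG_SECURITY_SELINUX, so tip 4's "security=selinux selinux=1" depends on SELinux already being built into the official config. If it is not, security=selinux matches no compiled-in LSM, AppArmor is switched off as well, and the kernel boots with DAC only. Suggest the comment say that CONFIG_SECURITY_SELINUX=y must be present before attempting the switch.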

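A way to predict which LSM and audit state the built kernel ends up with, given the built-in CONFIG_CMDLINE from the diff above and a boot loader line as in tips 3 and 4. This is an added POSIX sh example, not part of the PKGBUILD; it assumes AppArmor is the only major LSM compiled in (the diff shows no other) and models the x86 rule that the boot loader line is appended after the built-in one, with the last occurrence of a parameter winning.

```sh
#!/bin/sh
# Added example: predict the effective LSM and audit state of the
# linux-hardened-apparmor kernel from its built-in command line
# (CONFIG_CMDLINE="audit=1") plus whatever the boot loader appends.
# Assumptions: CONFIG_CMDLINE_OVERRIDE is off (boot loader line is
# appended after the built-in one), and AppArmor is the only major
# LSM compiled in, as the config diff shows no other.

BUILTIN_CMDLINE="audit=1"   # from the CONFIG_CMDLINE hunk
BUILTIN_LSMS="apparmor"     # assumption: no SELinux in this config

# last_value NAME CMDLINE: print the value of the last NAME=value token
# (the kernel runs each parameter's __setup handler in order, so the
# last occurrence wins).
last_value() {
    name=$1; shift
    val=""
    for tok in $*; do
        case $tok in
            "$name"=*) val=${tok#*=} ;;
        esac
    done
    printf '%s' "$val"
}

# effective_state BOOTLOADER_CMDLINE: print "lsm=<name> audit=<0|1>"
effective_state() {
    cmdline="$BUILTIN_CMDLINE $1"
    sec=$(last_value security "$cmdline")
    aa=$(last_value apparmor "$cmdline")
    au=$(last_value audit "$cmdline")
    # CONFIG_DEFAULT_SECURITY="apparmor": used when security= is absent
    lsm=${sec:-apparmor}
    # security= naming an LSM that is not built in matches nothing,
    # so no major LSM is enabled and only DAC remains.
    case " $BUILTIN_LSMS " in
        *" $lsm "*) ;;
        *) lsm=dac ;;
    esac
    # CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1: AppArmor stays on
    # unless the boot loader passes apparmor=0 (tip 4).
    if [ "$lsm" = apparmor ] && [ "$aa" = 0 ]; then lsm=dac; fi
    # The built-in audit=1 is the baseline; a later audit=0 from the
    # boot loader (tip 3) overrides it.
    printf 'lsm=%s audit=%s\n' "$lsm" "${au:-1}"
}

effective_state ""                                        # lsm=apparmor audit=1
effective_state "audit=0"                                 # lsm=apparmor audit=0
effective_state "apparmor=0 security=selinux selinux=1"   # lsm=dac audit=1
```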
Latest Comments

IrvineHimself commented on 2018-01-26 03:38

4.14.15 UPDATE: The signed patch was finally released, and I have updated the PKGBUILD accordingly. However, possibly because linux-hardened-apparmor is now slightly ahead of linux-hardened, I had to make a choice about whether or not to enable "CONFIG_LOCAL_SANITIZE", which zero-fills uninitialized local variables. The default is 'NO', and since the option requires compiler support, I went with this choice. If this is a problem, let me know. (NOTE: When linux-hardened is next updated, whether or not this option is enabled will be up to @anthraxx.)

Hopefully, 4.14.16 will see a return to the normal release cycle and linux-hardened-apparmor will be fully in sync with linux-hardened... I apologise for any inconvenience, but it was brought about by things beyond my control and the only alternative would have been to delay the update.

Irvine

IrvineHimself commented on 2018-01-25 11:14

Note on 4.14.15:

Upstream didn't provide the usual linux-hardened patch, so this release is being built directly from the source code found at https://github.com/copperhead/linux-hardened/releases/tag/4.14.15.a. Also, upstream failed to sign the above release...

However, on the plus side, I have calculated the proper sha256sum for the release, and also applied the appropriate Arch patch sets.

If upstream updates the release with a rolling patch and/or signatures, I will update the PKGBUILD accordingly.

See https://github.com/copperhead/linux-hardened/releases

IrvineHimself commented on 2017-12-13 12:43

Information

Note: I use "nconfig" to generate the new "config.x86_64". In "4.14.5" there were some changes to the difference file between the official linux-hardened and linux-hardened-apparmor configuration files... (fixed in 4.14.6)

PS @anthraxx, thanks for the tip.

anthraxx commented on 2017-12-13 10:06

Section 1) can be fully deleted. Setting MAKEFLAGS in makepkg.conf is the proper way to do this; that's exactly what it is for and it is implicitly being used.

michaelkempff commented on 2017-10-31 23:29

Nice work. Thank you very much!
