我有 Ubuntu 12.04,内核为 3.2(64 位)
我下载了 apparmor-2.8.0.tar.gzhttps://launchpad.net/apparmor/2.8/2...r-2.8.0.tar.gz
解压后,我进入 apparmor-2.8.0/kernel-patches/3.2/,里面有 3 个文件:
0001-AppArmor-compatibility-patch-for-v5-network-controll.patch
0002-AppArmor-compatibility-patch-for-v5-interface.patch
0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch
我试过:
patch -p1 < 0001-AppArmor-compatibility-patch-for-v5-network-controll.patch
can't find file to patch at input line 26
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|From 125fccb600288968aa3395883c0a394c47176fcd Mon Sep 17 00:00:00 2001
|From: John Johansen <[email protected]>
|Date: Wed, 10 Aug 2011 22:02:39 -0700
|Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
|
|Add compatibility for v5 network rules.
|
|Signed-off-by: John Johansen <[email protected]>
|---
| include/linux/lsm_audit.h | 4 +
| security/apparmor/Makefile | 19 +++-
| security/apparmor/include/net.h | 40 +++++++++
| security/apparmor/include/policy.h | 3 +
| security/apparmor/lsm.c | 112 ++++++++++++++++++++++++
| security/apparmor/net.c | 170 ++++++++++++++++++++++++++++++++++++
| security/apparmor/policy.c | 1 +
| security/apparmor/policy_unpack.c | 48 +++++++++-
| 8 files changed, 394 insertions(+), 3 deletions(-)
| create mode 100644 security/apparmor/include/net.h
| create mode 100644 security/apparmor/net.c
|
|diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
|index 88e78de..c63979a 100644
|--- a/include/linux/lsm_audit.h
|+++ b/include/linux/lsm_audit.h
--------------------------
File to patch:
但随后它询问我“要修补的文件:”。
我该怎么办?
编辑:我这样做的原因是,当我尝试使用时aa-enforce,我收到以下消息:
Setting /bin/ping to enforce mode. Warning: unable to find a suitable fs in /proc/mounts, is it mounted? Use --subdomainfs to override.
当我尝试启动 Apparmor 时,出现以下信息:
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.) Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /bin/ping network rules not enforced
答案1
首先,您使用哪个 3.2 内核源?
- 上游内核?
- Ubuntu 内核已经修补了 apparmor 吗?
Ubuntu 12.04 (3.2) 内核应该已经应用了 apparmor 补丁,因此无需进行修补。但是,如果需要进行修补,则应该位于内核源目录的根目录中,而不是补丁目录中。
此错误
警告:无法在 /proc/mounts 中找到合适的 fs,它是否已安装?请使用 --subdomainfs 覆盖。
告诉我 apparmor 内核模块未内置、未启用,或者未安装 securityfs。
该目录是否/sys/module/apparmor存在?
- 如果存在,apparmor 已经内置但可能未启用,其值是什么
sudo cat /sys/module/apparmor/parameters/? 如果是,那么 apparmor 在内核加载时启用,但所需的文件系统可能未挂载? securityfs 是否挂载?该命令
Y返回什么?mount- 您将寻找类似这样的一行:
none on /sys/kernel/security type securityfs (rw) - 如果安装了 securityfs 并且启用了 apparmor 那么输出是什么
ls -a /sys/kernel/security/apparmor?
- 您将寻找类似这样的一行:
如果/sys/module/apparmor目录不存在,则表示您的内核未启用 apparmor。您需要安装或构建内置 apparmor 的内核。如果您不想,则不必将其启用为默认 LSM,在这种情况下,将其security=apparmor作为内核启动参数提供将启用 apparmor。