Linux Virt aarch64 missing CONFIG_SECURITY_LOCKDOWN_LSM=y
Package Information
- Package name: linux-virt
- Package version: 6.6.27-r0
- Alpine version: 3.19.1
- Alpine architecture: aarch64
Summary
Installed and tested Alpine Linux on both UTM/QEMU (running in virtualization mode on an M1 Mac) and Hetzner Cloud CAX series.

After performing a sys install (detailed below), I checked:

- `/sys/kernel/security/lsm` only has `capability,landlock` (an x86_64 virt install has `capability,landlock,lockdown`)
- `/boot/config-virt` does have `CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity"`, same as x86_64, but
- `# CONFIG_SECURITY_LOCKDOWN_LSM is not set` on aarch64, while `CONFIG_SECURITY_LOCKDOWN_LSM=y` on x86_64

This all boils down to installing and running AppArmor on aarch64-virt. The same setup on an x86_64 virt install works fine (with cryptsetup and apparmor), but the lack of lockdown seems to make the apparmor module not load?

I've tried specifying `lsm` in the GRUB command line, but I don't think lockdown can be enabled without `CONFIG_SECURITY_LOCKDOWN_LSM`?

For now we'll run on x86_64 virt, and will soon test an aarch64 compiled kernel version with `CONFIG_SECURITY_LOCKDOWN_LSM=y` to see if it works. Now the question is, "Is CONFIG_SECURITY_LOCKDOWN_LSM not set on aarch64 for a reason?" I wasn't able to find any issues around this.
Steps to reproduce

- Mount install media
  - On Hetzner: mount ISO Image `Alpine Virtual 3.19 (aarch64) id=105354 alpine-virt-3.19.1-aarch64.iso`
  - On VM: https://dl-cdn.alpinelinux.org/alpine/v3.19/releases/aarch64/alpine-virt-3.19.1-aarch64.iso
- Run `setup-alpine` without any extra flags, env vars or ANSWERFILE
  - Pick `us us` keymap, dhcp for networking, `localhost` as hostname, UTC timezone, no proxy, chrony for NTP, dropbear for SSH
  - Enable community APK, and pick CDN repositories
  - At disk setup, pick (for now) none (diskless), with no configs store and no apk cache
- Install `apk add mkinitfs`
  - Append `kernel/drivers/gpu/drm/virtio` to `/etc/mkinitfs/features.d/virtio.modules` to have console output during init
- Run `KERNELOPTS="quiet console=tty0" setup-disk -s 0 -eL -m sys /dev/sda`
  - Tested this without `-eL` (encrypted lvm), doesn't seem to change anything
- `poweroff`, remove installation media, and boot back into the system
- Run `apk add apparmor apparmor-utils apparmor-profiles`
- Edit `/etc/default/grub` and append `apparmor=1 security=apparmor` to `GRUB_CMDLINE_LINUX_DEFAULT`
- Run `grub-mkconfig -o /boot/grub/grub.cfg` and reboot
- `aa-status` and `aa-enabled` report apparmor as not present
- `/sys/kernel/security/lsm` only has `capability,landlock`
- no `/sys/modules/apparmor` present
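The checks described in the summary and at the end of the reproduction steps (the active LSM list versus the symbols in the kernel config) can be scripted so the comparison between architectures is repeatable. This is an added example, not part of the issue or of Alpine's tooling; `CONFIG_SECURITY_APPARMOR` is a standard kernel symbol not mentioned in the report, and the sample values are constructed from the aarch64 observations above.

```shell
#!/bin/sh
# Added example: report which LSMs a running kernel exposes and how the
# related CONFIG_ symbols are set, so aarch64 and x86_64 builds can be diffed.

# Print "yes" if LSM $2 appears in the comma-separated active list $1.
lsm_active() {
    case ",$1," in
        *",$2,"*) echo yes ;;
        *)        echo no ;;
    esac
}

# Read kernel config text on stdin and print the value of symbol $1:
# the text after "=", "unset" for a "# ... is not set" line, or "missing".
config_value() {
    awk -v key="$1" '
        $0 == ("# " key " is not set") { print "unset"; found = 1; exit }
        index($0, key "=") == 1         { print substr($0, length(key) + 2); found = 1; exit }
        END { if (!found) print "missing" }'
}

# Inspect the live system, or files passed as $1 (lsm list) and $2 (config).
check_system() {
    lsm_file=${1:-/sys/kernel/security/lsm}
    cfg_file=${2:-/boot/config-virt}
    active=$(cat "$lsm_file" 2>/dev/null || true)
    echo "active LSMs: ${active:-<unreadable>}"
    for lsm in lockdown apparmor landlock; do
        echo "  $lsm active: $(lsm_active "$active" "$lsm")"
    done
    if [ -r "$cfg_file" ]; then
        for sym in CONFIG_SECURITY_LOCKDOWN_LSM CONFIG_SECURITY_APPARMOR CONFIG_LSM; do
            echo "  $sym: $(config_value "$sym" < "$cfg_file")"
        done
    else
        echo "  kernel config $cfg_file not readable"
    fi
}

# Constructed sample values reproducing the aarch64 findings in the report.
SAMPLE_LSM="capability,landlock"
SAMPLE_CFG='CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity"
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
CONFIG_SECURITY_APPARMOR=y'

# Run against the live system only when asked, so sourcing stays side-effect free.
[ "${1:-}" = "--live" ] && check_system
```

Run with `--live` on an installed system; the `lockdown active: no` plus `CONFIG_SECURITY_LOCKDOWN_LSM: unset` pair is the aarch64 symptom the report describes.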