AppArmor service not working - missing kernel patch?

Hello,
this is my first posting in this forum.
Some days ago I installed EndeavourOS KDE Plasma version 5.25.5 in VirtualBox as a first approach to it, to learn more about Arch step by step, and to get updates faster for security reasons, unlike other Arch forks.

Until now it works fine, except a problem with apparmor.
I want to use it together with Firejail.
My Kernel Version: 5.19.7-arch1-1 (64-bit)
I found some threads concerning apparmor errors, e.g. like here, but no solution for my problem.

I tried the following commands and got the error messages listed:

aa-status
apparmor module is loaded.
apparmor filesystem is not mounted

cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-linux root=UUID=463a8504-cbb5-48ce-9def-9727d3146320 rw loglevel=3 nowatchdog nvme_load=YES

journalctl -u apparmor.service
Load AppArmor profiles was skipped because of a failed condition check (ConditionSecurity=apparmor).

firecfg
(Kernel needs AppArmor 2.4 compatibility patch.)

Grub contains:
GRUB_CMDLINE_LINUX_DEFAULT="quiet udev.log_priority=3 apparmor=1 security=apparmor lsm=lockdown,yama,apparmor

following some hints in different threads to complete this line in GRUB.

Now I have no more ideas. Please let me know how to solve this error, considering that I am a newbie to EndeavourOS as a close Arch fork and have no experience so far with issues like kernel compilation.
Thanks a lot in advance.

You probably want this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet udev.log_priority=3 lsm=landlock,lockdown,yama,integrity,apparmor,bpf"

Then you need to run sudo grub-mkconfig -o /boot/grub/grub.cfg and reboot.

If you are still getting an error after that, please share the exact error message.

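To confirm after the reboot that the new kernel command line took effect and that the kernel really activated AppArmor, here is an added check script (written for this thread as an illustration, not something posted by dalto or shipped by EndeavourOS). It compares /proc/cmdline, which shows what the kernel was actually booted with, against /sys/kernel/security/lsm, which lists the LSMs active in this boot, and names the most likely reason when apparmor is absent. The sample command lines and LSM lists at the bottom are constructed for the demo; run it with --live to check the running system.

```shell
#!/bin/sh
# Added example, not part of this thread: verify after a reboot that the kernel
# really activated AppArmor, and explain why not if it did not.
#
# Two files are the ground truth on a running system:
#   /proc/cmdline             what the kernel was actually booted with (not what
#                             /etc/default/grub says; grub-mkconfig must have been run)
#   /sys/kernel/security/lsm  comma-separated list of LSMs active in this boot
#                             (lives on securityfs; if it is missing, aa-status
#                             reports "apparmor filesystem is not mounted")
# The sample strings at the bottom are constructed for illustration.

# in_list LIST NAME: succeed if NAME is one element of the comma-separated LIST.
in_list() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# param_value CMDLINE KEY: print the value of KEY=... from a kernel command line;
# fail if KEY is absent.
param_value() {
    for tok in $1; do
        case "$tok" in
            "$2="*) printf '%s\n' "${tok#"$2="}"; return 0 ;;
        esac
    done
    return 1
}

# apparmor_state CMDLINE ACTIVE_LSMS: print exactly one of
#   active                apparmor is in the active LSM list
#   lsm-excluded          lsm= is present but does not name apparmor
#   requested-not-active  lsm=...,apparmor or security=apparmor was given, yet the
#                         kernel did not activate it (e.g. no AppArmor support built in)
#   not-requested         neither lsm= nor security= asks for apparmor, so the
#                         kernel's compiled-in default LSM list (CONFIG_LSM) was used
apparmor_state() {
    as_cmdline=$1
    as_active=$2
    if in_list "$as_active" apparmor; then
        echo active
        return 0
    fi
    as_lsm=$(param_value "$as_cmdline" lsm) || as_lsm=
    as_sec=$(param_value "$as_cmdline" security) || as_sec=
    # The kernel ignores security= when lsm= is present, so check lsm= first.
    if [ -n "$as_lsm" ]; then
        if in_list "$as_lsm" apparmor; then
            echo requested-not-active
        else
            echo lsm-excluded
        fi
    elif [ "$as_sec" = apparmor ]; then
        echo requested-not-active
    else
        echo not-requested
    fi
}

# check_live: run the classification against the running kernel.
check_live() {
    if [ ! -r /sys/kernel/security/lsm ]; then
        echo "securityfs not available at /sys/kernel/security; cannot read active LSM list" >&2
        return 1
    fi
    apparmor_state "$(cat /proc/cmdline)" "$(cat /sys/kernel/security/lsm)"
}

# Constructed sample inputs (hypothetical, not captured from a real machine):
# a command line with no LSM selection at all, like the one in the original post,
SAMPLE_CMDLINE_PLAIN='BOOT_IMAGE=/boot/vmlinuz-linux root=UUID=463a8504-cbb5-48ce-9def-9727d3146320 rw loglevel=3 nowatchdog'
SAMPLE_ACTIVE_NO_AA='capability,landlock,lockdown,yama,bpf'
# and the command line after the suggested lsm= setting took effect.
SAMPLE_CMDLINE_FIXED='BOOT_IMAGE=/boot/vmlinuz-linux root=UUID=463a8504-cbb5-48ce-9def-9727d3146320 rw quiet udev.log_priority=3 lsm=landlock,lockdown,yama,integrity,apparmor,bpf'
SAMPLE_ACTIVE_AA='capability,landlock,lockdown,yama,integrity,apparmor,bpf'

if [ "${1:-}" = --live ]; then
    check_live
else
    echo "before: $(apparmor_state "$SAMPLE_CMDLINE_PLAIN" "$SAMPLE_ACTIVE_NO_AA")"
    echo "after:  $(apparmor_state "$SAMPLE_CMDLINE_FIXED" "$SAMPLE_ACTIVE_AA")"
fi
```

If the script reports not-requested although /etc/default/grub already contains the lsm= line, the usual cause is that grub-mkconfig was not rerun (or the edited line is malformed, for example missing its closing quote), so /boot/grub/grub.cfg still carries the old command line; requested-not-active points at the kernel itself rather than at the boot configuration.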

To integrate firejail with apparmor, you have to run this command only once:
apparmor_parser -r /etc/apparmor.d/firejail-default
…before you run:
sudo firecfg

Then firejail will pick up apparmor, too.

A look at the Arch Wiki when setting up firejail also can't hurt:

Tip: A pacman hook can be used to automatically run firecfg on pacman operations:

/etc/pacman.d/hooks/firejail.hook

[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/local/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config…
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'

The same (can’t hurt) also goes for apparmor, of course!

Thanks a lot, dalto and ivanhoe, for your reply and help!
I followed your instructions, dalto, and yes, now apparmor is running!
I used the apparmor parsing command, ivanhoe, but obviously firejail-default was already implemented before.
I am missing preconfigured apparmor profiles, especially for Firefox, Thunderbird and Tor Browser.
Maybe EndeavourOS users are used to installing them themselves?
Or are incompatibilities to be expected when using AppArmor and Firejail together for some applications? A hint in the wiki seems to point out that you have to consider problems in some cases.


Arch and EndeavourOS don't ship with apparmor, so there are no profiles. You need to set up your own profiles. There are some predefined ones in the AUR, such as krathalans-apparmor-profiles-git, but it is up to you whether you want to use those or not.

Thanks again for your reply, dalto.
I found it a bit different, because I could download apparmor (Arch repo). After apparmor is working, about 60 applications are spontaneously listed as running in enforce mode.
But yes, as mentioned, some are missing, like Firefox for example.