need community help

[osevan]

Maybe someone here know how mkinitcpio or dracut could run apparmor_parser as pid1 before any other init system starts.

Please dont post links for Debian distribution pages with profile everything tutorials.

Im questioning about archlinux and derivates like artix solution.

Something in initramfs creation process. ...

I need to know which config i need to change to solve this on my testing notebook.

Thx and

Best regards.

[roddhjav]

Can you explain your problem clearly. Why do you want to do such a thing?

A few things to notes:

• You don't run anything else than systemd as pid 1
• You can load some profile before pid 1 is started, from the initramfs; however, you do not want to do this with this project as it is not ready for this yet. (btw, this is an old method deprecated in favor of early-policy-loads)
• Some services are already configured to be started after apparmor service is loaded.
• You can enable early policy load: systemd will simply load the profile before anything else. See: https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads. But you may not want to do this if you have issue with some profiles.

[osevan]

Dear roddhjav,

I know already early load method and read your posted links well.

But my Question is everything before systemd - i mean before init - which config i need to modify to do my testing behavior?

If this possible in debian, than it is possible in arch world too.

[osevan]

I want start in my testing lab every init system with apparmor profile!

To enforce later after enough profiles collected

[osevan]

Thank you very much roddhjav,

But this answers not my question :-(

I need initramfs mkinitcpio or dracut method for running apparmor_parser as pid1 everything else what you wrote ofc are usefull, but doesnt help me in my behavior.

And answers like "You don't run anything else than systemd as pid 1" isnt helpfully, because everyone have another security perspective, even when some complication can come in future like unbootable system.

We have test labs for such a thing.

So my question is still alive and im happy when i could get solution ideas.

Because some guys doesn't trust inits as pid1.

And ,yes, systemd and his 2.1 millions LOC doesn't make my opinion of running systemd as pid1 any better.

I will forever classify it as untrustworthy

[roddhjav]

And answers like "You don't run anything else than systemd as pid 1" isnt helpfully...

I meant you should only use an init system as pid 1 nothing else, in reference to your first sentence: could run apparmor_parser as pid1. Anyway, now I am trying to understand what you are looking for, and this does not exist yet (so you are welcome to help).

However, it is important to note that this method of loading a profile for init directly from the initframfs seems to be deprecated in favor of early policy load (even if this is systemd only). This explain why there is nothing for dracut or mkinitcpio.

Last but not least, there is currently no need for it (as part of this project) as apparmor.d does not support full system confinement yet as this generate too many "no new privs" issue to implement full system confinement in a meaningful way. But this will come with time...