I'm trying to set `lsm=landlock,lockdown,yama,integrity,apparmor,bpf` on an Arch Linux ARM system.
The options seem to be set in /boot/boot.txt. In its original form, it looks like this:
```
# After modifying, run ./mkscr
# Set root partition to the second partition of boot device
part uuid ${devtype} ${devnum}:2 uuid
setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=${uuid} rw rootwait smsc95xx.macaddr="${usbethaddr}"
if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /Image; then
  if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /dtbs/${fdtfile}; then
    if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /initramfs-linux.img; then
      booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
    else
      booti ${kernel_addr_r} - ${fdt_addr_r};
    fi;
  fi;
fi
```
From what I understand from the U-boot documentation, bootargs are the command options passed to the binary (the operating system). Based on this, and the list of kernel parameters, I thought that the following would work:
```
...
setenv bootargs lsm=landlock,lockdown,yama,integrity,apparmor,bpf console=ttyS1,115200 console=tty0 root=PARTUUID=${uuid} rw rootwait smsc95xx.macaddr="${usbethaddr}"
...
```
After running ./mkscr and rebooting, I expected something different from:
```
cat /sys/kernel/security/lsm
capability,landlock,yama
```
which remains consistently frustrating.
I also tried `security=lsm=` (for backward compatibility) and `kernel.lsm`, with the same result.
The Arch wiki does not detail this bootloader, ArchLinuxARM wiki is rather limited, and I'm completely new to U-boot configuration, so I feel stuck.
How can I set the `lsm` kernel parameter through this loader?
If I am missing something obvious, what is it?
Looking at
```
zcat /proc/config.gz | grep SECURITY
# CONFIG_IP_NF_SECURITY is not set
CONFIG_IP6_NF_SECURITY=m
# CONFIG_NVDIMM_SECURITY_TEST is not set
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_F2FS_FS_SECURITY=y
CONFIG_UBIFS_FS_SECURITY=y
CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFSD_V4_SECURITY_LABEL=y
# CONFIG_CEPH_FS_SECURITY_LABEL is not set
CONFIG_9P_FS_SECURITY=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_HAS_SECURITY_AUDIT=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_SAFESETID is not set
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
CONFIG_SECURITY_LANDLOCK=y
# CONFIG_SECURITY_IPE is not set
CONFIG_DEFAULT_SECURITY_DAC=y
```
it all makes sense. Arch's **linux-aarch64** is simply not compiled for apparmor: the option is simply ignored. Some guy asked 5 years ago for the kernel to be compiled with the option [here](https://archlinuxarm.org/forum/viewtopic.php?f=23&t=15104&p=65715&hilit=apparmor#p65715) but did not receive any response :/
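The failure mode above (a `lsm=` entry the kernel silently drops because the LSM was never built in) can be caught before editing boot.txt by checking the requested list against the kernel's Kconfig. The script below is an added example, not from the original post; it assumes the upstream Kconfig symbol names for each LSM and uses a constructed sample built from the post's `grep SECURITY` output.

```shell
#!/bin/sh
# Added example: report which LSMs named in an lsm= bootarg are not compiled
# into the kernel. LSMs are not loadable modules, so anything other than
# SYMBOL=y means the name will be ignored at boot.

# Map an lsm= name to its upstream Kconfig symbol (assumed standard names).
lsm_kconfig_symbol() {
    case "$1" in
        landlock)  echo CONFIG_SECURITY_LANDLOCK ;;
        lockdown)  echo CONFIG_SECURITY_LOCKDOWN_LSM ;;
        yama)      echo CONFIG_SECURITY_YAMA ;;
        integrity) echo CONFIG_INTEGRITY ;;
        apparmor)  echo CONFIG_SECURITY_APPARMOR ;;
        selinux)   echo CONFIG_SECURITY_SELINUX ;;
        smack)     echo CONFIG_SECURITY_SMACK ;;
        tomoyo)    echo CONFIG_SECURITY_TOMOYO ;;
        loadpin)   echo CONFIG_SECURITY_LOADPIN ;;
        safesetid) echo CONFIG_SECURITY_SAFESETID ;;
        bpf)       echo CONFIG_BPF_LSM ;;
        ipe)       echo CONFIG_SECURITY_IPE ;;
        *)         return 1 ;;   # unknown name: cannot be built in
    esac
}

# missing_lsms CONFIG_TEXT LSM_LIST
# Prints, space-separated and in lsm= order, every LSM whose symbol is not
# "=y" in CONFIG_TEXT ("is not set", or absent from the text altogether).
missing_lsms() {
    config="$1"; list="$2"; missing=""
    for lsm in $(printf '%s' "$list" | tr ',' ' '); do
        sym=$(lsm_kconfig_symbol "$lsm") || { missing="$missing $lsm"; continue; }
        if ! printf '%s\n' "$config" | grep -q "^${sym}=y$"; then
            missing="$missing $lsm"
        fi
    done
    printf '%s' "${missing# }"
}

# Constructed sample: the CONFIG_SECURITY_* lines from the post's output.
# Because that output was grep-filtered on SECURITY, CONFIG_INTEGRITY and
# CONFIG_BPF_LSM are absent here and get reported too; on a real system run
#   missing_lsms "$(zcat /proc/config.gz)" "landlock,lockdown,yama,integrity,apparmor,bpf"
SAMPLE_CONFIG='CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
CONFIG_SECURITY_LANDLOCK=y'

missing_lsms "$SAMPLE_CONFIG" "landlock,lockdown,yama,integrity,apparmor,bpf"; echo
```

Against the post's own config this prints `lockdown integrity apparmor bpf`, which matches the `capability,landlock,yama` the kernel actually initialised (capability is always present and is not a Kconfig-selectable LSM).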