AppArmor on WSL, #2

It doesn't work. But it can. Here's how.

(As a first step, obviously, you need a custom kernel compiled to support AppArmor, such as the ones I package or one you made yourself. This particular article also assumes that you’re running systemd via my genie or one of the other solutions to do so. We’ll now proceed as if all those things are true.)

If you have tried to run AppArmor under WSL, what you will be noticing is that the apparmor.service exits without loading any AppArmor profiles, with the helpful message “Not starting AppArmor in container.” (As per my old post.)

This is, of course, perfectly accurate. Linux distributions under WSL are containers. Unfortunately, it’s unhelpful, because while they are, there is no accessible host above them that might be setting AppArmor policies to be interfered with, just the WSL distro-management foo. Thus, it makes a lot more sense to treat WSL distributions as not-containers for AppArmor purposes.

(Incidentally, this is reported as Debian bug #988204, here.)

New and improved patch to enable this, which takes advantage of the existing mechanism to exempt certain AppArmor-compatible container environments, is as follows. Apply to /lib/apparmor/rc.apparmor.functions:

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters

	--- rc.apparmor.functions 2021-11-08 13:27:06.461249682 -0600
	+++ rc.apparmor.functions 2021-11-08 13:30:05.766141212 -0600
	@@ -68,7 +68,7 @@
	# something like `systemd-detect-virt --container`.
	#
	# The only known container environments capable of supporting internal policy
	-# are LXD and LXC environment.
	+# are LXD and LXC environments and Windows Subsystem for Linux.
	#
	# Returns 0 if the container environment is capable of having its own internal
	# policy and non-zero otherwise.
	@@ -91,6 +91,11 @@
	local ns_stacked
	local ns_name
	+ # WSL needs to be detected explicitly
	+ if [ $(systemd-detect-virt --container) = "wsl" ]; then
	+ return 0
	+ fi
	+
	if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
	return 1
	fi

view raw apparmor_wsl.patch hosted with ❤ by GitHub

Restart apparmor.service, and off you should go!