ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Sun Jun 15, 2025 11:54 am Post subject: My kernel config snippets don't seem to apply
Hey everyone!
I was trying to install AppArmor on my Gentoo install, and I have created a kernel config snippet with the required change in /etc/kernel/config.d. The snippet sets CONFIG_SECURITY_APPARMOR=y and CONFIG_LSM="landlock,yama,apparmor,bpf".
I followed pietinger's advice here, changing the current config through the menu and generating a diff to make sure my snippet has everything it needs, and it does seem to be the only required change. CONFIG_SECURITY_APPARMOR isn't even required since it's already on "y"; I'm just putting it there in case a future version of the kernel deactivates it. The savedconfig USE flag is not set either. I have sys-kernel/gentoo-kernel installed on my system and not the bin version. Yet, my snippet doesn't seem to be merged. It doesn't seem to appear in the build log at all, and both my .config and my config.gz show the old values. Is there another requirement I missed in order to use config snippets?
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Sun Jun 15, 2025 3:00 pm
Does your current running kernel match the one you compiled? ... will help to see which kernel is being used.
Normally if you use GRUB as your bootloader/manager the /boot/grub/grub.cfg should be updated automatically.
So in short: ensure you really are running the updated kernel.
_________________
..: Zucca :..
My gentoo installs: init=/sbin/openrc-init -systemd -logind -elogind seatd
Quote: I am NaN! I am a man!
sam_ (Developer)
Joined: 14 Aug 2020 Posts: 2390
Posted: Sun Jun 15, 2025 3:15 pm
Can we see the full build.log, the path to the snippet, and the full contents of the snippet?
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Mon Jun 16, 2025 7:09 pm
Zucca wrote:
| Does your current running kernel match the one you compiled? ... will help to see which kernel is being used.
| Normally if you use GRUB as your bootloader/manager the /boot/grub/grub.cfg should be updated automatically.
| So in short: ensure you really are running the updated kernel.
Hello Zucca,
"uname -rv" does return 6.12.31, which is the one I rebuilt, and I made sure I was loading the new one in the UEFI panel, but I'm not seeing any change in the config files, unfortunately. I'm also using an EFI stub rather than GRUB.
sam_ wrote:
| Can we see the full build.log, the path to the snippet, and the full contents of the snippet?
Hello, sam_,
The path to the snippet is "/etc/kernel/config.d/lsm.config". The content of lsm.config is:
Code:
    CONFIG_SECURITY_APPARMOR=y
    CONFIG_LSM="landlock,yama,apparmor,bpf"
And here's my build log.
Last edited by ermor on Thu Jun 19, 2025 11:48 am; edited 1 time in total
Banana (Moderator)
Joined: 21 May 2004 Posts: 2075 Location: Germany
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Tue Jun 17, 2025 6:41 pm
Banana wrote:
| ermor wrote:
| | And here's part of my build log, unfortunately it's way too large and it won't let me post everything.
| You can use something like this to provide the complete output of commands or even just files: https://wiki.gentoo.org/wiki/Wgetpaste
Thanks a lot for the tip, Banana! Here's the log, then.
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Sun Jun 22, 2025 6:47 pm
Looking into it some more, it seems I have both sys-kernel/gentoo-sources and sys-kernel/gentoo-kernel in my world. I'm not sure it has anything to do with it, as far as I understand gentoo-sources is ignored with the distribution kernel enabled, but I wonder if this could be a reason. Unfortunately, I'm out of ideas; I don't know enough about the kernel to understand what's wrong with my snippets or configuration.
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Mon Jun 23, 2025 6:11 pm
Hm.
It could matter.
What do the following commands output on your system?
Code:
    qlop -vI gentoo-kernel
    qlop -vI gentoo-sources
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Mon Jun 23, 2025 7:45 pm
Zucca wrote:
| Hm.
| It could matter.
| What do the following commands output on your system?
| Code:
|     qlop -vI gentoo-kernel
|     qlop -vI gentoo-sources
Hello, Zucca!
qlop complains about (upper-case i) being an invalid option, so I tried (lower-case L) instead.
Curiously, neither command outputs anything. I checked in my logs and I still have the logs for both source and kernel in my build and elog folders, though.
EDIT: In addition, I ran another diff between both config files, just to be sure, and there was another change, from
Code:
    CONFIG_CC_VERSION_TEXT="x86_64-pc-linux-gnu-gcc (Gentoo Hardened 14.3.0 p8) 14.3.0"
to
Code:
    CONFIG_CC_VERSION_TEXT="gcc (Gentoo Hardened 14.3.0 p8) 14.3.0"
I thought it was just for reference and didn't really pay attention to it, but then again, it's not working so I might be wrong about that.
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Mon Jun 23, 2025 8:47 pm
ermor wrote:
| qlop complains
Oh. Sorry. I meant qlist, instead of qlop. Apologies.
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Mon Jun 23, 2025 10:07 pm
Zucca wrote:
| ermor wrote:
| | qlop complains
| Oh. Sorry. I meant qlist, instead of qlop. Apologies.
No problem, thanks for helping. ^^
Code:
    qlist -vI gentoo-kernel
    => sys-kernel/gentoo-kernel-6.12.31
    qlist -vI gentoo-sources
    => sys-kernel/gentoo-sources-6.12.31
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Tue Jun 24, 2025 8:36 am
Ok.
What's inside your /boot?
The log you gave, indeed, indicates that your custom config doesn't get applied.
Let's do a sanity check:
Code:
    zfgrep CONFIG_LSM /proc/config.gz
... what does that command output?
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Wed Jun 25, 2025 9:32 pm
Zucca wrote:
| Ok.
| What's inside your /boot?
Just a grub directory from back when I had it installed.
Zucca wrote:
| The log you gave, indeed, indicates that your custom config doesn't get applied.
| Let's do a sanity check:
| Code:
|     zfgrep CONFIG_LSM /proc/config.gz
| ... what does that command output?
Code:
    CONFIG_LSM_MMAP_MIN_ADDR=65535
    CONFIG_LSM="landlock,yama,bpf"
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Thu Jun 26, 2025 11:33 am
ermor wrote:
| Zucca wrote:
| | Ok.
| | What's inside your /boot?
| Just a grub directory from back when I had it installed.
Does it contain kernel images (normally containing the string "vmlinuz")? If not, then have you set up another location for compiled kernel images?
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Thu Jun 26, 2025 11:55 am
Zucca wrote:
| ermor wrote:
| | Zucca wrote:
| | | Ok.
| | | What's inside your /boot?
| | Just a grub directory from back when I had it installed.
| Does it contain kernel images (normally containing the string "vmlinuz")? If not, then have you set up another location for compiled kernel images?
It doesn't. It's a UKI EFI boot stub, so as far as I understand, that would be the appropriate .efi file in my EFI partition ("gentoo-6.12.31-gentoo-dist-hardened.efi"), even though it doesn't have vmlinuz in its name.
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Thu Jun 26, 2025 4:21 pm
ermor wrote:
| It doesn't. It's a UKI EFI boot stub, so as far as I understand, that would be the appropriate .efi file in my EFI partition ("gentoo-6.12.31-gentoo-dist-hardened.efi"), even though it doesn't have vmlinuz in its name.
Ok. This part seems fine then.
You seem to have everything correctly set, but for some reason the gentoo-kernel ebuild does not pull in and merge your config snippets.
Let's see the permissions on your config.d directory:
Code:
    ls -lhFa /etc/kernel/config.d
Some ebuild phases are not run by root, but as the portage user. man 5 ebuild did not tell me which ones (I know I've read that information somewhere...).
I have world-readable content in my config.d directory. Let's see if ours match.
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Thu Jun 26, 2025 7:18 pm
Zucca wrote:
| Let's see the permissions on your config.d directory:
| Code:
|     ls -lhFa /etc/kernel/config.d
| Some ebuild phases are not run by root, but as the portage user. man 5 ebuild did not tell me which ones (I know I've read that information somewhere...).
| I have world-readable content in my config.d directory. Let's see if ours match.
That might be the reason, actually. I've set my umask so that permissions are given to root only for files created by root.
Code:
    drwx------ 2 root root  24 Jun 25 20:27 ./
    drwxr-xr-x 6 root root  74 Jun  3 21:45 ../
    -rw------- 1 root root 131 Jun 25 20:27 lsm.config
I could make it world-readable. I can't test it right now, though, since it takes the entire day to build the kernel, but I'll get back to you in a few days with the results.
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Thu Jun 26, 2025 7:36 pm
ermor wrote:
| Code:
|     drwx------ 2 root root  24 Jun 25 20:27 ./
|     drwxr-xr-x 6 root root  74 Jun  3 21:45 ../
|     -rw------- 1 root root 131 Jun 25 20:27 lsm.config
| I could make it world-readable. I can't test it right now, though, since it takes the entire day to build the kernel, but I'll get back to you in a few days with the results.
Also your /etc/kernel/config.d directory is accessible by root only.
Check the access rights of the parent directories too. EDIT: Those should be ok, since permissions for ../ seem correct.
Also you can abort the kernel build process quite early on. There should be messages in the build.log about applying your custom config snippets.
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Thu Jun 26, 2025 8:13 pm
Zucca wrote:
| ermor wrote:
| | Code:
| |     drwx------ 2 root root  24 Jun 25 20:27 ./
| |     drwxr-xr-x 6 root root  74 Jun  3 21:45 ../
| |     -rw------- 1 root root 131 Jun 25 20:27 lsm.config
| | I could make it world-readable. I can't test it right now, though, since it takes the entire day to build the kernel, but I'll get back to you in a few days with the results.
| Also your /etc/kernel/config.d directory is accessible by root only.
| Check the access rights of the parent directories too. EDIT: Those should be ok, since permissions for ../ seem correct.
| Also you can abort the kernel build process quite early on. There should be messages in the build.log about applying your custom config snippets.
It works! Thanks a lot! ^^
Turns out, you do need the file to be world-readable, and to give both r and x permissions to all users on config.d (or maybe just to the portage user, I suppose). I tried giving only read permissions on config.d at first, but the build process fails when trying to merge the file if you don't give execute permissions too:
Code:
    Merging /etc/kernel/config.d/lsm.config
    The merge file '/etc/kernel/config.d/lsm.config' does not exist. Exit.
This permission thing seems pretty important to know, especially since the build log doesn't actually tell you why it ignores snippets. Think I should add something about it on the config snippets page?
Last edited by ermor on Thu Jun 26, 2025 8:52 pm; edited 3 times in total
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Thu Jun 26, 2025 8:35 pm
ermor wrote:
| and to give both r and x permissions to everyone on config.d. I tried giving only read permissions on config.d at first, but the build process fails when trying to merge the file if you don't give execute permissions too:
| Code:
|     Merging /etc/kernel/config.d/lsm.config
|     The merge file '/etc/kernel/config.d/lsm.config' does not exist. Exit.
| This permission thing seems pretty important to know, especially since the build log doesn't actually tell you why it ignores snippets. Think I should add something about it on the config snippets page?
That's strange... I have -rw-r--r-- 1 root root on all files inside my config.d. The directory itself has the executable bit for world set (drwxr-xr-x 2 root root).
Although I'm running mostly 6.6-series kernels here.
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27
Posted: Thu Jun 26, 2025 8:50 pm
Zucca wrote:
| ermor wrote:
| | and to give both r and x permissions to everyone on config.d. I tried giving only read permissions on config.d at first, but the build process fails when trying to merge the file if you don't give execute permissions too:
| | Code:
| |     Merging /etc/kernel/config.d/lsm.config
| |     The merge file '/etc/kernel/config.d/lsm.config' does not exist. Exit.
| | This permission thing seems pretty important to know, especially since the build log doesn't actually tell you why it ignores snippets. Think I should add something about it on the config snippets page?
| That's strange... I have -rw-r--r-- 1 root root on all files inside my config.d. The directory itself has the executable bit for world set (drwxr-xr-x 2 root root).
| Although I'm running mostly 6.6-series kernels here.
That seems to match my current settings. I've got all r permissions on my actual config file, and all r and x permissions on the config directory. By "everyone on config.d", I meant "all users", sorry if it was a bit confusing.
I might be dreaming it, but I vaguely remember that I had to create the config directory myself, which might explain why it had fewer permissions than the usual default.
pietinger (Moderator)
Joined: 17 Oct 2006 Posts: 5829 Location: Bavaria
Zucca (Moderator)
Joined: 14 Jun 2007 Posts: 4158 Location: Rasi, Finland
Posted: Thu Jun 26, 2025 9:47 pm
ermor wrote:
| It works! Thanks a lot! ^^
You're most welcome. ;)
We both learned.
I think there's a reason to raise a bug against the ebuild if there's nothing in the build.log indicating a failure to access the config.d directory, aka "permission denied".
And yes, like Pietinger mentioned, I think the required permissions for config.d should be at least "side noted" on the wiki page.
Hu (Administrator)
Joined: 06 Mar 2007 Posts: 23584
Posted: Thu Jun 26, 2025 11:53 pm
eclass/kernel-build.eclass uses a shell glob to find the files to pull in. From some cursory testing, the shell does not return failure when permissions prevent a glob:
Code:
    $ ls /root
    ls: cannot open directory '/root': Permission denied
    $ (a=( /root/*.config ); echo $?)
    0
The glob necessarily fails since, per the previous line, my user does not have permission to list /root. Despite that failure, $? is still 0. The eclass could still try to detect restrictive permissions and warn, such as by
Code:
    $ if ! [[ -r /root ]]; then echo 'Cannot read /root'; fi
    Cannot read /root
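Added here as an example (not code from the thread and not kernel-build.eclass's own logic): a POSIX sh check for the failure mode the thread ends on, deciding from the stat mode bits whether a config.d directory and its *.config snippets are reachable by an unprivileged user, so the verdict is the same whether it is run as root or not. It assumes GNU stat (-c %a) and, as a simplification, checks only the "others" permission triplet; a group-based grant to the portage user would also work but is not checked.

```shell
#!/bin/sh
# Added example, not code from the thread or from kernel-build.eclass.
# Reports whether a kernel config.d directory and its *.config snippets are
# reachable by an unprivileged user. The verdict comes from the stat mode bits,
# not from trying to open the files, so it is the same when run as root (root
# bypasses DAC and would never hit the "permission denied" a glob swallows).
# Assumes GNU stat (-c %a). Only the "others" triplet is checked.

# other_perm_ok MODE NEEDED
#   MODE   octal mode string as printed by `stat -c %a` (e.g. 700, 755, 1777)
#   NEEDED bitmask over the "others" triplet: 4 = r, 1 = x, 5 = r+x
# Returns 0 when every NEEDED bit is set for "others".
other_perm_ok() {
    others=${1#"${1%?}"}            # last digit of the mode = "others" triplet
    [ $(( others & $2 )) -eq "$2" ]
}

# snippet_dir_status DIR
# Prints one WARN line per problem. Returns 0 when the directory is listable
# and searchable (r+x) and every *.config in it is readable (r) by others,
# 1 when something would be silently skipped, 2 when DIR cannot be stat'ed.
snippet_dir_status() {
    dir=$1
    rc=0
    mode=$(stat -c %a "$dir" 2>/dev/null) || return 2
    # listing the directory (the glob) needs r, opening a file inside needs x
    if ! other_perm_ok "$mode" 5; then
        echo "WARN: $dir is mode $mode; others need r+x (e.g. chmod 755)"
        rc=1
    fi
    for f in "$dir"/*.config; do
        # an unmatched glob is left as the literal pattern and exits 0, which
        # is exactly what hides an unreadable directory; skip it explicitly
        [ -e "$f" ] || continue
        fmode=$(stat -c %a "$f")
        if ! other_perm_ok "$fmode" 4; then
            echo "WARN: $f is mode $fmode; others need r (e.g. chmod 644)"
            rc=1
        fi
    done
    return $rc
}

# Usage, run by hand on the directory the thread discusses:
#   snippet_dir_status /etc/kernel/config.d
```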
ermor (n00b)
Joined: 05 Jan 2025 Posts: 27