I've been trying to get UFW started on Arch ARM, but have been having issues with ufw initiating:
Result from sudo ufw enable
Code:
ERROR: problem running ufw-init
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/5.10.19-1-danctnix
modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/5.10.19-1-danctnix
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/5.10.19-1-danctnix
iptables-restore v1.8.7 (legacy): Couldn't load match 'limit':No such file or directory
Result from uname -r
Result from pacman -Q linux
Code:
linux-pine64 5.10.19-1
I ls'd into the module directory and did not see anything related to nf modules.
Things I've tried:
Rebooted many times, power cycled, sudo reboot, etc
Re-installed ufw, iptables, etc
Iptables disabled from systemd
I'm starting to guess that this is not enabled in the kernel? i.e. modules aren't configured in the kernel to be enabled?
Any thoughts?
You're right, this is not enabled in the kernel.
I'll enable this and push a new kernel release soon.
(03-03-2021, 07:53 AM)Danct12 Wrote: You're right, this is not enabled in the kernel.
I'll enable this and push a new kernel release soon.
Thanks!
I started to look into how to add options to the kernel via the Arch wiki as well, in case I find something else not enabled. I was going to take a stab at it myself, but in the Arch wiki, method 2 (using the kernel command line) is referenced the most, which I assume means I need to get access to the bootloader in the PinePhone (I don't think there is a method, is there? I tried volume up + power, it didn't do anything). Anyways, then I saw this method of modifying modprobe files instead:
https://wiki.archlinux.org/index.php/Ker...odprobe.d/
I was also trying to install apparmor + firejail integration. This time I got an error saying it needs a kernel compatibility patch 2.6, odd. But googling around suggested that it was a masked error and it just needed another option in the kernel enabled for apparmor, such as below:
Code:
apparmor=1 security=apparmor
Would I be on the right-ish track? Sorry for the beginner questions.
EDIT: Having dug through the wiki and google, not sure now how to actually set the kernel parameters myself. As for option 2 the method of getting to a bootloader doesn't seem to exist for the phone, nor is "u-boot" part of the options they provide since this is unofficial arch anyways. And option 3 to use sysctl, listing the kernel parameters with sysctl -a, doesn't show any parameter relating to lsm or apparmor. Guess this may need to be pushed in another kernel release? Unless there is a way to get to the bootloader and use the kernel command line for the phone?
You can modify /boot/boot.txt and run ./mkscr to regenerate the script then reboot.
(03-03-2021, 06:44 PM)Danct12 Wrote: You can modify /boot/boot.txt and run ./mkscr to regenerate the script then reboot.
I was justtt about to post that I figured out how to edit it using uboot-tools lol. I used the mkimage tool though (was there a difference in one working?):
Code:
mkimage -A arm -T script -O linux -d boot.txt boot.scr
I added the parameters
Code:
apparmor=1 security=apparmor
so the boot.txt setenv line became like this
Code:
setenv bootargs loglevel=4 console=${console} console=tty0 root=/dev/mmcblk${linux_mmcdev}p${rootpart} rw rootwait apparmor=1 security=apparmor quiet bootsplash.bootfile=bootsplash-themes/danctnix/bootsplash
Then using the mkimage, regenerated it. Then rebooted. But it still fails to load:
Code:
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Condition: start condition failed at Wed 2021-03-03 18:18:51 PST; 1min 21s ago
└─ ConditionSecurity=apparmor was not met
Cat'ing the proc cmdline confirms it did get the entry:
Code:
$ cat /proc/cmdline
loglevel=4 console=ttyS0,115200 console=tty0 root=/dev/mmcblk2p2 rw rootwait apparmor=1 security=apparmor quiet bootsplash.bootfile=bootsplash-themes/danctnix/bootsplash
I have added support for these NF modules, please update your device. And sorry for the delay!
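A quick way to check for the kind of gap this thread ran into, as an added example that is not from the thread or the DanctNIX project: it audits a kernel config file for the options behind the missing nf modules, the `limit` match and AppArmor. The function names and the sample config are constructed for illustration; the thread does not say whether AppArmor was compiled into this kernel.

```shell
#!/bin/sh
# Kconfig symbols behind the modules and the 'limit' match named in the
# ufw-init errors above, plus the AppArmor LSM.
REQUIRED="CONFIG_NF_CONNTRACK_FTP CONFIG_NF_NAT_FTP CONFIG_NF_CONNTRACK_NETBIOS_NS
CONFIG_NETFILTER_XT_MATCH_LIMIT CONFIG_SECURITY_APPARMOR"

# Print y (built in), m (module) or n (not set or absent) for option $2 in file $1.
config_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${state:-n}"
}

# Print every required option that is neither built in nor a module.
missing_options() {
    for opt in $REQUIRED; do
        [ "$(config_state "$1" "$opt")" = n ] && echo "$opt"
    done
    return 0
}

# security=apparmor on the command line ($2) only selects an LSM that is
# compiled in (=y; AppArmor cannot be built as a module) in the config ($1).
apparmor_can_start() {
    [ "$(config_state "$1" CONFIG_SECURITY_APPARMOR)" = y ] || return 1
    case " $2 " in
        *" security=apparmor "*) return 0 ;;
    esac
    return 1
}

# Constructed sample config, NOT the real linux-pine64 one.
sample_config() {
    cat <<'EOF'
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_FTP is not set
CONFIG_NF_NAT_FTP=m
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_SECURITY_APPARMOR is not set
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
echo "Missing kernel options:"
missing_options "$cfg"
apparmor_can_start "$cfg" "rw rootwait apparmor=1 security=apparmor quiet" ||
    echo "AppArmor not compiled in: boot parameters cannot enable it"
rm -f "$cfg"
```

On a device whose kernel was built with CONFIG_IKCONFIG_PROC, `zcat /proc/config.gz > running.config` produces the file to pass as the first argument.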