Enabling AppArmor on a Linode VPS in enforcement mode
Packages to install
The easy bit was to install a few packages:
apt install grub2 apparmor-profiles-extra apparmor-profiles apparmor
and then adding apparmor=1 security=apparmor to the kernel command line (GRUB_CMDLINE_LINUX) in /etc/default/grub.
Move away from using Linode's kernels
As mentioned in this blog post, I found out that these parameters are ignored by the Linode kernels.
I had to:
log in to the Linode Manager (i.e. https://cloud.linode.com/linodes/<linode ID>/configurations), click the relevant node, click "Edit" next to the configuration profile, and change the kernel to "GRUB 2".
Next I found out that grub doesn’t actually install itself properly because it can’t be installed directly on the virtual drives provided by Linode (KVM). Manually running this hack worked for me:
grub-install --grub-setup=/bin/true /dev/null
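After rebooting into the GRUB 2 configuration, it is worth confirming that the kernel really received the parameters, since a provider-supplied kernel ignores them. The following check is an added example, not part of the original post; the function names and the --live switch are hypothetical, and the file paths are passed as arguments so the logic can be tried on constructed files.

```shell
#!/bin/sh
# Added example: post-reboot check that AppArmor is the active LSM.
# Function names are illustrative; paths are arguments so the
# functions can also be run against constructed sample files.

# has_param FILE PARAM -> 0 if PARAM is a whole word on the kernel cmdline
has_param() {
    tr -s ' ' '\n' < "$1" | grep -qxF -- "$2"
}

# apparmor_state CMDLINE_FILE ENABLED_FILE -> prints one of:
#   active           both parameters present and the module reports "Y"
#   params-missing   the boot loader settings never reached the kernel
#   module-disabled  parameters present, but AppArmor is not enabled
apparmor_state() {
    cmdline=$1
    enabled=$2
    if ! has_param "$cmdline" apparmor=1 ||
       ! has_param "$cmdline" security=apparmor; then
        echo params-missing
        return 1
    fi
    if [ ! -r "$enabled" ] || [ "$(cat "$enabled")" != "Y" ]; then
        echo module-disabled
        return 1
    fi
    echo active
}

# enforced_profiles PROFILES_FILE -> number of loaded profiles in enforce mode
# (each line of the kernel's profile list ends in "(enforce)" or "(complain)")
enforced_profiles() {
    grep -c ' (enforce)$' "$1" || true
}

# Run against the live system only when asked to (reading the profile
# list requires root).
if [ "${1:-}" = "--live" ]; then
    apparmor_state /proc/cmdline /sys/module/apparmor/parameters/enabled
    echo "enforced profiles: $(enforced_profiles /sys/kernel/security/apparmor/profiles)"
fi
```

A result of params-missing after editing /etc/default/grub means the instance is still booting a kernel that does not read the GRUB configuration.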
Unbound + Let’s Encrypt fix
Finally, my local Unbound installation stopped working because it couldn’t access the Let’s Encrypt certificates anymore.
The solution to this was pretty straightforward. All I needed to do was to add the following to /etc/apparmor.d/local/usr.sbin.unbound: