AppArmor kernel patches for 5.x kernels

I’m trying to get strict confinement working using the latest Debian bullseye kernel (5.8.7) under WSL 2. I’ve been looking for the additional kernel patches snapd/AppArmor wants, but the latest version I can find (in this case, shipped with AppArmor) are for kernel 4.8, which obviously won’t patch against 5.8.7.

Do we still need these with 5.x kernels? If not, have they just not been made yet?

The patches should be available for the recent Ubuntu kernels, in Ubuntu 20.04 5.4.0 is available.

You want three additional commits for 5.4 right now:

In the order I posted them …
It might be that one or both of the first ones are not needed with 5.8 anymore … to apply them, put them in a “patches” dir in your source tree and add something like:

    override-pull: |
      # run the default pull step first so the kernel source is checked out
      snapcraftctl pull
      # abort the build if any of the patch steps below fails
      set -e
      echo "applying required snappy configs"
      # plain diff: apply it to the working tree
      git apply -v $SNAPCRAFT_PROJECT_DIR/patches/ubuntu-core-configs.patch

      echo "applying apparmor patches"
      # mailbox-format commits: apply them in order as proper git commits
      git am $SNAPCRAFT_PROJECT_DIR/patches/apparmor/*
      ...

… to your snapcraft.yaml

4 Likes

Thanks muchly, that worked perfectly!

1 Like

What “features” do we lose without those patches? I ask because if a hardware provider does not support the latest kernel, we need to know whether running snapd is still feasible for us from a security standpoint.

In an ideal world, every hardware provider would officially support Ubuntu Core, but I guess we are not there yet. I do hope that the recent partnership between Canonical and NVIDIA yields some great results soon.

1 Like

I’d rather leave it to the security team to answer this one; they are obviously about network socket mediation though …

I gave a recent status update here: Snapd STILL requires out-of-tree apparmor patches for strict confinement.

3 Likes
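One practical way to answer the “what do we lose” question for a given kernel is to look at what the kernel actually advertises under the AppArmor securityfs `features` directory and compare it with the feature names you expect. The script below is an added example, not code from this thread or from snapd; the default sysfs path and the feature names used in the usage line (`file`, `network`, `dbus`) are assumptions chosen for illustration, so adjust the wanted list to the features your policy depends on.

```shell
#!/bin/sh
# Added example (not from the thread): list the AppArmor feature directories a
# kernel exposes and report which of a wanted set are absent. The default path
# and the feature names passed in are assumptions for illustration.

# Print the feature names (one per line) found in a features directory.
# Default location on a live system: /sys/kernel/security/apparmor/features
list_apparmor_features() {
    dir="${1:-/sys/kernel/security/apparmor/features}"
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue   # skip the unexpanded glob on an empty dir
        basename "$entry"
    done
}

# Usage: missing_apparmor_features <features-dir> "<name> <name> ..."
# Prints each wanted feature that is not present.
# Exit status: 0 = all present, 1 = something missing, 2 = no features dir.
missing_apparmor_features() {
    dir="$1"
    wanted="$2"
    present=$(list_apparmor_features "$dir") || {
        echo "no AppArmor features directory at $dir" >&2
        return 2
    }
    status=0
    for f in $wanted; do
        if ! printf '%s\n' "$present" | grep -qx "$f"; then
            echo "$f"
            status=1
        fi
    done
    return $status
}

# Usage on a live system (path and wanted list are assumptions; errors are
# tolerated so the script can also be sourced on hosts without AppArmor):
missing_apparmor_features "${APPARMOR_FEATURES_DIR:-/sys/kernel/security/apparmor/features}" \
    "${APPARMOR_WANTED:-file network dbus}" || true
```

On a snapd host the result can be cross-checked against `snap debug sandbox-features`, which prints the confinement features snapd itself detected; a feature missing from the kernel’s `features` directory is one snapd cannot mediate, regardless of what the profiles request.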