AppArmor patches for 5.10.x kernels


I’d like to know what the current state is around the kernel patches for AppArmor, etc to be supported in Ubuntu Core.

I have recently built a kernel/image for a Pi Zero 2W, but not sure what else is required to get AppArmor working.


My .config on the kernel compiled (AppArmor):


Any help? I would like to have full confinement on this.

I used the latest kernel ‘master’ branch from the Raspbery Pi Foundation’s Github page:

there are infos about the patches at

the last post in that thread links to another, more detailed post …

here is a 5.1 rpi-foundation kernel snap that i once built (i switched to the ubuntu kernel source with the next commit, but it should show you how to add/apply the patches and required configs in a snap context)

You could use the Pi kernel from Ubuntu which should include the necessary AppArmor patches and then add any custom patches on top.

I know that there has been many kernel repos/sources (still there is?), not sure which one to use.

I am not sure if there’s any gadget/kernel support for the new Pi Zero 2W with Ubuntu’s kernel yet, hence I built my own gadget/kernel to boot this board, to see how it would run on it.

I have another CM4 board that needs some AppArmor patches (running a out-of-tree patched kernel to support RS-485).

I am busy compiling the new patched kernel, albeit with some small changes to the patch itself. I will post a 5.10.x compatible? AppArmor patch soon.

cc @waveform is probably best informed of the current status.

Hello, thanks for the links and patches. However, after patching the foundation kernel, it still does not want to start apparmor?

I think the security team can have a look at this and give pointers?


I think I found the problem, I have enabled apparmor at-last.

I have added “lsm=apparmor apparmor=1” to cmdline.txt.

I know it is a dirty hack, but then I know I don’t have to use the Ubuntu-kernel necessarily.

snap debug confinement reports “strict”, happy days.

And with that, here is a link to a 5.10.x compatible AppArmor patch for a custom kernel. (Includes the snappy patches too)

1 Like

You should be able to set that though CONFIG_LSM and CONFIG_SECURITY_APPARMOR in your kernel config.

Here is another link to the same files:

Should anything happen to the other Git repo, this one is still valid, I hope.