I’d like to know what the current state is around the kernel patches for AppArmor, etc to be supported in Ubuntu Core.
I have recently built a kernel/image for a Pi Zero 2W, but not sure what else is required to get AppArmor working.
My .config on the kernel compiled (AppArmor):
I would like to have full confinement on this.
I used the latest kernel ‘master’ branch from the Raspberry Pi Foundation’s Github page:
There is info about the patches at
I’m trying to get strict confinement working using the latest Debian bullseye kernel (5.8.7) under WSL 2. I’ve been looking for the additional kernel patches snapd/AppArmor wants, but the latest version I can find (in this case, shipped with AppArmor) are for kernel 4.8, which obviously won’t patch against 5.8.7.
Do we still need these with 5.x kernels? If not, have they just not been made yet?
the last post in that thread links to another, more detailed post …
Here is a 5.1 rpi-foundation kernel snap that I once built (I switched to the ubuntu kernel source with the next commit, but it should show you how to add/apply the patches and required configs in a snap context)
You could use the Pi kernel from Ubuntu which should include the necessary AppArmor patches and then add any custom patches on top.
I know that there have been many kernel repos/sources (are there still?), not sure which one to use.
I am not sure if there’s any gadget/kernel support for the new Pi Zero 2W with Ubuntu’s kernel yet, hence I built my own gadget/kernel to boot this board, to see how it would run on it.
I have another CM4 board that needs some AppArmor patches (running an out-of-tree patched kernel to support RS-485).
I am busy compiling the new patched kernel, albeit with some small changes to the patch itself.
I will post a 5.10.x-compatible(?) AppArmor patch soon.
@waveform is probably best informed of the current status.
Hello, thanks for the links and patches.
However, after patching the foundation kernel, it still does not want to start apparmor?
I think the security team can have a look at this and give pointers?
I think I found the problem, I have enabled apparmor at last.
I have added “lsm=apparmor apparmor=1” to cmdline.txt.
I know it is a dirty hack, but then I know I don’t have to use the Ubuntu-kernel necessarily.
snap debug confinement reports “strict”, happy days.
And with that, here is a link to a 5.10.x-compatible AppArmor patch for a custom kernel. (Includes the snappy patches too)
You should be able to set that through CONFIG_SECURITY_APPARMOR in your kernel config.
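The two fixes the thread arrives at (the kernel must be built with CONFIG_SECURITY_APPARMOR=y, and on a 5.x kernel AppArmor must also be in the active LSM list, which is why `lsm=apparmor apparmor=1` in cmdline.txt made `snap debug confinement` report strict) can be checked before booting a custom image. The script below is an added example, not code from the thread or from any Ubuntu/snapd project; the config and cmdline strings it inspects are constructed samples, and the rule it encodes is the stock kernel behaviour that an `lsm=` parameter overrides the compiled-in CONFIG_LSM order:

```sh
#!/bin/sh
# Added example (not from the thread): pre-boot checks for the two things the
# posts above point at, CONFIG_SECURITY_APPARMOR in the kernel .config and
# "lsm=apparmor apparmor=1" on the kernel command line. The kernel only
# initialises AppArmor when it is compiled in AND appears in the active LSM
# list, which is CONFIG_LSM unless the cmdline carries an lsm= override.
# All inputs below are constructed samples, not captured from a real board.

SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_LSM="landlock,lockdown,yama,integrity"'

SAMPLE_CONFIG_NO_AA='CONFIG_SECURITY=y
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_LSM="landlock,lockdown,yama,integrity"'

SAMPLE_CMDLINE_BAD='console=serial0,115200 root=LABEL=writable rootwait'
SAMPLE_CMDLINE_GOOD='console=serial0,115200 root=LABEL=writable lsm=apparmor apparmor=1 rootwait'

# effective_lsm_list CONFIG_TEXT CMDLINE
# Prints the LSM list the kernel will use: lsm= from the cmdline wins,
# otherwise the compiled-in CONFIG_LSM default.
effective_lsm_list() {
  _cfg=$1
  _override=""
  for _tok in $2; do
    case "$_tok" in
      lsm=*) _override=${_tok#lsm=} ;;
    esac
  done
  if [ -n "$_override" ]; then
    printf '%s\n' "$_override"
  else
    printf '%s\n' "$_cfg" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p'
  fi
}

# apparmor_verdict CONFIG_TEXT CMDLINE
# Prints "enabled" when every condition holds, otherwise "disabled: <reason>"
# naming the fix. Exit status mirrors the verdict (0 = enabled).
apparmor_verdict() {
  if ! printf '%s\n' "$1" | grep -qx 'CONFIG_SECURITY_APPARMOR=y'; then
    echo "disabled: CONFIG_SECURITY_APPARMOR is not =y; enable it and rebuild"
    return 1
  fi
  _aa=1                       # apparmor= defaults to enabled when built in
  for _tok in $2; do
    case "$_tok" in
      apparmor=*) _aa=${_tok#apparmor=} ;;
    esac
  done
  if [ "$_aa" = "0" ]; then
    echo "disabled: apparmor=0 on the kernel command line"
    return 1
  fi
  _list=$(effective_lsm_list "$1" "$2")
  case ",$_list," in
    *,apparmor,*)
      echo "enabled"
      return 0 ;;
  esac
  echo "disabled: apparmor not in active LSM list '$_list'; add lsm=apparmor apparmor=1 to cmdline.txt or put it in CONFIG_LSM"
  return 1
}

# Demonstration on the constructed samples; on a real board you would pass
# "$(cat /proc/cmdline)" and the kernel's .config text instead.
apparmor_verdict "$SAMPLE_CONFIG"       "$SAMPLE_CMDLINE_BAD"  || true
apparmor_verdict "$SAMPLE_CONFIG"       "$SAMPLE_CMDLINE_GOOD" || true
apparmor_verdict "$SAMPLE_CONFIG_NO_AA" "$SAMPLE_CMDLINE_GOOD" || true
```

The first call reproduces the thread's situation: AppArmor compiled in, but absent from CONFIG_LSM and no `lsm=` override, so the kernel never starts it and snapd falls back to partial confinement; the second call shows the cmdline fix taking effect. Kernels older than 5.1 do not honour `lsm=` and instead select the single major LSM through `security=` / CONFIG_DEFAULT_SECURITY_APPARMOR, so this check applies to the 5.x kernels discussed here. Once the board boots, `snap debug confinement` remains the authoritative runtime check.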
Here is another link to the same files:
Should anything happen to the other Git repo, this one is still valid, I hope.