It would be helpful for someone (@zyga-snapd?) to document the required kernel bits/configuration to support full strict confinement when we need to run a mainline kernel.
For example, on my Surface Book I use the kernel build documented at https://github.com/jakeday/linux-surface which means my box isn’t capable of supporting strict confinement currently. I would like to know what I need to change in the build there to get it to a state that fully supports snaps.
This caused us a bit of trouble at the Montreal Snapcraft Summit where I was testing a snap we built that was working for me but not for the author. This was because my box wasn’t strictly confining the snap.
Also, here is a patch I'm typically using in my kernel snap builds to set the various config snippets (containers, security, snappy, systemd configs). These are relatively recent and work fine (at least snap debug sandbox-features reports proper strict confinement and I haven't seen any issues with it yet).
I think the main issue is the config at the GitHub link I posted is setting CONFIG_DEFAULT_SECURITY_SELINUX=y instead of CONFIG_DEFAULT_SECURITY_APPARMOR=y
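As an added illustration (not a snapd tool and not the patch mentioned above), here is a small POSIX shell checker that reads a kernel .config and reports which confinement-relevant options are missing, including the exact mistake identified in this thread: CONFIG_DEFAULT_SECURITY_SELINUX=y where snapd expects CONFIG_DEFAULT_SECURITY_APPARMOR=y. The option list is an assumption (a representative set, not snapd's authoritative one), and the two sample configs are constructed inline, not taken from the linux-surface repository.

```shell
#!/bin/sh
# Added example: check a kernel .config for the options snapd needs for
# strict confinement. Not part of snapd; the option list below is an
# assumption (representative, not authoritative).

# Options the thread singles out (AppArmor as default LSM) plus the usual
# seccomp/squashfs/cgroup/namespace prerequisites.
SNAP_REQUIRED_OPTS="CONFIG_SECURITY_APPARMOR CONFIG_DEFAULT_SECURITY_APPARMOR CONFIG_SECCOMP CONFIG_SECCOMP_FILTER CONFIG_SQUASHFS CONFIG_CGROUPS CONFIG_NAMESPACES"

# Print the state of one CONFIG_ symbol in a config file:
# "y", "m", "n" (written as "# CONFIG_FOO is not set") or "unset" if absent.
config_value() {
    file="$1"; sym="$2"
    if grep -q "^${sym}=y$" "$file"; then echo y
    elif grep -q "^${sym}=m$" "$file"; then echo m
    elif grep -q "^# ${sym} is not set$" "$file"; then echo n
    else echo unset
    fi
}

# Return 0 when every required option is built in (=y), 1 otherwise.
# Prints one "missing:" line per option so the kernel builder knows what to flip,
# and a hint when SELinux rather than AppArmor was chosen as the default LSM.
check_snap_kernel_config() {
    file="$1"; rc=0
    for sym in $SNAP_REQUIRED_OPTS; do
        v=$(config_value "$file" "$sym")
        if [ "$v" != y ]; then
            echo "missing: $sym (found: $v)"
            rc=1
        fi
    done
    if [ "$(config_value "$file" CONFIG_DEFAULT_SECURITY_SELINUX)" = y ]; then
        echo "hint: CONFIG_DEFAULT_SECURITY_SELINUX=y; snapd expects CONFIG_DEFAULT_SECURITY_APPARMOR=y"
    fi
    return $rc
}

# Constructed sample config (not a real kernel's .config) reproducing the
# mistake discussed in the thread: SELinux selected as the default LSM.
SAMPLE_BAD=$(mktemp)
cat >"$SAMPLE_BAD" <<'EOF'
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SQUASHFS=y
CONFIG_CGROUPS=y
CONFIG_NAMESPACES=y
EOF

# The same constructed config with AppArmor as the default LSM instead.
SAMPLE_GOOD=$(mktemp)
sed -e 's/^CONFIG_DEFAULT_SECURITY_SELINUX=y$/# CONFIG_DEFAULT_SECURITY_SELINUX is not set/' \
    -e 's/^# CONFIG_DEFAULT_SECURITY_APPARMOR is not set$/CONFIG_DEFAULT_SECURITY_APPARMOR=y/' \
    "$SAMPLE_BAD" >"$SAMPLE_GOOD"

# Stand-alone demonstration: the first call reports the missing option and
# prints the hint, the second passes silently.
check_snap_kernel_config "$SAMPLE_BAD" || echo "bad config rejected (expected)"
check_snap_kernel_config "$SAMPLE_GOOD" && echo "good config accepted"
```

On a running machine point it at /boot/config-$(uname -r) (or at the output of zcat /proc/config.gz if the kernel exposes it), then compare with what snap debug sandbox-features reports, since snapd decides confinement from what the kernel actually exposes rather than from the build config. One caveat, stated as an assumption about newer kernels: from roughly Linux 5.1 the default LSM ordering is expressed with CONFIG_LSM="..." rather than a single CONFIG_DEFAULT_SECURITY_* symbol, so on such a kernel the check above should also confirm that "apparmor" appears in CONFIG_LSM.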