I understand that Jamie is no longer working with Canonical. So could anyone from the Snapd or Ubuntu Security team please clarify an update on the plan proposed by Jamie there?
We currently patch the Linux kernel with these 3 patches in our snapd Yocto recipe, I am wondering when can we drop those.
The progress of vendoring apparmor into snapd can be seen in https://github.com/snapcore/snapd/pull/9939 - this is pretty close but for now we are only targeting the snap build of snapd for this to avoid making too much work for downstream distributors of snapd etc.
The upstreaming of AF_UNIX is still ongoing - regarding those 3 patches, is the first one strictly required? It looks more like utility functions being added and I can’t see those being referenced by the other 2 so I suspect this may be able to be dropped. The second one is only needed if you are using apparmor 2.x in userspace - if you are using apparmor 3 then that should also be able to be dropped. This then leaves only the third one which adds the actual AF_UNIX support - this is still needed for now.
The changes to vendor apparmor into snapd have been merged but subsequently reverted twice now - unfortunately the complexity involved here is larger than initially realised - so that is still ongoing, but I hope to have another stab at it again in the near future.
As far as getting the various AppArmor kernel features merged upstream, that work is still ongoing as well. With any luck both should hopefully happen within the first few months of this year.
Yes, as of snapd 2.60, the snapd snap has its own apparmor_parser and associated config etc. and will use this in preference to the system installed one.
You can check this yourself by running snap debug sandbox-features and looking for the attribute parser:snapd-internal under the apparmor section.
Does this mean that distros shipping snapd 6.20+ should be able to support strict confinement with the default kernel? Or is there any extra config that must be done first?
(I meant 2.60+, ahah)
I decided to go and test this on a fresh Pop!_OS installation by installing snapd through the apt repos and subsequently installing snapd from the Snap Store, to get the latest version.
The good news is that parser:snapd-internal does indeed appear. The bad news is that support-level:partial is still reported, with strict missing from confinement-options.
Unfortunately, I’m not extremely familiar with the inner workings of snapd, so if I may ask, what more might need to be done to ensure strict confinement is available on non-Ubuntu distros like Pop!_OS and openSUSE Tumbleweed?
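The check described above (looking for parser:snapd-internal, support-level and strict in the output of snap debug sandbox-features) can be scripted. This is an added example, not code from the thread or from snapd; the "key: values" line layout of the command's output is assumed, and the sample output embedded here is constructed so it runs offline.

```shell
#!/bin/sh
# Added example: parse `snap debug sandbox-features` output and report
# whether strict confinement is offered. SAMPLE_FEATURES is constructed to
# resemble a distro with a mainline kernel and snapd 2.60+; replace it with
# the real output:  FEATURES=$(snap debug sandbox-features)
SAMPLE_FEATURES='apparmor:             kernel:caps kernel:dbus kernel:file kernel:network_v8 parser:snapd-internal policy:default support-level:partial
confinement-options:  classic devmode
dbus:                 mediated-bus-access
seccomp:              bpf-actlog bpf-argument-filtering'

# get_section NAME INPUT -> the space-separated feature list of that section
get_section() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# has_feature SECTION FEATURE INPUT -> status 0 if FEATURE is listed in SECTION
has_feature() {
    for f in $(get_section "$1" "$3"); do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# strict_available INPUT -> status 0 when "strict" is a confinement option
strict_available() {
    has_feature confinement-options strict "$1"
}

# report INPUT -> prints a summary; status is that of strict_available
report() {
    input="$1"
    if has_feature apparmor parser:snapd-internal "$input"; then
        echo "apparmor parser: snapd-internal (userspace shipped in the snapd snap)"
    else
        echo "apparmor parser: system apparmor_parser"
    fi
    level=$(get_section apparmor "$input" | tr ' ' '\n' | sed -n 's/^support-level://p')
    echo "apparmor support-level: ${level:-unknown}"
    if strict_available "$input"; then
        echo "strict confinement: available"
        return 0
    fi
    echo "strict confinement: NOT available (kernel lacks required AppArmor features)"
    return 1
}

# Non-zero status from report means strict is missing; do not abort the script on it.
report "$SAMPLE_FEATURES" || true
```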
The internal parser means that snapd uses the apparmor parser shipped with snapd, which brings all necessary apparmor userspace.
Debian bookworm also only has partial support with a 6.4 kernel.
The info I have from the implementers is that only socket mediation is missing in the mainline kernel.
Getting the Ubuntu source via apt source linux and grepping through it, it is still in the Ubuntu diff and not in the mainline source.
Side note: dbus mediation was said to require AF_UNIX mediation. But that dbus mediation has been listed in sandbox-features ‘dbus: mediated-bus-access’ for a while. I guess they found a way to do mediation without AF_UNIX support (or it is partial?).
One can compile their own kernel with the patch, but caveat emptor and I do not know how to do that in a well maintainable way (auto-patching/compiling new kernels) without needing a lot of infrastructure (own apt repositories, a CI/pipeline for compiling and publishing the modified kernel).
The patches were maintained in apparmor-kernel. As @jdstrand left Canonical I am not sure who is carrying the torch for this topic. @jjohansen is working on LSM stacking, but from my outside view does not seem currently to be involved in AF_UNIX mediation topics.
It certainly would be good to know if anybody is actually working on this or if there are usable workarounds.
I started this topic three years ago, and we’re still in the same boat that if people want to or need to use strict confinement, or provide strict confinement of snaps within their distros, then the distro or the user needs to have a non-upstream kernel or have manually patched it themselves.
It is really disappointing to me to see that we still need to use a modified kernel to support the snap ecosystem properly.
It is being worked on. A new version of the af_unix patches revised to solve the problems with upstreaming them should land in one of either the 6.7 or 6.8 kernels.
Yep, still sad to see that we are still in the same boat.
I still patch my own kernels to have proper support for snapd, but is there any out-of-tree kernel patches available for 5.16.x and newer?
Currently, I am still on 5.10.y or 5.15.y with Ubuntu Core 20 on my gateways, and would love to run a recent ‘mainline’ kernel (whatever the latest kernel version is, 6.5?) with proper snapd support.
Quick question, I have a 6.1 imx kernel that I want to patch for full confinement, are there any AppArmor patches required for it to have full ‘strict’ confinement, could someone point me in the right direction?
My knowledge of C is not so polished, much less to port over the AF_UNIX patches from 5.15 to 6.1…
I know this is not the answer you are looking for but I will be working on updating yocto meta-layers and I plan to get the currently supported versions of Yocto (and the kernels used by default) to work. I know IMX has separate meta-layers but it might come out as a part of that.
Or, one could probably look at the 6.1 Ubuntu kernel sources and try to make a diff patch for the kernel to be patched…
Just a brainwave I had last night.
I already have some 5.15 and 5.10 patches for mainline? kernels. I cannot promise that I will make a 6.1.y patchset for full snapd confinement support (that includes AF_UNIX for AppArmor) and if I do so, I will make a new post on the forum, linking my patchset for everyone to use.