Snapd STILL requires out-of-tree apparmor patches for strict confinement

@jjohansen manages all of the upstream kernel work - I am not sure if the git branches are all up to date but you can take a look at https://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git/log/?h=apparmor-next which is where the most recent/pending upstream pull-request will be staged. Also the request to Linus is usually CC’d to the linux-security-module mailing list - https://lore.kernel.org/linux-security-module/ - ie. https://lore.kernel.org/linux-security-module/167105671974.22509.5991919513100894698.pr-tracker-bot@kernel.org/T/#m3f7509e4abe670bc496f6cb2e4ea416a0ae5f659

1 Like

This is coming in snapd 2.60, isn’t it?

2 Likes

Yes, as of snapd 2.60, the snapd snap has its own apparmor_parser and associated config etc. and will use this in preference to the system-installed one.

You can check this yourself by running snap debug sandbox-features and looking for the attribute parser:snapd-internal under the apparmor section.

[amurray:~] $ snap version
snap    2.60.1
snapd   2.60.1
series  16
ubuntu  23.04
kernel  6.2.0-24-generic
[amurray:~] $ snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:ipc kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:mqueue parser:qipcrtr-socket parser:snapd-internal parser:unsafe parser:userns parser:xdp policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 tagging
2 Likes

Does this mean that distros shipping snapd 6.20+ should be able to support strict confinement with the default kernel? Or is there any extra config that must be done first?

(I meant 2.60+, ahah) I decided to go and test this on a fresh Pop!_OS installation by installing snapd through the apt repos and subsequently installing snapd from the Snap Store, to get the latest version.

Here are the results:

test@pop-os:~$ snap version
snap    2.60.3
snapd   2.60.3
series  16
pop     22.04
kernel  6.5.4-76060504-generic
test@pop-os:~$ snap debug sandbox-features
apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:mqueue parser:qipcrtr-socket parser:snapd-internal parser:unsafe parser:userns parser:xdp policy:default support-level:partial
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 tagging

The good news is that parser:snapd-internal does indeed appear. The bad news is that support-level:partial is still reported, with strict missing from confinement-options.

Unfortunately, I’m not extremely familiar with the inner workings of snapd, so if I may ask, what more might need to be done to ensure strict confinement is available on non-Ubuntu distros like Pop!_OS and openSUSE Tumbleweed?

The internal parser means that snapd uses the apparmor parser shipped with snapd, which brings all necessary apparmor userspace. Debian bookworm also has only partial support with a 6.4 kernel.

The info I have from the implementers is that only socket mediation is missing in the mainline kernel.

Getting the Ubuntu source via apt source linux and grepping through it, it is still in the Ubuntu diff and not in the mainline source.

root@t--23-10:~/linux-source# grep -i AF_UNIX linux_6.5.0-7.7.diff  | grep mediation
+    - SAUCE: apparmor4.0.0 [06/76]: af_unix mediation

Side note: dbus mediation was said to require AF_UNIX mediation. But dbus mediation has been listed in sandbox-features (‘dbus: mediated-bus-access’) for a while. I guess they found a way to do mediation without AF_UNIX support (or it is partial?).

One can compile their own kernel with the patch, but caveat emptor, and I do not know how to do that in a well-maintainable way (auto-patching/compiling new kernels) without needing a lot of infrastructure (own apt repositories, a CI pipeline for compiling and publishing the modified kernel).

The patches were maintained in apparmor-kernel. As @jdstrand left canonical I am not sure who is carrying the torch for this topic. @jjohansen is working on LSM stacking, but from my outside view does not seem currently to be involved in AF_UNIX mediation topics.

It certainly would be good to know if anybody is actually working on this or if there are usable workarounds.

1 Like

I started this topic three years ago, and we’re still in the same boat that if people want to or need to use strict confinement, or provide strict confinement of snaps within their distros, then the distro or the user needs to have a non-upstream kernel or have manually patched it themselves.

It is really disappointing to me to see that we still need to use a modified kernel to support the snap ecosystem properly.

6 Likes

It is being worked on. A new version of the af_unix patches revised to solve the problems with upstreaming them should land in one of either the 6.7 or 6.8 kernels.

4 Likes

Yep, still sad to see that we are still in the same boat.

I still patch my own kernels to have proper support for snapd, but is there any out-of-tree kernel patches available for 5.16.x and newer?

Currently, I am still on 5.10.y or 5.15.y with Ubuntu Core 20 on my gateways, and would love to run a recent ‘mainline’ kernel (whatever the latest kernel version is, 6.5?) with proper snapd support.

I guess this didn’t land on 6.7 but, do you still think 6.8 might get it?

By the way, thanks for all the hard work!

2 Likes

Sorry to necro this thread…

Quick question: I have a 6.1 imx kernel that I want to patch for full confinement. Are there any AppArmor patches required for it to have full ‘strict’ confinement? Could someone point me in the right direction?

My knowledge of C is not so polished, much less to port over the AF_UNIX patches from 5.15 to 6.1…

Many thanks.

I know this is not the answer you are looking for, but I will be working on updating Yocto meta-layers and I plan to get the currently supported versions of Yocto (and the kernels used by default) to work. I know IMX has separate meta-layers, but it might come out as a part of that.

Or, one could probably look at the 6.1 Ubuntu kernel sources and try to make a diff patch for the kernel to be patched…

Just a brainwave I had last-night.

I already have some 5.15 and 5.10 patches for mainline? kernels. I cannot promise that I will make a 6.1.y patchset for full snapd confinement support (that includes AF_UNIX for AppArmor) and if I do so, I will make a new post on the forum, linking my patchset for everyone to use.

1 Like

The patches are broken out and apply mostly quite cleanly, since the changes are fairly isolated. Those are in Yocto meta-layer but also in several other places.

Thanks, as soon as I can get some time on my hands, I’ll have a look at the patches, use them as a reference for creating a 6.1.x mainline? patchset, and link those on my Github.

BR

This task slips down the week as I’m going to be busy with the snapd point release but I will update this post once I have something specific.

2 Likes

Good day.

I made an experimental 6.1.0 kernel patch, based on Canonical’s kernel sources.

You can find it on Github: https://github.com/RJvdBerg/UbuntuCore-kernelpatches

I hope this can help in getting your custom kernel(s) supported for Ubuntu Core.

NOTE: This has been done over the weekends, I cannot promise you that your kernel will compile successfully, but mine did, and it worked. YMMV.

4 Likes

Hi again! @jjohansen will this be included in kernel 6.9?

Thanks!

1 Like

I just wondered about the patch set in the Ubuntu kernel; it’s like 90 patches for apparmor. Is my assumption correct that you (@ruhan.vanderberg) only needed to apply the ~3 patches for AF_UNIX mediation, and the other patches in the Ubuntu kernel are for LSM stacking (and not necessary for strict snap confinement)?

And @pachulo no, AF_UNIX mediation did not go into 6.9 (and it does not seem to be going into 6.10 either) :(

2 Likes

Some good news from @jjohansen : Ask us anything about Ubuntu Kernels! - #179 by jjohansen - Kernel - Ubuntu Community Hub

3 Likes