Snapd STILL requires out-of-tree apparmor patches for strict confinement

It is being worked on. A new version of the af_unix patches revised to solve the problems with upstreaming them should land in one of either the 6.7 or 6.8 kernels.

4 Likes

Yep, still sad to see that we are still in the same boat.

I still patch my own kernels to have proper support for snapd, but is there any out-of-tree kernel patches available for 5.16.x and newer?

Currently, I am still on 5.10.y or 5.15.y with Ubuntu Core 20 on my gateways, and would love to run a recent ‘mainline’ kernel (whatever the latest kernel version is, 6.5?) with proper snapd support.

I guess this didn’t land in 6.7 but, do you still think 6.8 might get it?

By the way, thanks for all the hard work!

2 Likes

Sorry to necro this thread…

Quick question: I have a 6.1 imx kernel that I want to patch for full confinement. Are there any AppArmor patches required for it to have full ‘strict’ confinement? Could someone point me in the right direction?

My knowledge of C is not so polished, much less to port over the AF_UNIX patches from 5.15 to 6.1…

Many thanks.

I know this is not the answer you are looking for but I will be working on updating yocto meta-layers and I plan to get the currently supported versions of Yocto (and the kernels used by default) to work. I know IMX has separate meta-layers but it might come out as a part of that.

Or, one could probably look at the 6.1 Ubuntu kernel sources and try to make a diff patch for the kernel to be patched…

Just a brainwave I had last night.

I already have some 5.15 and 5.10 patches for mainline? kernels. I cannot promise that I will make a 6.1.y patchset for full snapd confinement support (that includes AF_UNIX for AppArmor) and if I do so, I will make a new post on the forum, linking my patchset for everyone to use.

1 Like

The patches are broken out and apply mostly quite cleanly, since the changes are fairly isolated. Those are in the Yocto meta-layer but also in several other places.

Thanks, as soon as I can get some time on my hands, I will have a look at the patches and use them as a reference for creating a 6.1.x mainline? patchset, and link those on my Github.

BR

This task slips down the week as I’m going to be busy with the snapd point release but I will update this post once I have something specific.

2 Likes

Good day.

I made an experimental 6.1.0 kernel patch, based on Canonical’s kernel sources.

You can find it on Github: https://github.com/RJvdBerg/UbuntuCore-kernelpatches

I hope this can help in getting your custom kernel(s) supported for Ubuntu Core.

NOTE: This has been done over the weekends, I cannot promise you that your kernel will compile successfully, but mine did, and it worked. YMMV.

4 Likes

Hi again! @jjohansen will this be included in kernel 6.9?

Thanks!

1 Like

I just wondered about the patch set in the Ubuntu kernel, it’s like 90 patches for AppArmor. Is my assumption correct that you (@ruhan.vanderberg) only needed to apply the ~3 patches for AF_UNIX mediation and the other patches in the Ubuntu kernel are for LSM stacking (and not necessary for strict snap confinement)?

And @pachulo no, AF_UNIX mediation did not go into 6.9 (and it does not seem to go into 6.10 either) :frowning:

2 Likes
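A quick way to tell whether a kernel you built actually carries the AF_UNIX mediation the posts above are discussing is to look at what AppArmor advertises in securityfs rather than at the source tree. The script below is an added example and is not from this thread, from snapd or from any of the linked patchsets. It assumes (not stated in the thread) that AppArmor exposes its feature set under `/sys/kernel/security/apparmor/features` and that a kernel with the AF_UNIX patches exposes an entry at `features/network/af_unix`; if your kernel lays it out differently, point the function at the right directory.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the running kernel's
# AppArmor exposes AF_UNIX mediation, which snapd needs for strict confinement.
#
# Assumption: features live under /sys/kernel/security/apparmor/features and
# af_unix mediation shows up as features/network/af_unix. The directory is a
# parameter so the check can be run against any feature tree (or a test copy).

# Usage: apparmor_af_unix_status [features-dir]
# Prints one word and returns: 0 "patched", 1 "unpatched", 2 "no-apparmor".
apparmor_af_unix_status() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    if [ ! -d "$features_dir" ]; then
        # securityfs not mounted, or AppArmor not built in / not the active LSM
        echo "no-apparmor"
        return 2
    fi
    if [ -e "$features_dir/network/af_unix" ]; then
        echo "patched"
        return 0
    fi
    echo "unpatched"
    return 1
}

# Usage: apparmor_feature_list [features-dir]
# Prints the top-level feature names, sorted, so two kernels (e.g. a mainline
# build and an Ubuntu build) can be diffed side by side.
apparmor_feature_list() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    [ -d "$features_dir" ] || return 1
    for entry in "$features_dir"/*; do
        [ -e "$entry" ] && basename "$entry"
    done | sort
}

# Run against the live kernel only when this file is executed under its own
# name; when sourced into another script nothing runs automatically.
if [ "${0##*/}" = "apparmor_af_unix_status.sh" ]; then
    apparmor_af_unix_status
    echo "--- advertised features ---"
    apparmor_feature_list
fi
```

Save it as `apparmor_af_unix_status.sh` and run it on the target board after booting the patched kernel; "unpatched" on a kernel you believe you patched usually means the patch did not reach the booted image, which is worth ruling out before debugging snap denials.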

Some good news from @jjohansen : Ask us anything about Ubuntu Kernels! - #179 by jjohansen - Kernel - Ubuntu Community Hub

3 Likes

Seems it did not make 6.12 either

dang :frowning:

what blocked it?