yeah once this lands, LSM stacking is the last missing piece to finally be “universal”
the most recent information that i can find on this is: https://lwn.net/Articles/919059
the discussed patchset seems to be merged by now: https://lkml.org/lkml/2023/10/26/1089
there is no sign yet of the “next step” afaict
The changes got pulled into linux-next; so guess it is available as 6.14-rc1
oh wow that’s sooner than expected, i was looking at this, https://www.reddit.com/r/Ubuntu/comments/zoz5qd/comment/m8866es , expecting it in 6.15
found this: it appears that it is not yet available in 6.14-rc2 but perhaps the next RC
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log/
A333
February 11, 2025, 12:27pm
43
Yes.
Stacking support is currently only mainlined for minor security modules (i.e. not AppArmor/SELinux).
I thought Fedora would support running their kernels with AppArmor instead of SELinux like RHEL does (AFAIK choosing the LSMs as a kernel parameter), but it seems Fedora does not. I think the kernel has to be built to allow for that. So, bummer. Maybe I’ll switch to Arch on that machine.
A333
February 11, 2025, 12:35pm
44
yes, the missing piece to be able to run confined snaps on SELinux systems. Not sure what works out of the box though. Snap vendors its own apparmor, so hopefully there is not much to do.
it's there since rc1; search for apparmor in the revision log;
it's this commit:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=26c200e28a322b308518cda764307c18d7df705d
That is the correct commit, however look at the date: February 10th
rc2 was cut out on February 9th: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?h=v6.14-rc2&id=a64dcfb451e254085a7daee5fe51bf22959d52d3
yes snapd vendors apparmor, the challenge is running apparmor on top of SELinux, this does not work currently as far as i know
A333
February 13, 2025, 11:27am
46
That is the date of the then-current linux-next, which Stephen Rothwell recreates several times a week. It’s not the date it was merged the first time into linux-next. The important part is that it is in linux-next at the time 6.14 gets released, and there is no indication that won’t happen
if that’s not enough for you, then here is Linus’s tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/
The RC2 tag on here is the same tag as the rc2 tag on the linux-next tree, so if it has been in since rc1, the commit should also be in this tree
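The check the thread is reasoning about by dates can be done directly with git: a commit is in a release candidate only if it is reachable from that tag. This is an added example, not code from the thread; it uses a constructed throwaway repository as a stand-in for linux-next, and the commented call at the end shows the same check against a real clone of Linus's tree with the commit id and tag quoted above (assumed clone path `~/src/linux`).

```shell
#!/bin/sh
# Added example: is <commit> reachable from <ref>? Uses `git merge-base --is-ancestor`,
# which exits 0 when the commit is an ancestor of the ref, instead of trusting the
# date shown on a linux-next commit page (linux-next is rebuilt several times a week).
commit_in_ref() {
    # usage: commit_in_ref <repo-dir> <commit> <ref>   -> 0 yes, 1 no, 2 commit unknown
    repo=$1; commit=$2; ref=$3
    if ! git -C "$repo" rev-parse --verify --quiet "$commit^{commit}" >/dev/null; then
        echo "unknown: $commit is not an object in $repo"
        return 2
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref"; then
        echo "yes: $commit is reachable from $ref"
        return 0
    fi
    echo "no: $commit is present but not reachable from $ref"
    return 1
}

# Constructed demo repository (not the kernel tree): a commit tagged as the rc2
# stand-in, then a later commit playing the role of the AppArmor change, tagged
# as a later linux-next snapshot that contains it.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "base: stand-in for v6.14-rc2 contents"
    git -C "$repo" tag v6.14-rc2
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "apparmor: stand-in for the LSM stacking commit"
    git -C "$repo" tag next-demo
    echo "$repo"
}

DEMO=$(make_demo_repo)
LATER=$(git -C "$DEMO" rev-parse HEAD)   # the "AppArmor" stand-in commit
commit_in_ref "$DEMO" "$LATER" v6.14-rc2 || true   # no: landed after the tag
commit_in_ref "$DEMO" "$LATER" next-demo           # yes: the snapshot contains it
# Against a real clone of Linus's tree the same check reads (assumed path):
# commit_in_ref ~/src/linux 26c200e28a322b308518cda764307c18d7df705d v6.14-rc2
```

A commit showing in the linux-next log is not the same as being in a tagged rc; the tag check in Linus's tree is what decides whether it ships with that release.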
yes this is the important part
Now i wonder if we can reach out to the solus people to get some positive PR
opened 09:19PM - 02 Sep 23 UTC
Priority: High
Type: Chore
The maintenance of the ([almost 60](https://github.com/solus-packages/linux-curr… ent/tree/master/files/apparmor)) AppArmor patches adds a significant maintenance burden for our kernels. These patches are only needed for strict confinement of Snaps.
To decrease the maintenance burden we should drop support for Snaps and move users over to Flatpak, seeing as 1) there is [little progress](https://forum.snapcraft.io/t/snapd-still-requires-out-of-tree-apparmor-patches-for-strict-confinement) on upstreaming the patches, 2) Flatpak seems to have won the battle for the desktop and 3) there is (in my opinion) no value in only supporting unconfined Snaps.
Note that Apparmor support will remain enabled in the kernel. Only the additional patches are removed.
Plan is as follows:
1. Create a plan (this issue) :heavy_check_mark: .
1. Enable the migration and improve the QoL around Flatpaks:
- #323
- #322
- https://github.com/solus-packages/flatpak/pull/1
- Enable flathub by default https://github.com/getsolus/packages/pull/3430
- Remove `snapd` from ISOs https://github.com/getsolus/packages/commit/d20ba5dcfd259054f1d69e9042ec8d7c56012bed
1. Create migration documentation
- <del>Initially in this issue</del>
- Followed by an article on the help center (https://github.com/getsolus/help-center-docs/pull/555).
1. Let staff and developers try the migration and gather feedback.
- Find issues in the migration documentation and fix them.
- Are there any packages that are missing? (https://github.com/getsolus/packages/issues/3282)
1. Two cut-off dates:
- On the sync after **2024-07-05** users can voluntarily switch while Snap is fully maintained. After this date the AppArmor patches will be dropped and snaps can only be used without strict confinement.
- After **2025-01-01** snap will be completely deprecated.
1. Communicate this to users via:
- Socials/Forum: https://discuss.getsol.us/d/10750-dropping-apparmor-kernel-patches/12
- Warning on the snap command: https://github.com/getsolus/packages/pull/3211
- Notification when running GUI snaps: https://github.com/getsolus/packages/pull/3211
Note that it isn’t the case that we’re dropping Snap support because we hate snaps, so we’ll gladly reverse on the deprecation decision if it turns out that no patches are needed for strict confinement (and things stay that way).
A333
February 13, 2025, 8:20pm
48
hm, yes it is not there. and the merge window is closed, so i am not sure it gets into 6.14 sigh
We should not tell the Solus people before it is released (definitely not before it is in Linus's tree); AFAIU they have nobody/not enough manpower to care about the kernel so it would not speed up anything even in the best case.
hmmm so it might be a 6.15 release after all
hmmm but given they did do the patches before, and apparently not knowing which patches were actually needed, they likely could take this smaller patch until 6.15
at least we could slow their snap deprecation down hehe
snap deprecation in solus has been delayed:
opened 09:19PM - 02 Sep 23 UTC
Priority: High
Type: Chore
The maintenance of the ([almost 60](https://github.com/solus-packages/linux-curr… ent/tree/master/files/apparmor)) AppArmor patches adds a significant maintenance burden for our kernels. These patches are only needed for strict confinement of Snaps.
To decrease the maintenance burden we should drop support for Snaps and move users over to Flatpak, seeing as 1) there is [little progress](https://forum.snapcraft.io/t/snapd-still-requires-out-of-tree-apparmor-patches-for-strict-confinement) on upstreaming the patches, 2) Flatpak seems to have won the battle for the desktop and 3) there is (in my opinion) no value in only supporting unconfined Snaps.
Note that Apparmor support will remain enabled in the kernel. Only the additional patches are removed.
Plan is as follows:
1. Create a plan (this issue) :heavy_check_mark:
1. Enable the migration and improve the QoL around Flatpaks: :heavy_check_mark:
- #323
- #322
- https://github.com/solus-packages/flatpak/pull/1
- Enable flathub by default https://github.com/getsolus/packages/pull/3430
- Remove `snapd` from ISOs https://github.com/getsolus/packages/commit/d20ba5dcfd259054f1d69e9042ec8d7c56012bed
1. Create migration documentation :heavy_check_mark:
- <del>Initially in this issue</del>
- Followed by an article on the help center (https://github.com/getsolus/help-center-docs/pull/555).
1. Let staff and developers try the migration and gather feedback. :heavy_check_mark:
- Find issues in the migration documentation and fix them.
- Are there any packages that are missing? (https://github.com/getsolus/packages/issues/3282)
1. Two cut-off dates:
- On the sync after **2024-07-05** users can voluntarily switch while Snap is fully maintained. After this date the AppArmor patches will be dropped and snaps can only be used without strict confinement. :heavy_check_mark:
- After ~~**2025-01-01**~~ **TBD** snap will be completely deprecated. **Update**: there is some progress on the upstream Apparmor patches, so we're holding off on deprecation for the time being.
1. Communicate this to users via:
- Socials/Forum: https://discuss.getsol.us/d/10750-dropping-apparmor-kernel-patches/12
- Warning on the snap command: https://github.com/getsolus/packages/pull/3211
- Notification when running GUI snaps: https://github.com/getsolus/packages/pull/3211
Though it appears they may need help to get it working with the upstream work