Yes.
Stacking support is currently only mainlined for minor security modules (i.e. not AppArmor/SELinux).
I thought Fedora would support running their kernels with AppArmor instead of SELinux like RHEL does (AFAIK choosing the LSMs as a kernel parameter), but it seems Fedora does not. I think the kernel has to be build to allow for that. So, bummer. Maybe I’ll switch to Arch on that machine.
yes, the missing peace to be able to run confined snaps on SELinux systems. Not sure what works out of the box though. Snap vendors its own apparmor, so hopefully there is not much to do.
its there since rc1; search for apparmor in the revision log;
its this commit:
That is the date of the then-current linux-next, which Stephen Rothwell recreates several times a week. It’s not the date it was merged the first time into linux-next. The important part it is in linux-next at the time 6.14 gets released and there is no indication that won’t happen
The RC2 tag on here is the same tag as the rc2 tag on the linux-next tree, so if it has been in since rc1, the commit should also be in this tree
yes this is the important part
Now i wonder if we can reach out to the solus people to get some positive PR
Note that it isn’t the case that we’re dropping Snap support because we hate snaps, so we’ll gladly reverse on the deprecation decision if it turns out that no patches are needed for strict confinement (and things stay that way).
hm, yes it is not there. and the merge window is closed, so i am not sure it gets into 6.14 sigh
We should not tell the Solus people before it is released (definitly not before it is in linus tree); AFAIU they have nobody/not enough manpower to care about the kernel so it would not speed up anything even in the best case.
hmmm but given they did do the patches before, and apparently not knowing which patches were actually needed, they likely could take this smaller patch until 6.15
at least we could slow their snap deprecation down hehe
Tho it appears they may need need help to get it working with the upstream work
We won’t really need help as long as everything actually makes it into upstream releases. Our patch sets for apparmor and snapd are fairly small and well-maintainable. We just need versions of those that actually result in strict confinement with a ‘vanilla’ Linux kernel.
oh hey good to see you here, i intentionally said “may”. My hope with the post is that a good collaboration will result in an actually working strict confinement with a vanilla Linux kernel.
it seems they are shaping up for a 4.1.0 release (release notes etc WIP…)
Development is currently very active.
The next major release will be 5.0 (its possible there will be a minor 4.2 before 5.0 releases). … The goal is to have betas out this fall, and a release by the start of the year.
with these upstream relevant changes marked as “implementations exist and are relatively close to landing, should likely land”:
upstream v9 af_unix mediation (this is in linux-next)
yes, every time Stephen Rothwell is publishing the current version of linux-next (i.e. doing a git rebase) the commit revision will change. So in average every two days.
The January commits are the “original patches”, the February changes are coming from the feedback via linux-next. Everybody is supposed to test against linux next to find integration issues before merging into the release branch.
git tags always mean one “immutable” revision; the revision changes on a rebase (but stays the same with a merge). I agree that merging the released kernel into linus-next should keep the revisions. But maybe they did not copy the tags over. I think i’ll have a look on command line. edit: I checked for 6.15 and the linus-next is lagging behind on tags; but history is as expected
else still waiting, nothing in 6.16 (and nothing in linus-next for 6.17)
There was some development on apparmor-next (unrelated to af_unix), this could mean that its getting more important to merge that branch into the kernel and some work on af_unix by amazon (which might mean some destabilization)