Snapd STILL requires out-of-tree apparmor patches for strict confinement

fuseteam · June 3, 2025, 11:50am

Hmmm dang the road is longer that even the maintainer expected, which we could find the discussion surrounding it

A333 · June 5, 2025, 10:47am

They seemed pretty close to releasing apparmor 4.1 two months ago (which would include the user space to use the kernel part); there is bug that network mediation did not work as expected for apparmor 4.1 from beta testing which might have delayed that(?). A completely uninformed guess: they want to first make sure that no changes to the kernel are necessary to fix this and hopefully after analyzing/fixing/QA they’ll send a PR to Linus.

fuseteam · June 5, 2025, 12:08pm

hmmm that an another good point, is there even an active PR we can follow or are we still in the baking phase

A333 · June 10, 2025, 9:09am

Not sure what to follow; there is movement for a 4.1.1 release on https://gitlab.com/apparmor/apparmor/-/tree/apparmor-4.1 ; edit: actually, the last revision got tagged v4.1.1, so i guess it is released(?)

And it seems 4.1.0 was actually released in april without me noticing Series 4.1 : AppArmor Also opensuse tumbleweed and leap seems to have adopted it. Also went into debian trixie.

I did not see an official release statement anywhere though.

fuseteam · June 10, 2025, 11:14am

I was about to comment on Apparmor 4.1.1 releasing, it passed by me through distrowatch. so yeah a bit at a lost where to see what’s up with the final pieces landing upstream aswell

om26er · June 10, 2025, 3:40pm

I am actually trying to figure out what patches I need for full snap confinement, Historically it has been the af_unix mediation and one other patch for v2 network compatibility. Now I am using Linux 6.15 and trying to understand what do I need to do to have full confinement.

snapd currently tells me

AppArmor status: apparmor is enabled but some kernel features are missing: network

A333 · June 10, 2025, 3:57pm

Just a guess: I think you need the current apparmor in user space (4.1 or 4.1.1); and I would simply take the whole apparmor-next revisions from the apparmor-kernel repo if cherry-picking does not suffice. The other way would be to look at the ubuntu sauce.

edit: 5.x → 4.x

om26er · June 10, 2025, 4:18pm

Do you mean 4.1?

I have tried 4.0.3 though that didnt help, will try 4.1.x

Historically we have needed only two patches for snap confinement and I would ideally prefer if we were able to checkin a smaller patch in our github repo instead of putting the whole diff from apparmor-next

A333 · June 10, 2025, 4:37pm

yes, AFAIU you need at least 4.1 to work with the af_unix kernel patches after the v9 ABI changes.

well I think that also should work.

I am probably the wrong person to comment, as i am only guessing.

James-Carroll · June 10, 2025, 6:13pm

Does snapd not bundle its own userspace apparmor components or am I wrong? I think I saw this in the patch notes a few months ago? Of course, that’s assuming that your in a re-exec environment as otherwise I’d assume using snapd as e.g., a pure .deb wouldn’t as it’s likely building against the distro’s.

AppArmor: update to latest 4.0.2 release

AppArmor: enable using ABI 4.0 from host parser

A333 · June 10, 2025, 9:18pm

yes, it does. If I remember correctly, I think one can also use the host apparmor though like before apparmor got vendored. If that is not possible, we need to wait for a newer snapd too. Edit1: couldnt find an appropiate config or switch for enabling the system apparmor. Also the snapd upcoming release/2.70 bundled apparmor version is 4.0.2

Or maybe the old patches still work for your use case - there were some compatibility issues. Would need to dig into the comments by jjohansen

edit2: here from the reddit link posted above

jrjohansen

• vor 5 Monaten

snapd is vendoring apparmor userspace, though it will need to move to a newer version to support what is working its way towards the upstream kernel.

Upstream kernel support is still missing, the patches have caused regressions on non-Ubuntu systems because policy was not updated for those systems but still claimed to support the rules. This has resulted in the patches being reworked some and moved behind a new abi. The patches are in apparmor-next, but they probably won’t land in 6.14, but should land in 6.15 assume no more major regressions are reported (this shouldn’t happen because of the abi bump).

snapd will have to vendor a new version of the apparmor userspace that supports the new abi, and also update its policy. This shouldn’t be an issue as the policy is compatible.

fuseteam · June 11, 2025, 12:16pm

hmmm so now apparmor 4.1 is released, we need to wait for snapd to vendor 4.1 and the patches to land upstream

Based on your error message i think we only need the v2 network compatibility patch but i may be too optimistic (and i can’t find a trace of when the af_unix patches landed if it did)

if i had to guess based on jjohansen’s comment the needed patches can be found around the 18th of jan: https://gitlab.com/apparmor/apparmor-kernel/-/commits/apparmor-next

It might be better to get in touch with the apparmor people, i’ve tried getting comment from jjohansen on reddit but haven’t received an reply yet. According to the gitlab:

Please send all complaints, feature requests, rants about the software, and questions to the AppArmor mailing list.

And JJohansen seems to be on that mailinglist aswell

A333 · June 11, 2025, 12:34pm

jjohansen stated that snapd needs to vendor a newer apparmor to be able to use the changed kernel patches currently in linux-next (AFAIU >= 4.1) (and maybe some policy updates?).

If 4.1 works with older kernels it should be possible to publish a snapd which vendors the current apparmor with it. Plucky base system comes already with 4.1

maybe @alexmurray can comment on the plans/discussion on snapd side or help om26er out in a different way?

YamiYukiSenpai · July 1, 2025, 5:01am

How do you get that output?

I recently switched to Garuda, and here’s what I got so far:

> snap debug sandbox-features 
apparmor:             kernel:caps kernel:domain kernel:domain:attach_conditions kernel:file kernel:io_uring kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:policy:permstable32:allow kernel:policy:permstable32:audit kernel:policy:permstable32:complain kernel:policy:permstable32:cond kernel:policy:permstable32:deny kernel:policy:permstable32:hide kernel:policy:permstable32:kill kernel:policy:permstable32:label kernel:policy:permstable32:prompt kernel:policy:permstable32:quiet kernel:policy:permstable32:subtree kernel:policy:permstable32:tag kernel:policy:permstable32:xindex kernel:policy:unconfined_restrictions kernel:policy:versions kernel:ptrace kernel:query kernel:query:label kernel:rlimit kernel:signal parser:allow-all parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:io-uring parser:mqueue parser:mqueue-posix parser:prompt parser:qipcrtr-socket parser:unconfined parser:unsafe parser:userns parser:xdp policy:default support-level:partial
configfiles:          mediated-configfiles
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
ldconfig:             mediated-ldconfig
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v2 device-filtering tagging

> snap debug confinement 
partial

> uname -a
Linux Y4M1-II 6.15.3-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Thu, 19 Jun 2025 14:41:01 +0000 x86_64 GNU/Linux

mborzecki1 · July 1, 2025, 6:35am

It’s in the journal log of snapd.