Hmmm dang, the road is longer than even the maintainer expected, which we could find in the discussion surrounding it.
They seemed pretty close to releasing apparmor 4.1 two months ago (which would include the user space to use the kernel part); there is a bug that network mediation did not work as expected for apparmor 4.1 from beta testing which might have delayed that(?). A completely uninformed guess: they want to first make sure that no changes to the kernel are necessary to fix this and hopefully after analyzing/fixing/QA they'll send a PR to Linus.
hmmm that's another good point, is there even an active PR we can follow or are we still in the baking phase?
Not sure what to follow; there is movement for a 4.1.1 release on https://gitlab.com/apparmor/apparmor/-/tree/apparmor-4.1 ; edit: actually, the last revision got tagged v4.1.1, so I guess it is released(?)
And it seems 4.1.0 was actually released in April without me noticing (Series 4.1 : AppArmor). Also openSUSE Tumbleweed and Leap seem to have adopted it. Also went into Debian trixie.
I did not see an official release statement anywhere though.
I was about to comment on AppArmor 4.1.1 releasing, it passed by me through DistroWatch. So yeah, a bit at a loss where to see what's up with the final pieces landing upstream as well.
I am actually trying to figure out what patches I need for full snap confinement. Historically it has been the af_unix mediation and one other patch for v2 network compatibility. Now I am using Linux 6.15 and trying to understand what I need to do to have full confinement.
snapd currently tells me:
AppArmor status: apparmor is enabled but some kernel features are missing: network
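As an added example (not code from the thread or from snapd), the following POSIX shell script looks at the same place snapd consults when it prints "some kernel features are missing: network": the per-feature directories under /sys/kernel/security/apparmor/features. The `network` and `network_v8` entry names are real AppArmor feature names; the constructed demo tree is an assumption standing in for a kernel without the network mediation patches, and the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Reports which AppArmor kernel features a running kernel exposes, by
# listing the entries of the features directory that snapd inspects.

# Print the feature names (one per line) found in an AppArmor features
# directory. Defaults to the live kernel's directory; another path can be
# passed (for example a constructed tree when testing).
apparmor_kernel_features() {
    dir="${1:-/sys/kernel/security/apparmor/features}"
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        basename "$entry"
    done
}

# Print the wanted feature names (remaining arguments) that are absent from
# the features directory given as the first argument. Exit status is 0 when
# nothing is missing and 1 otherwise, so it can be used in a conditional.
apparmor_missing_features() {
    dir="$1"; shift
    have="$(apparmor_kernel_features "$dir" 2>/dev/null)" || have=""
    missing=""
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qx -- "$want" || missing="$missing $want"
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed demo tree (assumption): a kernel that offers v8 network rules
# but lacks the "network" feature entry snapd asks for, so the check above
# reproduces the "missing: network" situation offline.
demo_features_tree() {
    tree="$(mktemp -d)"
    for f in caps domain file mount namespaces network_v8 policy ptrace rlimit signal; do
        mkdir -p "$tree/$f"
    done
    printf '%s\n' "$tree"
}

# Usage: run with --demo to check the constructed tree, or without
# arguments against the live kernel, e.g.
#   apparmor_missing_features /sys/kernel/security/apparmor/features network network_v8
if [ "${1:-}" = "--demo" ]; then
    tree="$(demo_features_tree)"
    echo "missing from demo tree: $(apparmor_missing_features "$tree" network network_v8 || true)"
    rm -rf "$tree"
fi
```

On a real system the live directory only exists when AppArmor is enabled and securityfs is mounted, which is why `apparmor_kernel_features` fails rather than reporting an empty list in that case.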
Just a guess: I think you need the current apparmor in user space (4.1 or 4.1.1); and I would simply take the whole apparmor-next revisions from the apparmor-kernel repo if cherry-picking does not suffice. The other way would be to look at the ubuntu sauce.
edit: 5.x → 4.x
Do you mean 4.1?
I have tried 4.0.3 though that didn't help, will try 4.1.x
Historically we have needed only two patches for snap confinement and I would ideally prefer if we were able to check in a smaller patch in our GitHub repo instead of putting the whole diff from apparmor-next.
yes, AFAIU you need at least 4.1 to work with the af_unix kernel patches after the v9 ABI changes.
well I think that also should work.
I am probably the wrong person to comment, as I am only guessing.
Does snapd not bundle its own userspace apparmor components or am I wrong? I think I saw this in the patch notes a few months ago? Of course, that's assuming that you're in a re-exec environment, as otherwise I'd assume using snapd as e.g. a pure .deb wouldn't, as it's likely building against the distro's.
- AppArmor: update to latest 4.0.2 release
- AppArmor: enable using ABI 4.0 from host parser
yes, it does. If I remember correctly, I think one can also use the host apparmor though, like before apparmor got vendored. If that is not possible, we need to wait for a newer snapd too. Edit1: couldn't find an appropriate config or switch for enabling the system apparmor. Also the upcoming snapd release/2.70 bundled apparmor version is 4.0.2.
Or maybe the old patches still work for your use case - there were some compatibility issues. Would need to dig into the comments by jjohansen
edit2: here from the reddit link posted above
hmmm so now apparmor 4.1 is released, we need to wait for snapd to vendor 4.1 and the patches to land upstream
Based on your error message I think we only need the v2 network compatibility patch but I may be too optimistic (and I can't find a trace of when the af_unix patches landed, if they did).
If I had to guess based on jjohansen's comment, the needed patches can be found around the 18th of Jan: https://gitlab.com/apparmor/apparmor-kernel/-/commits/apparmor-next
It might be better to get in touch with the apparmor people; I've tried getting comment from jjohansen on reddit but haven't received a reply yet. According to the gitlab:
Please send all complaints, feature requests, rants about the software, and questions to the AppArmor mailing list.
And jjohansen seems to be on that mailing list as well.
jjohansen stated that snapd needs to vendor a newer apparmor to be able to use the changed kernel patches currently in linux-next (AFAIU >= 4.1) (and maybe some policy updates?).
If 4.1 works with older kernels it should be possible to publish a snapd which vendors the current apparmor with it. Plucky base system comes already with 4.1
maybe @alexmurray can comment on the plans/discussion on snapd side or help om26er out in a different way?