Snapd STILL requires out-of-tree apparmor patches for strict confinement

Hmmm, dang, the road is longer than even the maintainer expected, as we could find in the discussion surrounding it.

They seemed pretty close to releasing AppArmor 4.1 two months ago (which would include the user space to use the kernel part); there is a bug where network mediation did not work as expected for AppArmor 4.1 in beta testing, which might have delayed that(?). A completely uninformed guess: they want to first make sure that no changes to the kernel are necessary to fix this, and hopefully after analyzing/fixing/QA they’ll send a PR to Linus.

Hmmm, that’s another good point: is there even an active PR we can follow, or are we still in the baking phase?

Not sure what to follow; there is movement for a 4.1.1 release on https://gitlab.com/apparmor/apparmor/-/tree/apparmor-4.1 ; edit: actually, the last revision got tagged v4.1.1, so I guess it is released(?)

And it seems 4.1.0 was actually released in April without me noticing: Series 4.1 : AppArmor. openSUSE Tumbleweed and Leap also seem to have adopted it. It also went into Debian trixie.

I did not see an official release statement anywhere though.

I was about to comment on AppArmor 4.1.1 releasing; it passed by me via DistroWatch. So yeah, I’m a bit at a loss as to where to see what’s up with the final pieces landing upstream as well.

I am actually trying to figure out what patches I need for full snap confinement. Historically it has been the af_unix mediation and one other patch for v2 network compatibility. Now I am using Linux 6.15 and trying to understand what I need to do to have full confinement.

snapd currently tells me

AppArmor status: apparmor is enabled but some kernel features are missing: network
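The snapd message above comes from probing the kernel's AppArmor feature tree under securityfs. The following shell script is an added example, not code from the thread, snapd or the AppArmor project: it lists which feature directories are present under /sys/kernel/security/apparmor/features (or any directory you pass via FEATURES_DIR), prints the policy ABI versions the kernel advertises, and builds a constructed copy of that tree for offline testing. The required-feature list and the reading that "missing: network" means the `network` entry is absent are assumptions for illustration; snapd's own source is the authority on what it checks.

```shell
#!/bin/sh
# Added example (not from the thread): inspect an AppArmor kernel features tree.
# The REQUIRED_FEATURES list is an assumption for illustration, not snapd's
# authoritative list.
set -eu

REQUIRED_FEATURES="caps dbus domain file mount namespaces network policy ptrace rlimit signal"

# aa_missing_features DIR: print the names from REQUIRED_FEATURES that have no
# entry under DIR (space separated). Exit status 0 if nothing is missing, 1 otherwise.
aa_missing_features() {
    dir="$1"
    missing=""
    for f in $REQUIRED_FEATURES; do
        if [ ! -e "$dir/$f" ]; then
            missing="${missing:+$missing }$f"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# aa_policy_versions DIR: print the policy ABI versions the kernel advertises,
# i.e. the entries under DIR/policy/versions (e.g. "v5 v9"), or an empty line.
aa_policy_versions() {
    dir="$1"
    if [ -d "$dir/policy/versions" ]; then
        ls "$dir/policy/versions" | tr '\n' ' ' | sed 's/ $//'
    fi
    echo
}

# make_fake_features DIR: construct (assumed, for offline testing) a features
# tree modelled on a kernel that lacks the out-of-tree "network" directory.
make_fake_features() {
    dir="$1"
    for f in caps dbus domain file mount namespaces policy ptrace rlimit signal; do
        mkdir -p "$dir/$f"
    done
    mkdir -p "$dir/network_v8" "$dir/policy/versions/v5" "$dir/policy/versions/v9"
}

# Stand-alone run: report on the real kernel tree if it is mounted.
FEATURES_DIR="${FEATURES_DIR:-/sys/kernel/security/apparmor/features}"
if [ -d "$FEATURES_DIR" ]; then
    printf 'policy ABI versions: %s\n' "$(aa_policy_versions "$FEATURES_DIR")"
    if miss=$(aa_missing_features "$FEATURES_DIR"); then
        echo "all listed kernel features present"
    else
        printf 'missing kernel features: %s\n' "$miss"
    fi
fi
```

Run it as root (or with securityfs readable) on the 6.15 box; if `network` is the only name reported missing, that matches the snapd status line above. Point FEATURES_DIR at a copy made with `make_fake_features` to try it without AppArmor at all.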

Just a guess: I think you need the current AppArmor in user space (4.1 or 4.1.1), and I would simply take the whole apparmor-next revisions from the apparmor-kernel repo if cherry-picking does not suffice. The other way would be to look at the Ubuntu sauce.

edit: 5.x → 4.x

Do you mean 4.1?

I have tried 4.0.3, though that didn’t help; will try 4.1.x.

Historically we have needed only two patches for snap confinement, and I would ideally prefer if we were able to check in a smaller patch in our GitHub repo instead of putting in the whole diff from apparmor-next.

yes, AFAIU you need at least 4.1 to work with the af_unix kernel patches after the v9 ABI changes.

well I think that also should work.

I am probably the wrong person to comment, as I am only guessing.

Does snapd not bundle its own userspace AppArmor components, or am I wrong? I think I saw this in the patch notes a few months ago. Of course, that’s assuming that you’re in a re-exec environment, as otherwise I’d assume using snapd as e.g. a pure .deb wouldn’t, as it’s likely building against the distro’s.

  • AppArmor: update to latest 4.0.2 release
  • AppArmor: enable using ABI 4.0 from host parser

Yes, it does. If I remember correctly, I think one can also use the host AppArmor, like before AppArmor got vendored. If that is not possible, we need to wait for a newer snapd too. Edit1: couldn’t find an appropriate config or switch for enabling the system AppArmor. Also, the snapd upcoming release/2.70 bundled AppArmor version is 4.0.2.

Or maybe the old patches still work for your use case - there were some compatibility issues. Would need to dig into the comments by jjohansen

edit2: here from the reddit link posted above

Hmmm, so now AppArmor 4.1 is released, we need to wait for snapd to vendor 4.1 and for the patches to land upstream :thinking:

Based on your error message I think we only need the v2 network compatibility patch, but I may be too optimistic (and I can’t find a trace of when the af_unix patches landed, if they did).

If I had to guess based on jjohansen’s comment, the needed patches can be found around the 18th of Jan: https://gitlab.com/apparmor/apparmor-kernel/-/commits/apparmor-next

It might be better to get in touch with the AppArmor people; I’ve tried getting comment from jjohansen on Reddit but haven’t received a reply yet. According to the GitLab:

Please send all complaints, feature requests, rants about the software, and questions to the AppArmor mailing list.

And jjohansen seems to be on that mailing list as well.

jjohansen stated that snapd needs to vendor a newer apparmor to be able to use the changed kernel patches currently in linux-next (AFAIU >= 4.1) (and maybe some policy updates?).

If 4.1 works with older kernels, it should be possible to publish a snapd which vendors the current AppArmor with it. The Plucky base system already comes with 4.1.

maybe @alexmurray can comment on the plans/discussion on snapd side or help om26er out in a different way?