Snapd STILL requires out-of-tree apparmor patches for strict confinement

Hmmm dang, the road is longer than even the maintainer expected, which we could find in the discussion surrounding it

They seemed pretty close to releasing apparmor 4.1 two months ago (which would include the user space to use the kernel part); there is a bug that network mediation did not work as expected for apparmor 4.1 from beta testing which might have delayed that(?). A completely uninformed guess: they want to first make sure that no changes to the kernel are necessary to fix this and hopefully after analyzing/fixing/QA they’ll send a PR to Linus.

hmmm that’s another good point, is there even an active PR we can follow or are we still in the baking phase

Not sure what to follow; there is movement for a 4.1.1 release on https://gitlab.com/apparmor/apparmor/-/tree/apparmor-4.1 ; edit: actually, the last revision got tagged v4.1.1, so I guess it is released(?)

And it seems 4.1.0 was actually released in April without me noticing (Series 4.1 : AppArmor). Also openSUSE Tumbleweed and Leap seem to have adopted it. Also went into Debian trixie.

I did not see an official release statement anywhere though.

I was about to comment on AppArmor 4.1.1 releasing, it passed by me through DistroWatch. So yeah, a bit at a loss where to see what’s up with the final pieces landing upstream as well

I am actually trying to figure out what patches I need for full snap confinement. Historically it has been the af_unix mediation and one other patch for v2 network compatibility. Now I am using Linux 6.15 and trying to understand what I need to do to have full confinement.

snapd currently tells me

AppArmor status: apparmor is enabled but some kernel features are missing: network

Just a guess: I think you need the current apparmor in user space (4.1 or 4.1.1); and I would simply take the whole apparmor-next revisions from the apparmor-kernel repo if cherry-picking does not suffice. The other way would be to look at the ubuntu sauce.

edit: 5.x → 4.x

Do you mean 4.1?

I have tried 4.0.3 though that didn’t help, will try 4.1.x

Historically we have needed only two patches for snap confinement and I would ideally prefer if we were able to check in a smaller patch in our GitHub repo instead of putting the whole diff from apparmor-next

yes, AFAIU you need at least 4.1 to work with the af_unix kernel patches after the v9 ABI changes.

well I think that also should work.

I am probably the wrong person to comment, as i am only guessing.

Does snapd not bundle its own userspace apparmor components or am I wrong? I think I saw this in the patch notes a few months ago? Of course, that’s assuming that you’re in a re-exec environment, as otherwise I’d assume using snapd as e.g., a pure .deb wouldn’t, as it’s likely building against the distro’s.

  • AppArmor: update to latest 4.0.2 release
  • AppArmor: enable using ABI 4.0 from host parser

yes, it does. If I remember correctly, I think one can also use the host apparmor though like before apparmor got vendored. If that is not possible, we need to wait for a newer snapd too. Edit1: couldn’t find an appropriate config or switch for enabling the system apparmor. Also the snapd upcoming release/2.70 bundled apparmor version is 4.0.2

Or maybe the old patches still work for your use case - there were some compatibility issues. Would need to dig into the comments by jjohansen

edit2: here from the reddit link posted above

hmmm so now apparmor 4.1 is released, we need to wait for snapd to vendor 4.1 and the patches to land upstream :thinking:

Based on your error message I think we only need the v2 network compatibility patch but I may be too optimistic (and I can’t find a trace of when the af_unix patches landed, if they did)

if I had to guess based on jjohansen’s comment the needed patches can be found around the 18th of Jan: https://gitlab.com/apparmor/apparmor-kernel/-/commits/apparmor-next

It might be better to get in touch with the apparmor people, I’ve tried getting comment from jjohansen on reddit but haven’t received a reply yet. According to the gitlab:

Please send all complaints, feature requests, rants about the software, and questions to the AppArmor mailing list.

And jjohansen seems to be on that mailing list as well

jjohansen stated that snapd needs to vendor a newer apparmor to be able to use the changed kernel patches currently in linux-next (AFAIU >= 4.1) (and maybe some policy updates?).

If 4.1 works with older kernels, it should be possible to publish a snapd which vendors the current apparmor with it. The Plucky base system already comes with 4.1

maybe @alexmurray can comment on the plans/discussion on snapd side or help om26er out in a different way?


How do you get that output?

I recently switched to Garuda, and here’s what I got so far:

> snap debug sandbox-features 
apparmor:             kernel:caps kernel:domain kernel:domain:attach_conditions kernel:file kernel:io_uring kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:policy:permstable32:allow kernel:policy:permstable32:audit kernel:policy:permstable32:complain kernel:policy:permstable32:cond kernel:policy:permstable32:deny kernel:policy:permstable32:hide kernel:policy:permstable32:kill kernel:policy:permstable32:label kernel:policy:permstable32:prompt kernel:policy:permstable32:quiet kernel:policy:permstable32:subtree kernel:policy:permstable32:tag kernel:policy:permstable32:xindex kernel:policy:unconfined_restrictions kernel:policy:versions kernel:ptrace kernel:query kernel:query:label kernel:rlimit kernel:signal parser:allow-all parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:io-uring parser:mqueue parser:mqueue-posix parser:prompt parser:qipcrtr-socket parser:unconfined parser:unsafe parser:userns parser:xdp policy:default support-level:partial
configfiles:          mediated-configfiles
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
ldconfig:             mediated-ldconfig
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v2 device-filtering tagging

> snap debug confinement 
partial

> uname -a
Linux Y4M1-II 6.15.3-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Thu, 19 Jun 2025 14:41:01 +0000 x86_64 GNU/Linux

It’s in the journal log of snapd.
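An added example, not code from snapd or from anyone in this thread: a small Python script that parses the `snap debug sandbox-features` output posted above and reports the AppArmor support level, whether "strict" is among the confinement options, and which kernel-side AppArmor features are absent. The sample input is a shortened copy of the thread's own output. Which kernel feature names snapd actually requires is an assumption here; the default checks for "network" because that is what the snapd error message in this thread reported missing, and the check uses exact names on purpose so that the presence of `kernel:network_v8` is not mistaken for `kernel:network`.

```python
import re

# Sample input (constructed): a shortened copy of the `snap debug sandbox-features`
# output posted in the thread (Linux 6.15.3-zen, snapd reporting "partial").
SAMPLE = """\
apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:signal parser:allow-all parser:unconfined parser:userns policy:default support-level:partial
confinement-options:  classic devmode
dbus:                 mediated-bus-access
mount:                layouts mount-namespace per-snap-profiles
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno
udev:                 device-cgroup-v2 device-filtering tagging
"""

# Assumption (not taken from snapd's source): the kernel-side feature names to
# look for. The thread's snapd message named "network", so that is the default;
# callers can pass their own set.
DEFAULT_REQUIRED_KERNEL_FEATURES = frozenset({"network"})

# One backend per line: "<backend>:<spaces><token> <token> ...".
LINE_RE = re.compile(r"^([\w-]+):\s+(\S.*)$")


def parse_sandbox_features(text):
    """Map each backend name to the set of feature tokens on its line."""
    features = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip shell prompts, blank lines and anything unexpected
        backend, tokens = m.groups()
        features[backend] = set(tokens.split())
    return features


def apparmor_summary(features):
    """Split the apparmor backend's tokens by prefix and pull out support-level."""
    tokens = features.get("apparmor", set())

    def strip(prefix):
        return {t[len(prefix):] for t in tokens if t.startswith(prefix)}

    level = strip("support-level:")
    return {
        "kernel": strip("kernel:"),
        "parser": strip("parser:"),
        "policy": strip("policy:"),
        "support_level": next(iter(level)) if level else "unknown",
    }


def missing_kernel_features(features, required=DEFAULT_REQUIRED_KERNEL_FEATURES):
    """Required kernel-side AppArmor features that the kernel does not advertise.

    Exact-name comparison: in the thread, kernel:network_v8 is advertised while
    snapd still reports "network" missing, so a substring match would hide that.
    """
    present = apparmor_summary(features)["kernel"]
    return set(required) - present


def strict_confinement_available(features):
    """True only if snapd itself lists "strict" among the confinement options."""
    return "strict" in features.get("confinement-options", set())


if __name__ == "__main__":
    feats = parse_sandbox_features(SAMPLE)
    summary = apparmor_summary(feats)
    print("apparmor support-level:", summary["support_level"])
    print("strict available:", strict_confinement_available(feats))
    print("missing kernel features:", sorted(missing_kernel_features(feats)) or "none")
```

To run it against a live system, replace `SAMPLE` with the output of `snap debug sandbox-features`; a non-empty "missing kernel features" list together with a "partial" support level is the same state the thread describes, where the kernel advertises `network_v8` but not the feature snapd asks for.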