packages
packages copied to clipboard
getsolus
Snap/Apparmor deprecation
The maintenance of the (almost 60) AppArmor patches adds a significant maintenance burden for our kernels. These patches are only needed for strict confinement of Snaps.
To decrease the maintenance burden we should drop support for Snaps and move users over to Flatpak, seeing as 1) there is little progress on upstreaming the patches, 2) Flatpak seems to have won the battle for the desktop and 3) there is (in my opinion) no value in only supporting unconfined Snaps.
Note that Apparmor support will remain enabled in the kernel. Only the additional patches are removed.
Plan is as follows:
- Create a plan (this issue) :heavy_check_mark:
- Enable the migration and improve the QoL around Flatpaks: :heavy_check_mark:
- #323
- #322
- https://github.com/solus-packages/flatpak/pull/1
- Enable flathub by default https://github.com/getsolus/packages/pull/3430
- Remove
snapdfrom ISOs https://github.com/getsolus/packages/commit/d20ba5dcfd259054f1d69e9042ec8d7c56012bed
- Create migration documentation :heavy_check_mark:
Initially in this issue- Followed by an article on the help center (https://github.com/getsolus/help-center-docs/pull/555).
- Let staff and developers try the migration and gather feedback. :heavy_check_mark:
- Find issues in the migration documentation and fix them.
- Are there any packages that are missing? (https://github.com/getsolus/packages/issues/3282)
- Two cut-off dates:
- On the sync after 2024-07-05 users can voluntarily switch while Snap is fully maintained. After this date the AppArmor patches will be dropped and snaps can only be used without strict confinement. :heavy_check_mark:
- After ~~2025-01-01~~ TDB snap will be completely deprecated. Update: there is some progress on the upstream Apparmor patches, so we're holding off on deprecation for the time being.
- Communicate this to users via:
- Socials/Forum: https://discuss.getsol.us/d/10750-dropping-apparmor-kernel-patches/12
- Warning on the snap command: https://github.com/getsolus/packages/pull/3211
- Notification when running GUI snaps: https://github.com/getsolus/packages/pull/3211
Hi, is this still something planned? I am trying to follow the upstream effort for the snap confinement and as far as I understood the snap developers, apparmor 3 has everything upstreamed for snap. AFAIU the missing piece in the kernel to strict confinement is AF_UNIX mediation (but not sure in which year that will land), but that should not be 60 patches, but rather 3 (?). The related LSM stacking also seems finally to pick up speed again. I saw there is continued work on unsnap, so I guess it is?
Hi, is this still something planned? I am trying to follow the upstream effort for the snap confinement and as far as I understood the snap developers, apparmor 3 has everything upstreamed for snap. AFAIU the missing piece in the kernel to strict confinement is AF_UNIX mediation (but not sure in which year that will land), but that should not be 60 patches, but rather 3 (?). The related LSM stacking also seems finally to pick up speed again. I saw there is continued work on unsnap, so I guess it is?
Please read the announcement in the forum
Please read the announcement in the forum
Ah thank you for the clarification. The issue wasnt updated so I wasnt sure if this is on the table, but Solus committed publicly to deprecate snap so this is clearly the wrong place to ask about the patch sets.
I am trying to follow the upstream effort for the snap confinement and as far as I understood the snap developers, apparmor 3 has everything upstreamed for snap. AFAIU the missing piece in the kernel to strict confinement is AF_UNIX mediation (but not sure in which year that will land), but that should not be 60 patches, but rather 3 (?). The related LSM stacking also seems finally to pick up speed again.
Our patchset is imported from the Ubuntu kernels (see here for LTS kernel) as far as I know.
It might be the case that not all of those are needed, but part of the problem is that it is difficult to track what is actually needed. The upstream kernel patches only go up to Linux 4.8, but the existence of a patch set that is applied to Ubuntu kernels strongly suggests that it isn't the case that no patches are needed for any newer kernels.
Note that it isn't the case that we're dropping Snap support because we hate snaps, so we'll gladly reverse on the deprecation decision if it turns out that no patches are needed for strict confinement (and things stay that way).
The issue wasnt updated
I've updated the issue to reflect the current status. Note that it will land in stable Solus in the next sync, and we're hard at work to provide tooling and documentation to help people migrate (mainly unsnap).
Our patchset is imported from the Ubuntu kernels ... It might be the case that not all of those are needed, but part of the problem is that it is difficult to track what is actually needed. ... the existence of a patch set that is applied to Ubuntu kernels strongly suggests that it isn't the case that no patches are needed for any newer kernels.
thanks for the clarifications, had a look at the ubuntu sauce for 6.8 ; current patch set for apparmor 4 seems to contain 90 patches (big chunk is the LSM stacking v39 patch set which was intended to land in 6.1 but obviously did not). A current apparmor is included in the snapd snap and i know that apparmor is able to nest; I assume though that only the user space parts (for parsing policies etc) are vendored and I would be surprised if that adds mediation features if the kernel does not support it.
edit: one more datapoint: ruhen.vanderberg extracted the necessary patches for a 6.1 linux kernel, looks like a 2k lines diff. https://github.com/RJvdBerg/UbuntuCore-kernelpatches - looks really like only the AF_UNIX mediation related patches; so my guess is canonical adds a lot extra changes to apparmor probably for LSM stacking and not really necessary for snap
I've updated the issue to reflect the current status.
thanks for that as well
Adding with high priority to 4.8 since we have communicated publicly that snaps would stop working in early January 2025
for what it is worth, the patches needed for snap to work has now been pulled into linux-next: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=26c200e28a322b308518cda764307c18d7df705d
So it will either land in 6.14 or 6.15
sources that these are the patches: the maintainer of the apparmor tree: https://www.reddit.com/r/Ubuntu/comments/zoz5qd/comment/m8866es the apparmor tree: https://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git/log/?h=apparmor-next
@Fuseteam thanks for the heads up. Seems like things are (slowly) coming together for running snaps with strict confinement without patches, which is great news!
I tried to see if it actually works with all the updated pieces (snap 2.68 master, linux-next 20250228, apparmor 4.1.0-beta5), but unfortunately it still reports partial confinement. We're pretty far from the actual kernel release though, so I don't think it means too much.
Considering these developments, I think it makes sense to at least delay deprecation until Linux 6.15 has been released.
Moving to the 5.0 milestone, since the required upstream work will likely not be done before we're ready to release 4.8
The last pieces are now in the kernel 6.17RC1 so very probably that will be mainlined soon. But it needs apparmor 4.1 (and I think solus is on apparmor 3). Note that snapd snap vendors its own apparmor which is < 4.1 at the moment (snapd 2.71) - not sure how this interacts; and also dont know if solus supports updating snapd via the snap. I asked about the requirement in snapd roadmap at the snapcraft forum