Dropping AppArmor Kernel Patches

EbonJaeger

Heya folks! With the next linux-current kernel update, we are dropping the AppArmor patchset from Canonical. This means that Snaps will now be unconfined if you are using the current kernel. Our LTS kernel will still have the AppArmor patches applied. Dropping these patches is the first step in ending support of Snaps on Solus. Snaps will still be supported for the rest of 2024, they will just be running unconfined. Long-term, Snap users are encouraged to explore alternative solutions, such as Flatpak.

We realize that this notice may be rather sudden. Unfortunately, we are in the position where our linux-current kernel 6.8 has reached End of Life, meaning it no longer receives security patches, but Canonical appear to be skipping updating the AppArmor patchset for kernel 6.9, thus preventing us from updating the kernel. So, we're stuck between a rock and a hard place. We've been planning on doing this soon anyway (since the end of last year), but now our hand has been forced.

Dropping the AppArmor patchset has several benefits for us. To start with, the patchset is huge; it is upwards of 60 separate patches, meaning it is a significant maintenance burden. Since the set is maintained and updated by Canonical, we can only update to a new kernel after they've updated all of those patches, which sometimes takes a long time, or even doesn't happen at all, like now.

Not applying the patches means that we can generate ISO images on our infrastructure servers. Right now, ISOs can only be generated on systems using the Solus kernel, due to our AppArmor hooks. This means that every week, someone on the team has to use their system to build all the images, and then upload around 10GB of ISOs to the download server. The same goes for full Solus releases. By dropping the AppArmor patches, we can skip all of that and generate images on the server directly.

Going forward, Flatpaks will be the preferred way of getting software that isn't in our official repository. They are integrated in both GNOME Software and KDE Discover, making it easier than ever to not only install, but also update, Flatpak software on your systems. They also have broader upstream support, since Flatpak is developed by a cross-distribution community, whereas Snap is developed and managed by Canonical, and largely seems to target Ubuntu and Ubuntu derivatives.

EbonJaeger

There is also an open pull request to add unsnap to the repository to help facilitate migrations away from Snaps. You can track its progress here.

Girtablulu

weeee finally, who was the poor soul who had to update snapd? 😃

ermo

Girtablulu weeee finally, who was the poor soul who had to update snapd? 😃

@silke I think?

vemothe

Nice! This was one of the best moves since adding XFCE.

craigtoyoracer

Excellent decision for the Team and Users. Too bad you still have 6 months to go. 🙂

the only good snap is, a Ginger or sweet pea.

BuzzPCSOS

Please excuse if this is a stupid question.
For users who don't use snap, is it reasonable to manually uninstall Snap and AppArmor now using Discover/Software Centre or CLI ?
Always concerned about breaking the install when it comes to removing stuff that Solus comes with.

alfisya

BuzzPCSOS I would wait until all migration phase has been worked out clearly. It is not like it is hindering my system in anyway.

[deleted]

How does this affect end user's security other than Snaps? I see no mention of switching to SELinux in the OP.

brent

[deleted] I see no mention of switching to SELinux in the OP.

SELinux is the one word I was hoping not to see in this discussion. I thought it was mediocre when I have used it, (fedora) and buggy. Good question to ask though.

craigtoyoracer

[deleted] It would not effect anything else. This is only about Snaps. Once gone, the Team will save time and effort, as Flatpak is a better option for users.

Snaps vs Flatpak reminds me of Beta vs VHS

ermo

[deleted] How does this affect end user's security other than Snaps? I see no mention of switching to SELinux in the OP.

The integrated kernel AppArmor support could potentially stay enabled, though I am not aware if this is currently the case. EDIT: It is still enabled.

Personally, I'd rather not have to deal with SELinux if I can avoid it.

ermo

[deleted] How does this affect end user's security other than Snaps? I see no mention of switching to SELinux in the OP.

AppArmor support is still enabled in the kernel; it's only the Ubuntu-specific patchset necessary for snap confinement that has been dropped from my reading of the situation.

JTCPingas

ermo I haven't come across any problems with SELinux, perse. But in Fedora I have to apply a workaround to whitelist L4D2 so that main menu music and other pieces of select music play properly in the game.

https://github.com/ValveSoftware/Source-1-Games/issues/2734#issuecomment-1363552623

[deleted]

ermo Thanks. This was the clarification I was looking for.

JTCPingas

I guess my question is what benefits does apparmor provide over selinux?

ermo

JTCPingas I guess my question is what benefits does apparmor provide over selinux?

... the most obvious answer I can think of is that "It's not SELinux".

EbonJaeger

Heya folks! We just made a new blog post about kernel AppArmor patches and Snap support. Check it out!

brent

EbonJaeger
"Not applying the patches means that we can generate ISO images on our own infrastructure. Right now, ISOs can only be generated on systems using the Solus kernel, due to our AppArmor hooks. This means that every week, someone on the team has to use their system to build all the images and then upload around 10GB of ISOs to the download server for our OpenCollective backers. The same goes for full Solus releases. By dropping the AppArmor patches, we can skip all of that and generate images on the server directly."

how liberating and time-saving, this is great news.