Snap/Apparmor deprecation

[silkeh]

The maintenance of the (almost 60) AppArmor patches adds a significant maintenance burden for our kernels. These patches are only needed for strict confinement of Snaps.

To decrease the maintenance burden we should drop support for Snaps and move users over to Flatpak, seeing as 1) there is little progress on upstreaming the patches, 2) Flatpak seems to have won the battle for the desktop and 3) there is (in my opinion) no value in only supporting unconfined Snaps.

Note that Apparmor support will remain enabled in the kernel. Only the additional patches are removed.

Plan is as follows:

1. Create a plan (this issue) ✔️
2. Enable the migration and improve the QoL around Flatpaks: ✔️
   • unsnap #323
   • host-spawn #322
   • flatpak: Add systemd services for automatic updates solus-packages/flatpak#1
   • Enable flathub by default flatpak: Enable flathub by default #3430
   • Remove snapd from ISOs d20ba5d
3. Create migration documentation ✔️
   • Initially in this issue
   • Followed by an article on the help center (Add docs for Snap help-center-docs#555).
4. Let staff and developers try the migration and gather feedback. ✔️
   • Find issues in the migration documentation and fix them.
   • Are there any packages that are missing? (unsnap: Missing Flatpak/Snap equivalents #3282)
5. Two cut-off dates:
   • On the sync after 2024-07-05 users can voluntarily switch while Snap is fully maintained. After this date the AppArmor patches will be dropped and snaps can only be used without strict confinement. ✔️
   • After 2025-01-01 TDB snap will be completely deprecated. Update: there is some progress on the upstream Apparmor patches, so we're holding off on deprecation for the time being.
6. Communicate this to users via:
   • Socials/Forum: https://discuss.getsol.us/d/10750-dropping-apparmor-kernel-patches/12
   • Warning on the snap command: snapd: Add confinement warning #3211
   • Notification when running GUI snaps: snapd: Add confinement warning #3211

[ReillyBrogan]

70 patches with 6.5 FWIW

[agrrr3]

Hi, is this still something planned?
I am trying to follow the upstream effort for the snap confinement and as far as I understood the snap developers, apparmor 3 has everything upstreamed for snap.
AFAIU the missing piece in the kernel to strict confinement is AF_UNIX mediation (but not sure in which year that will land), but that should not be 60 patches, but rather 3 (?). The related LSM stacking also seems finally to pick up speed again.
I saw there is continued work on unsnap, so I guess it is?

[malfisya]

Hi, is this still something planned? I am trying to follow the upstream effort for the snap confinement and as far as I understood the snap developers, apparmor 3 has everything upstreamed for snap. AFAIU the missing piece in the kernel to strict confinement is AF_UNIX mediation (but not sure in which year that will land), but that should not be 60 patches, but rather 3 (?). The related LSM stacking also seems finally to pick up speed again. I saw there is continued work on unsnap, so I guess it is?

Please read the announcement in the forum

[agrrr3]

Please read the announcement in the forum

Ah thank you for the clarification. The issue wasnt updated so I wasnt sure if this is on the table, but Solus committed publicly to deprecate snap so this is clearly the wrong place to ask about the patch sets.

[joebonrichie]

we need to enable flathub by default as well

[silkeh]

I am trying to follow the upstream effort for the snap confinement and as far as I understood the snap developers, apparmor 3 has everything upstreamed for snap.
AFAIU the missing piece in the kernel to strict confinement is AF_UNIX mediation (but not sure in which year that will land), but that should not be 60 patches, but rather 3 (?). The related LSM stacking also seems finally to pick up speed again.

Our patchset is imported from the Ubuntu kernels (see here for LTS kernel) as far as I know.

It might be the case that not all of those are needed, but part of the problem is that it is difficult to track what is actually needed. The upstream kernel patches only go up to Linux 4.8, but the existence of a patch set that is applied to Ubuntu kernels strongly suggests that it isn't the case that no patches are needed for any newer kernels.

Note that it isn't the case that we're dropping Snap support because we hate snaps, so we'll gladly reverse on the deprecation decision if it turns out that no patches are needed for strict confinement (and things stay that way).

The issue wasnt updated

I've updated the issue to reflect the current status. Note that it will land in stable Solus in the next sync, and we're hard at work to provide tooling and documentation to help people migrate (mainly unsnap).

[agrrr3]

Our patchset is imported from the Ubuntu kernels ...
It might be the case that not all of those are needed, but part of the problem is that it is difficult to track what is actually needed.
... the existence of a patch set that is applied to Ubuntu kernels strongly suggests that it isn't the case that no patches are needed for any newer kernels.

thanks for the clarifications, had a look at the ubuntu sauce for 6.8 ; current patch set for apparmor 4 seems to contain 90 patches (big chunk is the LSM stacking v39 patch set which was intended to land in 6.1 but obviously did not). A current apparmor is included in the snapd snap and i know that apparmor is able to nest; I assume though that only the user space parts (for parsing policies etc) are vendored and I would be surprised if that adds mediation features if the kernel does not support it.

edit: one more datapoint: ruhen.vanderberg extracted the necessary patches for a 6.1 linux kernel, looks like a 2k lines diff. https://github.com/RJvdBerg/UbuntuCore-kernelpatches - looks really like only the AF_UNIX mediation related patches; so my guess is canonical adds a lot extra changes to apparmor probably for LSM stacking and not really necessary for snap

I've updated the issue to reflect the current status.

thanks for that as well