Skip to content

many: switch to apparmor 5.x with 5 ABI#15967

Open
zyga wants to merge 10 commits intocanonical:masterfrom
zyga:rfc/apparmor-5
Open

many: switch to apparmor 5.x with 5 ABI#15967
zyga wants to merge 10 commits intocanonical:masterfrom
zyga:rfc/apparmor-5

Conversation

@zyga
Copy link
Copy Markdown
Contributor

@zyga zyga commented Sep 11, 2025
edited
Loading

This is extremely early work as we need to align some stars before we get to hit the bugs and fix them:

  1. we need apparmor 5.0.0 alpha 2 for upstream af_unix features
  2. we need to actively use abi 5 across our profiles
  3. interfaces will likely need some changes
  4. there's no abi 5.0 file in the release we are using so that part of the code is dormant

Then we get to test and see what breaks.

For apparmor master with 5 abi please see: #16780
For apparmor 5.x with 5 ABI please see: #15967
For apparmor 5.x with 4 ABI please see: #16781

@github-actions github-actions bot added the Run only one system Only runs spread tests on one system label Sep 11, 2025
@github-actions
Copy link
Copy Markdown

github-actions bot commented Sep 11, 2025
edited
Loading

Mon Mar 23 10:48:38 UTC 2026
The following results are from: https://github.com/canonical/snapd/actions/runs/23354322034

Failures:

Preparing:

  • openstack-ext:ubuntu-22.04-64:tests/nested/manual/hybrid-remodel

Executing:

  • openstack:centos-9-64:tests/main/selinux-clean
  • openstack:fedora-42-64:tests/main/selinux-clean
  • openstack:opensuse-tumbleweed-selinux-64:tests/main/cgroup-devices-v2
  • openstack:ubuntu-25.10-64:tests/main/server-snap:goServer

Skipped tests from snapd-testing-skip

  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • garden:ubuntu-25.10-64:tests/main/apparmor-prompting-support
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/i18n
  • openstack-arm:ubuntu-core-24-arm-64:tests/main/i18n
  • openstack-ext:ubuntu-26.04-64:tests/nested/manual/minimal-smoke:secboot_disabled
  • openstack-ext:ubuntu-26.04-64:tests/nested/manual/minimal-smoke:secboot_enabled
  • openstack:debian-sid-64:tests/main/interfaces-network-status-classic
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-24.04-64:tests/main/i18n
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-flag-restart
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-prompt-restoration
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_allow_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_allow_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_allow_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_allow_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_deny_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_deny_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_deny_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_deny_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_allow_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_allow_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_allow_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_allow_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_deny_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_deny_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_deny_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_deny_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-snapd-startup
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-support
  • openstack:ubuntu-25.10-64:tests/main/interfaces-requests-activates-handlers
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-flag-restart
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-prompt-restoration
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_allow_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_allow_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_allow_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_allow_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_deny_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_deny_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_deny_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_deny_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_allow_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_allow_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_allow_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_allow_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_deny_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_deny_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_deny_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_deny_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-snapd-startup
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-support
  • openstack:ubuntu-26.04-64:tests/main/i18n
  • openstack:ubuntu-26.04-64:tests/main/interfaces-requests-activates-handlers
  • openstack:ubuntu-core-26-64:tests/main/debug-confinement
  • openstack:ubuntu-core-26-64:tests/main/interfaces-posix-mq
  • openstack:ubuntu-core-26-64:tests/main/security-device-cgroups-jailmode
  • openstack:ubuntu-core-26-64:tests/main/snaps-state
  • openstack:ubuntu-core-26-64:tests/regression/lp-1641885
  • openstack:ubuntu-core-26-64:tests/regression/lp-1667385:jailmode
  • openstack:ubuntu-core-26-64:tests/smoke/sandbox

@codecov
Copy link
Copy Markdown

codecov bot commented Sep 11, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.63%. Comparing base (f7a2921) to head (5a73b9e).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #15967      +/-   ##
==========================================
+ Coverage   77.56%   77.63%   +0.07%     
==========================================
  Files        1366     1352      -14     
  Lines      188489   188228     -261     
  Branches     2446     2446              
==========================================
- Hits       146199   146136      -63     
+ Misses      33460    33278     -182     
+ Partials     8830     8814      -16
Flag Coverage Δ
unittests 77.63% <100.00%> (+0.07%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@zyga zyga changed the title many: switch to apparmor 5.0.0 alpha 1 and use abi 5 many: switch to apparmor 5.0.0 alpha 2 and use abi 5 Oct 21, 2025
@olivercalder
Copy link
Copy Markdown
Member

olivercalder commented Oct 24, 2025

This is surprisingly green. Maybe it would be best to have two separate draft PRs in parallel, one with 5.0.0 but with still ABI v4, then one which switches to ABI v5, so we can ensure that there's actually anything different in that switch (as there should be).

@zyga zyga changed the title many: switch to apparmor 5.0.0 alpha 2 and use abi 5 many: switch to apparmor 5.0.0 alpha 3 and use abi 5 Nov 20, 2025
@zyga
Copy link
Copy Markdown
Contributor Author

zyga commented Feb 12, 2026

I have updated this to 5 alpha 6.

@olivercalder I would like to return to this after 4.1.6 lands and after we have a sane 6.19 kernel

@zyga zyga marked this pull request as ready for review February 12, 2026 10:57
Copilot AI review requested due to automatic review settings February 12, 2026 10:57
@github-actions github-actions bot removed the Run only one system Only runs spread tests on one system label Feb 12, 2026
Copilot AI reviewed Feb 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates snapd’s AppArmor userspace integration to start consuming AppArmor 5 (alpha) and prefer ABI 5 policy features when using the internal apparmor_parser, as part of early enablement work toward ABI 5 profiles.

Changes:

  • Prefer the internal apparmor.d/abi/5.0 file (falling back to 4.0/3.0) when selecting --policy-features for the internal parser.
  • Pin snap-confine’s snap-build dependency to libapparmor 5 alpha.
  • Update snapcraft to fetch/build AppArmor 5 alpha (and stop applying the previously-carried local patches during that build).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
sandbox/apparmor/apparmor.go Prefer ABI 5.0 for internal apparmor_parser policy features when available.
cmd/configure.ac Pin snap-build libapparmor requirement to AppArmor 5 alpha.
build-aux/snap/snapcraft.yaml Fetch/build AppArmor 5 alpha6 tarball for the snap build.
Comments suppressed due to low confidence (1)

sandbox/apparmor/apparmor.go:920

  • The comment above this logic still says we "ensure we use the 4.0 feature ABI", but the code now prefers ABI 5.0 when present. Please update the comment so it matches the new selection order (5.0 → 4.0 → 3.0).
			snapdAbi50File := filepath.Join(prefix, "/apparmor.d/abi/5.0")

			// When using the internal apparmor_parser also use its own
			// configuration and includes etc plus also ensure we use the 4.0
			// feature ABI to get the widest array of policy features across

@zyga zyga changed the title many: switch to apparmor 5.0.0 alpha 3 and use abi 5 many: switch to apparmor 5.0.0 alpha 6 and use abi 5 Feb 16, 2026
@zyga zyga added the Run nested The PR also runs tests inluded in nested suite label Feb 23, 2026
@zyga zyga closed this Feb 23, 2026
@zyga zyga reopened this Feb 23, 2026
@zyga zyga changed the title many: switch to apparmor 5.0.0 alpha 6 and use abi 5 many: switch to apparmor 5.0.0 beta 1 and use abi 5 Feb 23, 2026
@zyga
Copy link
Copy Markdown
Contributor Author

zyga commented Feb 23, 2026

I've updated this to apparmor 5 beta 1 which is also available as a classic debian package in Ubuntu 26.04 now.

@zyga zyga requested a review from Copilot February 23, 2026 09:13
Copilot AI reviewed Feb 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

sandbox/apparmor/apparmor.go:921

  • The comment on line 919 states "ensure we use the 4.0 feature ABI" but the code now supports ABI 5.0. This comment should be updated to reflect that the code now preferentially uses ABI 5.0 when available, with fallbacks to 4.0 and 3.0.
			// When using the internal apparmor_parser also use its own
			// configuration and includes etc plus also ensure we use the 4.0
			// feature ABI to get the widest array of policy features across
			// the widest array of kernel versions.

@zyga zyga requested a review from Copilot February 23, 2026 09:30
Copilot AI reviewed Feb 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated no new comments.

@zyga zyga force-pushed the rfc/apparmor-5 branch 2 times, most recently from a83531c to 3ac1f54 Compare March 18, 2026 09:07
@zyga zyga mentioned this pull request Mar 18, 2026
Open
@zyga zyga changed the title many: switch to apparmor 5.0.0 beta 1 and use abi 5 many: switch to apparmor 5.x with 5 ABI Mar 18, 2026
@zyga zyga mentioned this pull request Mar 18, 2026
Open
zyga added 10 commits March 20, 2026 18:15
@zyga
build-aux: bump to apparmor 5.0.0 alpha 2
a2a7f3b 
Switch the copy of apparmor bundled with snapd snap to the new 5 alpha 2
release. This keeps the old ABI intact so our profiles should retain old
semantics.

Jira: https://warthogs.atlassian.net/browse/SNAPDENG-35412

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
cmd: expect apparmor 5 alpha 2
65c4d5e 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
build-aux: update to apparmor 5 alpha 6
db1112f 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
cmd: expect apparmor 5 alpha 6
96b16b0 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
build-aux: update to apparmor 5 beta 1
28d5370 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
cmd: expect apparmor 5 beta 1
0058421 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
build-aux: link apparmor_parser with libapparmor statically
c9742e3 
Disable support for building libapparmor.so and force static linking
of libapparmor.a into apparmor_parser.

Note that early in the 5.x series, apparmor userspace depends on libzstd
for loading compressed profiles.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
sandbox/apparmor: use abi 5.0 if possible
6c7a594 
Use 5.0 ABI when available. This may affect a few profiles so it's
likely to be coupled with additional changes after the first round of
testing.

Jira: https://warthogs.atlassian.net/browse/SNAPDENG-35413

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
sandbox/apparmor: refactor internal parser test setup
2927698 
Extract duplicated internal apparmor parser fixture setup and assertions into
shared test helpers. Rework TestAppArmorInternalAppArmorParserAbi3/4 to use
helpers and add ABI 5 coverage with TestAppArmorInternalAppArmorParserAbi5.
Reuse the helper in TestInternalParser and
TestSetupConfCacheDirsWithInternalApparmor to remove duplicate fixture code.
Rename helper to setupInternalAppArmorParserEnv for clearer scope.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
tests: expect apparmor 5 in snap-debug-execution-apparmor
5a73b9e 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

Run nested The PR also runs tests inluded in nested suite

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zyga @olivercalder