Skip to content

many: switch to apparmor master with 5 ABI (DO NOT MERGE)#16780

Open
zyga wants to merge 11 commits intocanonical:masterfrom
zyga:rfc/apparmor-master
Open

many: switch to apparmor master with 5 ABI (DO NOT MERGE)#16780
zyga wants to merge 11 commits intocanonical:masterfrom
zyga:rfc/apparmor-master

Conversation

@zyga
Copy link
Copy Markdown
Contributor

@zyga zyga commented Mar 18, 2026
edited
Loading

This is a perpetual branch that we will rebase from time to time. It aims to check if apparmor master has any regressions as observed by the snapd test suite.

Failure does not immediately indicate a bug in apparmor. It may be a bug in the test suite on snapd as well.

Please never merge this :)

For apparmor master with 5 abi please see: #16780
For apparmor 5.x with 5 ABI please see: #15967
For apparmor 5.x with 4 ABI please see: #16781

Copilot AI review requested due to automatic review settings March 18, 2026 09:03
Copilot AI reviewed Mar 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the snapd snap build to track AppArmor userspace “master” and extends snapd’s internal AppArmor parser ABI selection to prefer ABI 5 when available, so the snapd test suite can be used to detect regressions against upstream AppArmor changes.

Changes:

  • Prefer internal AppArmor parser ABI 5.0 (fallback to 4.0, then 3.0) when selecting --policy-features.
  • Refactor internal-parser test setup and add coverage for ABI 5 selection.
  • Update snapcraft recipe to build AppArmor from the upstream git master branch and adjust the libapparmor/parser build flags accordingly.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
sandbox/apparmor/apparmor.go Prefer ABI 5 policy features for the internal apparmor_parser when present.
sandbox/apparmor/apparmor_test.go Deduplicate internal-parser test setup and add ABI 5 selection test.
cmd/configure.ac Pin snapcraft build to a libapparmor 5.x pkg-config version for snap builds.
build-aux/snap/snapcraft.yaml Switch AppArmor source to upstream git master and build the parser/library with static-linking-related flags.

You can also share your feedback on Copilot code review. Take the survey.

sandbox/apparmor/apparmor.go
Comment on lines 918 to 925
@@ -923,9 +924,12 @@ func AppArmorParser() (cmd *exec.Cmd, internal bool, err error) {
// older apparmor, use that instead so that things
// don't generally fail.
cmd/configure.ac
Comment on lines +85 to +89
# Expect AppArmor 5 when building as a snap under snapcraft
AS_IF([test "x$SNAPCRAFT_PROJECT_NAME" = "xsnapd"], [
PKG_CHECK_MODULES([APPARMOR4], [libapparmor = 4.1.7], [
AC_DEFINE([HAVE_APPARMOR], [1], [Build with apparmor4 support])], [
AC_MSG_ERROR([unable to find apparmor4 for snap build of snapd])])], [
PKG_CHECK_MODULES([APPARMOR4], [libapparmor = 5.0.0~beta1], [
AC_DEFINE([HAVE_APPARMOR], [1], [Build with apparmor 5 support])], [
AC_MSG_ERROR([unable to find apparmor 5 for snap build of snapd])])], [
@zyga zyga mentioned this pull request Mar 18, 2026
Open
@zyga zyga changed the title build-aux: use apparmor master with ABI 5 many: switch to apparmor master with 5 ABI (DO NOT MERGE) Mar 18, 2026
@zyga zyga mentioned this pull request Mar 18, 2026
Open
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 18, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.62%. Comparing base (f7a2921) to head (3470daa).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #16780      +/-   ##
==========================================
+ Coverage   77.56%   77.62%   +0.06%     
==========================================
  Files        1366     1356      -10     
  Lines      188489   188391      -98     
  Branches     2446     2446              
==========================================
+ Hits       146199   146247      +48     
+ Misses      33460    33325     -135     
+ Partials     8830     8819      -11
Flag Coverage Δ
unittests 77.62% <100.00%> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 18, 2026
edited
Loading

Mon Mar 23 09:46:02 UTC 2026
The following results are from: https://github.com/canonical/snapd/actions/runs/23354329670

Failures:

Executing:

  • openstack:centos-9-64:tests/main/selinux-clean
  • openstack:fedora-42-64:tests/main/selinux-clean
  • openstack:ubuntu-25.10-64:tests/main/server-snap:goServer

Skipped tests from snapd-testing-skip

  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • garden:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • garden:ubuntu-25.10-64:tests/main/apparmor-prompting-support
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack-arm:ubuntu-24.04-arm-64:tests/main/i18n
  • openstack-arm:ubuntu-core-24-arm-64:tests/main/i18n
  • openstack:debian-sid-64:tests/main/interfaces-network-status-classic
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-20.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-22.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-24.04-64:tests/main/i18n
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-flag-restart
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-prompt-restoration
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_allow_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_allow_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_allow_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_allow_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_deny_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_deny_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_deny_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:camera_deny_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_allow_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_allow_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_allow_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_allow_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_deny_forever
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_deny_session
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_deny_single
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-smoke:home_deny_timespan
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-snapd-startup
  • openstack:ubuntu-25.10-64:tests/main/apparmor-prompting-support
  • openstack:ubuntu-25.10-64:tests/main/interfaces-requests-activates-handlers
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-flag-restart
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-prompt-restoration
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_allow_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:audiorecord_deny_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_allow_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_allow_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_allow_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_allow_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_deny_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_deny_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_deny_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:camera_deny_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_allow_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_allow_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_allow_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_allow_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_deny_forever
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_deny_session
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_deny_single
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-smoke:home_deny_timespan
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-snapd-startup
  • openstack:ubuntu-26.04-64:tests/main/apparmor-prompting-support
  • openstack:ubuntu-26.04-64:tests/main/i18n
  • openstack:ubuntu-26.04-64:tests/main/interfaces-requests-activates-handlers
  • openstack:ubuntu-core-26-64:tests/main/debug-confinement
  • openstack:ubuntu-core-26-64:tests/main/interfaces-posix-mq
  • openstack:ubuntu-core-26-64:tests/main/security-device-cgroups-jailmode
  • openstack:ubuntu-core-26-64:tests/main/snaps-state
  • openstack:ubuntu-core-26-64:tests/regression/lp-1641885
  • openstack:ubuntu-core-26-64:tests/regression/lp-1667385:jailmode
  • openstack:ubuntu-core-26-64:tests/smoke/sandbox

@zyga zyga force-pushed the rfc/apparmor-master branch from a0d77c4 to da90c6f Compare March 20, 2026 09:16
zyga added 7 commits March 20, 2026 18:15
@zyga
build-aux: bump to apparmor 5.0.0 alpha 2
a2a7f3b 
Switch the copy of apparmor bundled with snapd snap to the new 5 alpha 2
release. This keeps the old ABI intact so our profiles should retain old
semantics.

Jira: https://warthogs.atlassian.net/browse/SNAPDENG-35412

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
cmd: expect apparmor 5 alpha 2
65c4d5e 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
build-aux: update to apparmor 5 alpha 6
db1112f 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
cmd: expect apparmor 5 alpha 6
96b16b0 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
build-aux: update to apparmor 5 beta 1
28d5370 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
cmd: expect apparmor 5 beta 1
0058421 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
build-aux: link apparmor_parser with libapparmor statically
c9742e3 
Disable support for building libapparmor.so and force static linking
of libapparmor.a into apparmor_parser.

Note that early in the 5.x series, apparmor userspace depends on libzstd
for loading compressed profiles.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga zyga force-pushed the rfc/apparmor-master branch 2 times, most recently from 0995d6c to 778cd8c Compare March 20, 2026 17:17
zyga added 4 commits March 20, 2026 18:18
@zyga
sandbox/apparmor: use abi 5.0 if possible
6c7a594 
Use 5.0 ABI when available. This may affect a few profiles so it's
likely to be coupled with additional changes after the first round of
testing.

Jira: https://warthogs.atlassian.net/browse/SNAPDENG-35413

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
sandbox/apparmor: refactor internal parser test setup
2927698 
Extract duplicated internal apparmor parser fixture setup and assertions into
shared test helpers. Rework TestAppArmorInternalAppArmorParserAbi3/4 to use
helpers and add ABI 5 coverage with TestAppArmorInternalAppArmorParserAbi5.
Reuse the helper in TestInternalParser and
TestSetupConfCacheDirsWithInternalApparmor to remove duplicate fixture code.
Rename helper to setupInternalAppArmorParserEnv for clearer scope.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
tests: expect apparmor 5 in snap-debug-execution-apparmor
5a73b9e 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga
build-aux: update to apparmor master
3470daa 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga zyga force-pushed the rfc/apparmor-master branch from 778cd8c to 3470daa Compare March 20, 2026 17:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zyga