Create AppArmorVendoringInSnapd

AppArmorVendoringInSnapd.md

@@ -0,0 +1,49 @@
+AppArmor vendoring in snapd
+===========================
+
+Since snapd 2.59, the snapd snap vendors (ie. ships its own copy of) the apparmor userspace tools and configuration etc. Snapd supports re-execution of itself from the snapd deb into the snapd snap if it detects the snap is a newer version. As such, snapd is able to make use of the vendored apparmor to enable use of newer parser features etc than what is installed on the host system through the use of the vendored apparmor.
+
+Checking whether snapd is using vendored apparmor
+-------------------------------------------------
+
+To determine if snapd is using the vendored apparmor run:
+
+```bash
+snap debug sandbox-features --required=apparmor:parser:snapd-internal && echo "using vendored apparmor" || echo "not using vendored apparmor"
+```
+
+Compiling snap apparmor policies manually
+--------------------------------------------
+
+Sometimes it is useful to be able to manually recompile snap apparmor policies (e.g. when making local changes for testing etc). However, it is important to use the same `apparmor_parser` and configuration etc that is being used by snapd. To determine how snapd is invoking `apparmor_parser` (and which parser binary is being invoked), the following command can be used:
+
+```bash
+snap debug execution apparmor
+```
+
+In the case of using the host `apparmor_parser` this will produce output like the following:
+
+```
+apparmor-parser: /usr/sbin/apparmor_parser
+apparmor-parser-command: /usr/sbin/apparmor_parser --policy-features /etc/apparmor.d/abi/3.0
+internal: false
+```
+
+However, when using the vendored apparmor it would look more like following, which demonstrates the use of the vendored `apparmor_parser` binary along with the configuration and abstractions etc provided by the vendored apparmor.
+
+```
+apparmor-parser: /snap/snapd/24286/usr/lib/snapd/apparmor_parser
+apparmor-parser-command: /snap/snapd/24286/usr/lib/snapd/apparmor_parser --config-file /snap/snapd/24286/usr/lib/snapd/apparmor/parser.conf --base /snap/snapd/24286/usr/lib/snapd/apparmor.d --policy-features /snap/snapd/24286/usr/lib/snapd/apparmor.d/abi/4.0
+internal: true
+```
+
+Updating the vendored apparmor in snapd
+---------------------------------------
+
+The snapd snap is built from the [snapcraft.yaml](https://github.com/canonical/snapd/blob/master/build-aux/snap/snapcraft.yaml) file in the snapd repo. This contains a separate `apparmor` part that details both the [source tarball to use](https://github.com/canonical/snapd/blob/d1b0830cc25283f3435de324b00f46328104d66f/build-aux/snap/snapcraft.yaml#L161) as well as the [commands use to compile the tarball](https://github.com/canonical/snapd/blob/d1b0830cc25283f3435de324b00f46328104d66f/build-aux/snap/snapcraft.yaml#L163) for distribution within the snap.
+
+It is possible to also include additional patches on top of the tarball, and these are maintained directly in the [snapd git repo](https://github.com/canonical/snapd/tree/master/build-aux/snap/local/apparmor) and [explicitly](https://github.com/canonical/snapd/blob/d1b0830cc25283f3435de324b00f46328104d66f/build-aux/snap/snapcraft.yaml#L173) [applied](https://github.com/canonical/snapd/blob/d1b0830cc25283f3435de324b00f46328104d66f/build-aux/snap/snapcraft.yaml#L175) during the build.
+
+To update the vendored apparmor to a newer version, at a minimum, both the `source:` and `source-checksum:` fields in the snapcraft.yaml need to be updated, and likely the set of patches may also need to be updated.
+
+Finally, the snapd build logic also contains [an additional check](https://github.com/canonical/snapd/blob/d1b0830cc25283f3435de324b00f46328104d66f/cmd/configure.ac#L84) to ensure that the vendored apparmor is of the expected version - as such this check will also need to be updated to match the new expected vendored AppArmor version.