Pin AppArmor ABI to 3.0 and remove gdbus sub-profile in beta/dev #500
Merged
On kernel 6.17+ with AppArmor's new ABI (v9), rule semantics change in ways that can silently break profiles — e.g. blanket `network,` no longer implies `network unix,` (containerd/containerd#12897). Our profiles aren't practically affected by that specific change since the main profile already lists explicit network types and the git sub-profile inherits unix socket access via `abstractions/base`, but it illustrates the broader risk.

The ABI pin is a contract that guarantees all rules in our profiles are interpreted under known semantics. Without it, any future kernel ABI change to how capability, signal, deny, or other rule types work would silently affect us. We noticed `network,` only because containerd hit it first, but the same class of problem applies to everything.

The cost is low — abi/3.0 ships on every system where we use AppArmor (HAOS with AppArmor 3.1.x, Debian 12+ with 3.0.8+). The abi file has been available since 2020.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
gdbus is no longer present in the Supervisor container since home-assistant/supervisor#3234. Remove the `cx` transition rule and the entire gdbus sub-profile.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
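The commit messages above explain why an unpinned profile is fragile across kernel ABI changes but do not show what a pinned profile looks like or how to catch a missing pin before it ships. The script below is an added example, not code from this PR or from the Home Assistant project: it writes two constructed profiles (one with `abi <abi/3.0>,` as its first rule and explicit network families, one with only a bare `network,` rule and no pin) and then lints a directory so that any profile lacking the pin fails the check. The profile names `example_pinned`/`example_unpinned`, the `*.profile` file naming and the `WORKDIR` variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the PR or the project's own profiles):
# a CI-style lint that fails when an AppArmor profile does not pin its ABI.
# Profile names, file layout and contents are constructed for illustration.

set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed profile that pins the ABI. The abi rule must come first so
# every later rule is parsed under abi/3.0 semantics on any kernel.
cat > "$WORKDIR/pinned.profile" <<'EOF'
abi <abi/3.0>,

include <tunables/global>

profile example_pinned flags=(attach_disconnected) {
  include <abstractions/base>

  capability net_bind_service,

  # Explicit network families: do not rely on bare `network,` covering unix.
  network inet stream,
  network inet6 stream,
  network unix stream,
}
EOF

# Constructed profile without an ABI pin. On a kernel exposing a newer
# AppArmor ABI, the bare `network,` rule may no longer cover unix sockets.
cat > "$WORKDIR/unpinned.profile" <<'EOF'
include <tunables/global>

profile example_unpinned flags=(attach_disconnected) {
  include <abstractions/base>

  network,
}
EOF

# has_abi_pin FILE [ABI]: returns 0 if FILE declares the expected abi rule,
# 1 otherwise. Tolerates leading/trailing whitespace around the rule.
has_abi_pin() {
  file="$1"
  want="${2:-abi/3.0}"
  grep -Eq "^[[:space:]]*abi[[:space:]]*<${want}>[[:space:]]*," "$file"
}

# lint_profiles DIR: checks every *.profile in DIR; returns 1 if any lacks
# the pin, so a CI job using this function fails on an unpinned profile.
lint_profiles() {
  dir="$1"
  rc=0
  for f in "$dir"/*.profile; do
    if has_abi_pin "$f"; then
      echo "ok      $f"
    else
      echo "MISSING $f: no 'abi <abi/3.0>,' rule"
      rc=1
    fi
  done
  return $rc
}

# Demonstration run: the constructed unpinned profile makes the lint fail.
if lint_profiles "$WORKDIR"; then
  echo "all profiles pin their ABI"
else
  echo "lint failed: at least one profile is unpinned"
fi
```

The lint is a textual check only; it does not verify that the rules compile. On a host with the AppArmor userspace installed, `apparmor_parser -Q` parses a profile without loading it into the kernel and is the natural second step (pointing it at the right include directory with `-I` if the profiles do not live under `/etc/apparmor.d`).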
frenck
approved these changes
Mar 30, 2026
sairon
approved these changes
Mar 30, 2026
sairon
left a comment
Member
LGTM, I just updated the PR title for better traceability in Git history.
On kernel 6.17+ with AppArmor's new ABI, rule semantics can silently change for unpinned profiles. The known example is `network,` no longer implying `network unix,` (see containerd/containerd#12897), which our profiles aren't practically affected by (main profile lists explicit network types, git sub-profile gets unix via `abstractions/base`), but the same class of breakage could hit any rule type. Pinning abi/3.0 locks interpretation to known semantics. The cost is minimal — abi/3.0 ships on every system where we use AppArmor (HAOS 3.1.x, Debian 12+ 3.0.8+), and has been available since 2020.

Also remove the gdbus sub-profile and `cx` transition rule — gdbus was removed from the Supervisor container in home-assistant/supervisor#3234.