A change that has multiple benefits for Ubuntu Snappy

Nov 20, 2015 04:10 GMT

On November 19, Canonical, through Jamie Strandboge, informed Ubuntu Snappy users that, as of today, the Snappy Ubuntu Core 16.04 LTS (Xenial Xerus) images no longer use the click compatibility hooks for AppArmor ("Application Armor").

According to Mr. Strandboge, the Snappy Ubuntu Core operating system used click compatibility hooks to generate the AppArmor security policy, but they're no longer needed because of the implementation of the secure computing mode. The latest stable release of Snappy Ubuntu Core is based on Ubuntu 15.04 (Vivid Vervet), but the upcoming Ubuntu 16.04 LTS (Xenial Xerus) images will finally drop the click compatibility hooks for AppArmor.

As expected, this change has numerous benefits, among which we can mention a more consistent and cleaner implementation of policy generation, which no longer relies on Python tools, an easier-to-use and more useful "security-override" mechanism, support for hardware assignments to work with "security-policy"-enabled binaries and services, as well as enhancements to the image upgrade functionality.

"If you are an app developer, nothing has changed for you unless you used the 'security-override' yaml declaration," said Jamie Strandboge, Manager - Ubuntu Security at Canonical. "The new 'security-override' declaration will allow you to work with confinement more easily by letting you declare overrides in the yaml that are applied to whatever templated policy you specify."

But wait, there's more, as the removal of the click compatibility hooks for AppArmor has many other benefits, such as support for transitioning to the SquashFS format, improvements to the shipped system policy, and simplification of the snap checking/reviewing process. Of course, the entire click compatibility code will be removed.