Comment 11 for bug 1687079

Jamie Strandboge (jdstrand) wrote :

"The mainline kernel doesn't have the required apparmor patches so you end up in a situation where snapd doesn't generate a profile (because that profile would not load into the kernel anyway)"

Note, this isn't true. The parser is smart enough to 'dumb-down' the policy for the kernel if the kernel doesn't support everything. Of course, you end up with incomplete confinement.

One idea of what we could do instead is here: https://forum.snapcraft.io/t/snapd-vs-upstream-kernel-vs-apparmor/1704/8. I.e., do runtime detection: if the kernel has full apparmor support, generate normal policy; else generate wide-open policy and log that we are using forced devmode (perhaps listing why it was triggered and what is missing). This will allow a system to boot with different kernels and have the snaps still work, downgrading/upgrading confinement as needed.

Alternately: do runtime detection, always generate profiles like normal, but log that the kernel doesn't support full mediation (perhaps list what is missing).

While the second method is attractive in a lot of ways since you at least get some confinement, we will *definitely* (i.e., this isn't theoretical) have snaps that need additional rules for partial confinement that we wouldn't want in full strict confinement (this could be handled by conditionals in the interfaces though (e.g., in AppArmorConnectedPlug() for the interface, if PartialConfinement { add rule })).

I suggest the first for now; we can always do the second if needed.
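As an added illustration of the runtime-detection idea in this comment (example code, not snapd's own; the required-feature list, the function names and the log wording are hypothetical): probe the kernel's apparmor features directory, and pick normal policy when everything is present or forced devmode otherwise, logging what is missing.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Decision is the outcome of probing the running kernel's apparmor support.
type Decision struct {
	Full    bool     // true when every required feature is present
	Missing []string // required features the kernel does not advertise
}

// requiredFeatures is a hypothetical list of entries, relative to the apparmor
// features directory, that full snapd policy is assumed to depend on.
var requiredFeatures = []string{
	"file", "network", "mount", "signal", "ptrace", "dbus", "policy/versions/v7",
}

// ProbeKernel checks featuresDir (normally /sys/kernel/security/apparmor/features)
// for each required entry; a missing entry means the kernel lacks that mediation.
func ProbeKernel(featuresDir string) Decision {
	var d Decision
	for _, f := range requiredFeatures {
		if _, err := os.Stat(filepath.Join(featuresDir, f)); err != nil {
			d.Missing = append(d.Missing, f)
		}
	}
	sort.Strings(d.Missing)
	d.Full = len(d.Missing) == 0
	return d
}

// PolicyMode maps a Decision to the policy mode to generate and a log line
// explaining why (the log line lists what is missing when downgrading).
func PolicyMode(d Decision) (mode, logLine string) {
	if d.Full {
		return "strict", "kernel has full apparmor support; generating normal policy"
	}
	return "forced-devmode", fmt.Sprintf(
		"kernel lacks apparmor features %v; generating wide-open policy (forced devmode)", d.Missing)
}

func main() {
	mode, msg := PolicyMode(ProbeKernel("/sys/kernel/security/apparmor/features"))
	fmt.Printf("%s: %s\n", mode, msg)
}
```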