From bd1690bd16c70f9631ee2798514b51ed2dc973d5 Mon Sep 17 00:00:00 2001
From: John Chittum
Date: Wed, 5 Apr 2023 12:53:32 -0500
Subject: [PATCH] feat: support kernel with different apparmor feats

Jammy HWE is rolling to 5.19. the 5.19 kernel introduced more apparmor features, specifically ipc. due to the roll, we now must support builds with 2 different feature sets. This specifically affects snap-preseeding, where if a snap_preseed is run with a mismatched apparmor feature set, snap will require a restart to match the running kernel's feature set. in the clouds, this can add somehwere between 5-10s (as of checks on 20230404). This is a large boot time performance hit. Implementation is done at the `snap_validate_seed` function level. This function is called in snap scenarios. It checks for an installed kernel in the chroot, gets the major.min version, and checks for apparmor/$KERN. If found, it will do a copy of the directory, providing a naive override mechanism. For CPC builds, we are adding a call to `snap_validate_seed` at the end of affected hooks as well. This is a safe procedure to call, as it reruns the snap_preseed for all snaps. By running at the end of build processes, it ensures that any kernel changes done during the build are taken into account.
---
live-build/functions | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/live-build/functions b/live-build/functions
index d1ce2a61..17f2b075 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -760,6 +760,17 @@ snap_preseed() {
 snap_validate_seed() {
 local CHROOT_ROOT=$1
 
+ if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
+ local kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/vmlinuz | grep --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
+ if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+ # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
+ # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
+ # basic copy of a directory structure overriding the "generic" feature set
+ # which is tied to the LTS kernel
+ cp -R --verbose /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}/* /usr/share/livecd-rootfs/live-build/apparmor/generic/
+ fi
+ fi
+
 if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
 snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
 /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
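Review bot: The version extraction in the new `kern_major_min` line runs the `[0-9]+\.[0-9]+` grep over the whole canonicalized path, so any `N.N` that appears in `${CHROOT_ROOT}` itself (a build directory named after a release, for instance) is matched before the kernel version, and when nothing matches at all the empty variable makes the following `[ -d .../apparmor/ ]` test succeed and `cp -R .../apparmor/* .../generic/` then copies every feature directory, `generic` included, into `generic/`. Restricting the match to the kernel image's basename and guarding on a non-empty result closes both cases, and `${CHROOT_ROOT}` should be quoted in the new lines as it already is in the `seed.yaml` test below. Separately, the copy rewrites `/usr/share/livecd-rootfs/live-build/apparmor/generic/` on the build host rather than anything under the chroot, so on a host that runs more than one build the override appears to persist into later builds that did not request it; if that is intended it deserves a comment such as `# NOTE: this permanently replaces the host's generic feature set and is not undone after the build`. `snap_validate_seed` continues past the end of the hunk.
```shell
if [ -e "${CHROOT_ROOT}/boot/vmlinuz" ]; then
    # take the version from the kernel image's file name only, never from the chroot path
    local kern_image
    kern_image=$(basename "$(readlink --canonicalize --no-newline "${CHROOT_ROOT}/boot/vmlinuz")")
    local kern_major_min
    kern_major_min=$(printf '%s\n' "${kern_image}" | grep --extended-regexp --only-matching --max-count 1 '^vmlinuz-[0-9]+\.[0-9]+' | cut -d- -f2)
    if [ -n "${kern_major_min}" ] && [ -d "/usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}" ]; then
        # … unchanged: comments and the cp -R override of generic/ …
    fi
fi
```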