Kernel_Feature_Matrix
John Johansen edited this page 2021-11-16 09:03:16 +00:00

Upstream kernel

Columns: kernel version; feature; required userspace version and notes. Bracketed numbers refer to the notes listed under each kernel version.

2.6.36 Base functionality lands upstream; mediation of [1]:
  • File
    • owner conditional
    • read, write, link, lock, mmap, exec
  • Execute
    • [pP]x, [cC]x, ix, ux, [pP]ix, [pP]ux named transitions
    • attachment conditional separate from profile name
  • Change hat
    • single hat
  • Change profile
  • Capability
  • policy namespaces created through policy load
  • rlimit
  • Bug fixes and code cleanups
[1] AppArmor 2.5.1
2.6.37 - 3.3 Bug fixes and code cleanups
3.4
  • Add support for extensible policydb [1]
  • feature set
    • add features/ directory as a userspace API to discover the kernel-supported feature set
    • add file mediation details
    • add capability mediation details
    • export known rlimit mappings
[1] AppArmor 2.8
3.5 Fail exec transitions due to no_new_privs
  • unconfined is allowed to transition to anything
  • inherit is allowed when task has nnp set
  • all other domain transitions are blocked when a task has nnp set
  • Bug fixes and code cleanups
3.6 - 3.10 Bug fixes and code cleanups
3.11
  • relax restrictions on setting rlimits
  • Bug fixes and code cleanups
3.12
  • support unconfined flag on any profile [4]
  • support multiple profiles being loaded in a single write [1]
  • introspection interface
    • add ability to query whether apparmor is enabled?
    • allow introspecting the loaded set of profiles, virtualized to the opening task's namespace, via the profiles file?
    • add policy/ directory which can be used to introspect profiles and namespaces of loaded policy?
      • add policy/namespaces/ dir to introspect policy namespaces
      • add policy/profiles/ dir to report on profiles loaded into the current namespace
        • report profile name in policy/profiles/PROFILE/name
        • report profile mode in policy/profiles/PROFILE/mode
        • report sha1 of profile in policy/profiles/PROFILE/sha1
        • allow a human-readable attachment string to be loaded and reported in policy/profiles/PROFILE/attach
  • feature set
    • export set of capabilities supported
  • Bug fixes and code cleanups
[1] AppArmor 2.10
[2] ???
[3] ????
[4] AppArmor 3.0
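The features/ directory (3.4) and the policy/profiles/ introspection interface (3.12) are plain securityfs files, so a host check can read them directly. The Python below is an added example, not code from the page or from the AppArmor project: it reports which permission bits each mediation class advertises and which loaded profiles are in complain mode. The file names (features/CLASS/mask, policy/profiles/ENTRY/{name,mode,sha1,attach}) are the ones listed on this page; the sample tree it builds is constructed here so the example runs offline, and the function and variable names are chosen for this example.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Default location of the AppArmor securityfs interface on a real host.
APPARMORFS = "/sys/kernel/security/apparmor"


def _read(path: Path) -> Optional[str]:
    """Read one apparmorfs attribute file; None if the kernel does not provide it."""
    if not path.is_file():
        return None
    return path.read_text().rstrip("\n")


def kernel_features(root: str = APPARMORFS) -> Dict[str, List[str]]:
    """Map each features/<class>/ directory (3.4+) to the entries in its mask file."""
    features: Dict[str, List[str]] = {}
    feat_dir = Path(root) / "features"
    for cls in sorted(p for p in feat_dir.iterdir() if p.is_dir()):
        mask = _read(cls / "mask")
        features[cls.name] = mask.split() if mask else []
    return features


def loaded_profiles(root: str = APPARMORFS) -> List[Dict[str, Optional[str]]]:
    """Walk policy/profiles/ (3.12+): name, mode, sha1 and attach of each visible profile."""
    profiles = []
    prof_dir = Path(root) / "policy" / "profiles"
    for entry in sorted(p for p in prof_dir.iterdir() if p.is_dir()):
        profiles.append({
            "name": _read(entry / "name"),
            "mode": _read(entry / "mode"),
            # sha1 is absent when profile hashing is disabled (4.8+ kconfig/kernel parameter)
            "sha1": _read(entry / "sha1"),
            "attach": _read(entry / "attach"),
        })
    return profiles


def complain_mode(profiles: List[Dict[str, Optional[str]]]) -> List[str]:
    """Profiles whose violations are only logged, not enforced."""
    return [p["name"] for p in profiles if p["mode"] == "complain"]


def build_sample_tree() -> str:
    """Constructed stand-in for apparmorfs so the example runs offline (not real kernel output)."""
    root = Path(tempfile.mkdtemp(prefix="apparmorfs-"))
    files = {
        "features/file/mask": "create read write exec append mmap_exec link lock\n",
        "features/capability/mask": "chown dac_override net_admin sys_admin\n",
        "features/rlimit/mask": "cpu fsize data stack core rss nproc nofile memlock as locks\n",
        "policy/profiles/nginx.10/name": "nginx\n",
        "policy/profiles/nginx.10/mode": "enforce\n",
        "policy/profiles/nginx.10/sha1": "0" * 40 + "\n",   # placeholder digest
        "policy/profiles/nginx.10/attach": "/usr/sbin/nginx\n",
        "policy/profiles/dhclient.11/name": "dhclient\n",
        "policy/profiles/dhclient.11/mode": "complain\n",
        # no sha1 file: models a kernel with profile hashing disabled
        "policy/profiles/dhclient.11/attach": "/sbin/dhclient\n",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(root)


if __name__ == "__main__":
    # Use the real interface when present (reading policy/ needs root), else the sample tree.
    root = APPARMORFS if Path(APPARMORFS).is_dir() else build_sample_tree()
    print("features:", kernel_features(root))
    profs = loaded_profiles(root)
    for prof in profs:
        print(prof)
    print("complain mode:", complain_mode(profs))
```

On a real host, point the functions at /sys/kernel/security/apparmor as root; the policy/ view is virtualized to the opening task's namespace (4.13), so a confined or namespaced task sees only its subset of policy.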
3.13 - 4.7 Bug fixes and code cleanups
4.8
  • allow CAP_SYS_RESOURCE to prlimit another task
  • add kernel parameter and kconfig to allow controlling if profile hashing is used
  • Bug fixes and code cleanups
4.9 - 4.10 Bug fixes and code cleanups
4.11
  • add /sys/kernel/security/lsm to enable detecting the LSMs currently in use
  • kernel parameters
    • remove paranoid load parameter; all policy loads now do full checking
  • speed up mediation by using per-CPU buffers
  • add sysctl /proc/sys/kernel/unprivileged_userns_apparmor_policy to allow disabling policy loading from user namespaces
  • add query interface for the extended profile key,value data store [1]
  • allow profile hashing to be disabled with a kconfig [2]
  • policy namespaces
    • add namespace view support and restrictions on visibility
    • add per-namespace policy interface files to directly load policy into a namespace
      • policy/namespaces/NAMESPACE/.load
      • policy/namespaces/NAMESPACE/.replace
      • policy/namespaces/NAMESPACE/.remove
  • allow introspecting, checkpointing and restoring loaded profile data via
    • policy/profiles/PROFILE/raw_abi
    • policy/profiles/PROFILE/raw_data
    • policy/profiles/PROFILE/raw_sha1
  • on exec, dup2 opened files that the task won't have permission to access onto a special .null device file [3]
  • Complain mode
    • support force complain flag [1]
    • try to create null profiles using the exec name, null-EXECNAME
  • feature set
    • add features/domain/fix_binfmt_elf_mmap to enable userspace to detect the semantic change caused by 9f834ec18def
  • report namespace name in audit messages
  • Bug fixes and code cleanups
[1] AppArmor 3.0
[2] Disables kernel profile load dedup to improve initial profile load performance
[3] Does not change file access permissions, just where the check is done. Can result in mediation that would not occur under the old scheme, because some inherited fds are never actually accessed.
[4] gen/logprof support???
4.12
  • kernel parameters
    • make path_max readonly
  • Bug fixes and code cleanups
4.13
  • add v7 ABI [1]
  • speed up path lookups with preallocated buffers
  • revalidate files at exec transition time
  • fine-grained ptrace mediation
  • domain bounding through profile stacking [1]
    • profile stacking API
    • extended change_profile to support profile stacking
    • support profile stacks in exec transitions
    • nnp restrictions loosened to any transition that is a strict subset: new profiles can be added to the stack, but profiles cannot be transitioned
  • apparmorfs interface
    • apparmorfs policy virtualization
      • the policy/ entry is now a special symlink to a virtualized policy directory
      • the policy/ directory is now virtualized based on the opening task's confinement, so tasks can only see the subset of policy in their view
    • add namespace-level rawdata files
      • unique profile-based rawdata files for each namespace in policy/raw_data/
      • profile raw_data files are now symlinks to the appropriate policy/raw_data/ files
    • mkdir/rmdir fs-based interface for creating namespaces
      • mkdir policy/namespaces/NAMESPACE
      • rmdir policy/namespaces/NAMESPACE
    • revision file interface [2]
      • read the current policy revision, and select/poll for when policy changes, via
        • revision for the current task's policy namespace revision
        • policy/revision for the current namespace revision
        • policy/namespaces/NAMESPACE/revision for a given namespace's policy revision
    • query interface
      • support multiple queries per query transaction [3]
      • support querying whether a profile supports a given mediation type [4]
  • feature set
    • add namespace support to available feature set
    • add label data query availability to feature set
  • Bug fixes and code cleanups
[1] AppArmor 2.10
[2] Library interface added in AppArmor 3.0; can be used directly with any AppArmor userspace version
[3] AppArmor 3.0
[4] AppArmor 3.0????
4.14
  • mount mediation [1]
    • new mount
    • remount
    • bind mount
    • change type
    • umount
    • pivot_root
  • signal mediation [2]
  • policy unpack log extended error messages
  • Bug fixes and code cleanups
[1] AppArmor 2.8
[2] AppArmor 2.9
4.15 - 4.16 Bug fixes and code cleanups
4.17
  • v8 ABI [1]
  • generic socket mediation (i.e. basic network mediation) [1]
  • improved profile attachment logic
    • handle overlapping expression resolution, up to 8 characters of dynamic overlap, in kernel [2]
    • xattr attachment conditional [1]
    • no_new_privs: improved attachment with a subset test based on the confinement at the time no_new_privs was entered [3]
  • signal mediation of profile stacks [4]
  • Bug fixes and code cleanups
[1] AppArmor 3.0, and requires policy using feature abi rules
[2] Any userspace that supports attachment conditionals, 2.5+
[3] No userspace requirements; reduces cases where nnp prevents a transition
[4] Same userspace as regular signal mediation, AppArmor 2.9
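The no_new_privs (nnp) rule is stated three times on this page: 3.5 (unconfined may go anywhere, otherwise only inherit), 4.13 (any transition that only adds profiles to the stack) and 4.17 (the subset test is taken against the confinement held when nnp was entered). The Python below is an added model of those three rules, not code from the page or from the kernel: a label is represented as the set of profile names on the task's stack, unconfined as the empty set, and NnpRule and nnp_transition_allowed are names chosen here. A True result only means nnp raises no objection; ordinary policy still has to allow the transition.

```python
from enum import Enum
from typing import FrozenSet, Optional

# A label is modeled as the set of profile names on the task's stack (assumption of
# this model); the unconfined label is the empty set.
Label = FrozenSet[str]
UNCONFINED: Label = frozenset()


class NnpRule(Enum):
    """Which kernel's no_new_privs transition rule to apply."""
    KERNEL_3_5 = "3.5"     # unconfined may go anywhere; otherwise only inherit
    KERNEL_4_13 = "4.13"   # any transition that keeps every current profile (stacking only)
    KERNEL_4_17 = "4.17"   # same subset test, but against the label held when nnp was entered


def nnp_transition_allowed(rule: NnpRule, current: Label, new: Label,
                           nnp_set: bool, nnp_label: Optional[Label] = None) -> bool:
    """Does the nnp check let a task confined by `current` exec into `new`?

    nnp_label is the task's label at the time it set no_new_privs (used by the
    4.17 rule); when None the model falls back to `current`.
    """
    if not nnp_set:
        return True                   # nnp not set: nothing for this check to restrict
    if current == UNCONFINED:
        return True                   # 3.5+: unconfined is allowed to transition to anything
    if rule is NnpRule.KERNEL_3_5:
        return new == current         # only inherit (label unchanged) is allowed
    if rule is NnpRule.KERNEL_4_13:
        return current <= new         # profiles may be added to the stack, never dropped or swapped
    baseline = nnp_label if nnp_label is not None else current
    return baseline <= new            # 4.17: compare against confinement when nnp was entered


if __name__ == "__main__":
    # Constructed scenario: task confined by {web}, sets nnp, stacks {log}, then execs.
    web, web_log, web_db = frozenset({"web"}), frozenset({"web", "log"}), frozenset({"web", "db"})
    for rule in NnpRule:
        print(rule.value, "web+log -> web+db, nnp entered at web:",
              nnp_transition_allowed(rule, web_log, web_db, True, nnp_label=web))
```

The last scenario is the case 4.17 relaxes: under the 4.13 rule the exec is refused because "log" would be dropped from the current stack, while 4.17 compares against the {web} label the task held when it entered nnp and allows it.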
4.18
  • add support for secids and using secctxs
  • the ability to get a task's secid
  • add support for audit rule filtering: the AppArmor task label can be used in audit rule filters
  • Bug fixes and code cleanups
No AppArmor userspace requirements.
4.19 Bug fixes and code cleanups
4.20
  • Secmark mediation for custom policy [1]
  • Bug fixes and code cleanups
[1] Custom patch not in upstream apparmor
5.0 Bug fixes and code cleanups
5.1
  • LSM stacking with generic blobs (sara/landlock). Does not include secids, so it is insufficient to stack with SELinux and Smack.
  • Bug fixes and code cleanups
No userspace requirements. There is a new kernel parameter, lsm=, that is used in place of the old security= parameter.
5.2 Bug fixes
5.5
  • raw policy data compression
  • buffer allocation converted to memory pool instead of per cpu buffers
  • increase left match history buffer to 24
5.6 kunit tests for policy unpack
5.7 memory leak bug fixes
5.8
  • add out of band transitions
  • more kunit tests
  • fix introspection of unconfined tasks
  • fix no_new_privs subset test for unconfined
5.16
  • improved locking on the query interface
  • fix capability checks when LSM stacking is used

SUSE/openSUSE kernel

Network rules are supported since sles11-sp1 (source: https://bugzilla.suse.com/show_bug.cgi?id=917431#c10)

Ubuntu Kernel