AppArmor 2.9.3 Release Notes

AppArmor 2.9.3 is an incremental bug fix release over AppArmor 2.9.2 that is focused on fixing issues in the userspace code.

Improvements and Bugs Fixed

aa-logprof, aa-genprof, aa-mergeprof
- ignore (no longer supported) hat declarations (“^foo,”)
- don't forget to write unix rules when saving a profile (, )
- fix handling link events
- fix crash with #include when hitting a capability or network log event ()
- ignore log events that look like file events (based on operation=), but aren't (, , , )
- fix crash on change_hat log events ()
- accept more log formats
- fix crash with hats in included files
- make sure pux, cux and CUx modes are accepted as valid
- fix handling capability rules in aa-mergeprof
- add python to the “no Px rule” list in logprof.conf
- map 'c' (create) log events to 'w' instead of 'a' - if a program opens a file without O_APPEND, 'a' permissions aren't enough
- several fixes on parsing and writing variable definitions
- fix aa-mergeprof crash on files containing more than one profile
- several small bugfixes
aa-complain, aa-enforce, aa-audit, aa-disable
- set the flags for all hats, not only in the main profile
- add a --no-reload parameter (
- work for non-existing binaries ()
- let aa-audit print a warning on disabled profiles ()
- let aa-complain delete the disable symlink
aa-status
- make check if a file is readable more robust ()
aa-notify:
- also display notification for complain mode events
tests
- use in-tree libapparmor by default and add support for USE_SYSTEM variable
- change minitools_test.py to use --no-reload so that they can run as non-root

Updates to the following profiles:

change /bin/ paths in all profiles to also match /usr/bin/
sbin.dhclient: allow executing nm-dhcp-helper and access to some files in /var/lib/dhcp6/ and /var/lib/NetworkManager/
sbin.syslog-ng: add several permissions (abstractions/openssl, reading the journal etc.) which are needed by the latest syslog-ng.
usr.bin.skype: allow reading @{PROC}/@{pid}/net/dev ()
usr.lib.dovecot.auth: allow writing to /var/run/dovecot/user-stats (needed by dovecot >= 2.2.22)
usr.lib.dovecot.lmtp: add openssl and ssl_keys abstractions
usr.lib.dovecot.imap: allow reading /run/dovecot/mounts
usr.lib.dovecot.dovecot-lda:
- allow to write tempfiles ()
- allow to execute sendmail ()
usr.lib.postfix.master: add 'k' permissions for master.pid
usr.sbin.avahi-daemon: allow write access to /run/systemd/notify (needed on systems with systemd)
usr.sbin.dnsmasq:
- allow /bin/sh and /bin/dash in addition to /bin/bash (, non-public)
- allow /dev/tty rw which is needed by the --dhcp-script's shell (, non-public)
- add attach_disconnected flag ()
usr.sbin.nscd: allow reading /proc/self/cmdline, needed for paranoia mode ()
usr.sbin.ntpd:
- add attach_disconnected flag (needed for using nscd)
- allow reading the directory listing of $PATH ()
usr.sbin.smbd: allow capability sys_admin which is needed because smbd stores ACLs in the security.NTACL namespace (Discussion on the Samba mailinglist)
usr.sbin.winbindd:
- update for Samba 4.2 (, )
- allow k for /etc/samba/smbd.tmp/msg/* ()

Updates to the following abstractions:

base: allow reading /usr/share/locale-bundle/ (contains translations in openSUSE)
nameservice: allow reading /run/systemd/resolve/resolv.conf
python: update for python3
samba: update for Samba 4.2 (, )
ssl_certs, ssl_keys: allow reading acmetool-generated certificates in /var/lib/acme/
X: allow unix connections to @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird

apparmor.d manpage:
- document @{pids} and @{apparmorfs}
- document realtime signals
fix incorrect statement in aa_change_profile manpage
aa_change_profile manpage:
- fix description of EPERM
- clarify handling of open file descriptors

fix error handling in rc.apparmor.suse for “rcapparmor kill” (non-public bug report)

AppArmor 2.9.3 includes revisions 3005 through 2911 from the 2.9 branch.