69 Release_Notes_3.0

John Johansen edited this page 2020-11-09 21:34:49 +00:00

Table of Contents

• Introduction
• Highlighted new features
• Important Notes
• Obtaining the Release
• gitlab release
• Launchpad Tarball
• Changes in this Release
• General improvments
• Build Infrastructure
• Policy Compiler (a.k.a apparmor_parser)
• Init
• Library
• Utils
• Policy
• abstractions
• profiles
• Documentation
• Translations
• Tests
• Note

AppArmor 3.0 was released 2020-10-01.

Introduction

AppArmor 3.0 is a major new release of the AppArmor user space that makes an important change to policy development and support. Its focus is transitioning policy to the new features abi and as such other new features have been limited.

Apprmor 3.0 is a bridge release between older AppArmor 2.x policy and the newer AppArmor 3 style policy which requires the declaration of a features abi. As such AppArmor 3.0 will be a short lived release, and will not receive long term support. The following AppArmor 3.1 feature release is planned to be a regular release, please take this into account when including AppArmor 3.0 into a distro release.

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied). And supports features released in the 4.20 kernel.

The kernel portion of the project is maintained and pushed separately.

Highlighted new features

• Policy now must declare the feature abi it was developed for if it is to use any new features. For further information please see the wiki.
• The use of profile names that are based on pathnames are deprecated. For further information please see the wiki.
• Support for new kernel features (requires appropriate features abi tagging in policy)
  • upstream v8 network socket rules
  • xattr attachment conditionals
  • capabilities PERFMON and BPF
• rewritten aa-status
  • supports use in systems/images where python is not available
  • supports kill, unconfined and mixed profile modes
• rewritten aa-notify
  • move from perl to python 3
  • shared backend with other python tools
  • support use of aa.CONFDIR instead of hard coded /etc/apparmor
  • improved message layout
• improved support for kernels that support LSM stacking
• support profile modes
  • enforce (default when no mode flag is supplied)
  • kill (experimental)
  • unconfined (experimental)
• reference policy updated for 3.0 feature abi
• basic support for systemd v246 early load of apparmor policy.
• new tool aa-features-abi for extracting feature abis from the kernel

Important Notes

• gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

  • libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
  • the docs for everything but libapparmor have already been built

• Potentially breaking change: AppArmor will now issue warning about policy that does not specify a feature abi if that policy is not pinned to a specific feature abi. AppArmor will compile such policy using a default feature abi instead of the kernels abi. For more information see the wiki.

• Potentially breaking change: AppArmor no longer loads snapd policy by default. It is expected that snapd users are using the snapd unit file. If this is not the case distros will need to revert 0164fd05 init: stop loading snap policy OR take advantage of systemd v246 early load of apparmor policy.

Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad. Important note: the gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

• libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
• the docs for everything but libapparmor have already been built

gitlab release

• https://gitlab.com/apparmor/apparmor/-/releases/v3.0.0

Launchpad Tarball

• https://launchpad.net/apparmor/3.0/3.0/+download/apparmor-3.0.0.tar.gz
• sha256sum: 66fd751fe51eb427d2aa864ee035b12d01d212fd595579275219b0148c43755e
• signature: https://launchpad.net/apparmor/3.0/3.0/+download/apparmor-3.0.0.tar.gz.asc

Changes in this Release

These release notes cover all changes between 2.13 (f97782b100) and 3.0 (5d51483bfe) apparmor-3.0 branch.

Includes all the bug fixes and improvements in

• 2.13.1
• 2.13.2
• 2.13.3
• 2.13.4
• 2.13.5

And the following improvements

General improvments

• drop obsolete code (MR:423,LP:692406,MR:416)
• remove use of perl as dependency for regular use (still required as a build/test dependency)
• fix typos, and formating
• update comments
• update references to wiki, and gitlab

Build Infrastructure

• Fix coverity scans (MR:145)
• cleanup Makefiles (MR:272,)
• CI Drop specifying python and pyflakes version (MR:483)
• cleanup compiler flags and make consistent

Policy Compiler (a.k.a apparmor_parser)

• make --config-file so it is no longer required to be the first option passed to the parser
• move default location of cache to /var/cache/apparmor/ (MR:156,debug904637)
• output deprecated warning when using filenames as a profile name (MR:506)
• Add the ability to turn off jobs to ease with debugging (MR:105)
• Improve warn flags and add support for -Werror (MR:600)
• improve capability handling so it is not variable to which kernel headers are installed (MR:578)
• support experimental enforce, kill and unconfined profile modes (MR:440,AABUG:7)
• add support for out-of-band transitions (MR:414)
• Support xattr exec attachment conditional (MR:270)
• improve static attachment overlap analysis providing better resolution when profile attachments overlap during exec (MR:326)
• improve cache handling when optimizations are used (MR:385)
• limit the number of passes expr tree simplification does to avoid degenerate cases.
• add missing permissions generation for using new kernel interfaces used by LSM stacking
• fix various build errors, warnings, and refactor code (MR:196,MR:196,MR:196,MR:616,MR:608,MR:569,MR:590,MR:561,MR:146)
• Fix debug builds MR:609
• remove resource leaks (MR:439)
• fix cross compilation with libintl (MR:485)
• remove deprecated dynamic exception specifications (MR:356)
• Improve error message format (MR:610)
• cleanups and distro compatibility improvements (MR:512)
• fix python deprecation warnings (MR:492)

Init

• drop dead code (MR:269,MR:263)
• cleanup handling of mountpoints (MR:394)
• add is_container_with_internal_policy() function. (MR:252,debug917874,LP:1377338)
• set SFS_MOUNTPOINT in is_container_with_internal_policy() (MR:363)
  • Adjust cache paths in apparmor.service (MR:134)
• fix return codes (MR:256)
• ignore .orig and .rej files when loading profiles (MR:282)
• fix issues detected by shellcheck (MR:293)
• Don't try to list files in a non-existent directories (MR:252,debug917874,LP:1377338)
• add support for an additional profiles directory, defaulting to /var/lib/snapd/apparmor/profiles (MR:252,debug917874,LP:1377338)
• warn when the profiles directory cannot be found (MR:252,debug917874,LP:1377338)
• suppress warnings when booting in quiet mode (MR:252,debug917874,LP:1377338)
• use the parser's automatic parallelization (MR:252,debug917874,LP:1377338)
• make posix-compatible (MR:355,LP:1377338)
• improve slackware support (MR:432)
• aa-teardown
  • install in /usr/sbin not /sbin (MR:97)
  • use /bin/sh instead of /bin/bash (MR:115)

Library

• build with -fPIC (MR:422)
• make compile flags consistent, and add -Wimplicit-fallthrough (MR:549,MR:403)
• fix signed vs unsigned comparison issues (MR:549,MR:558)
• fix warning from new compiler warn flags (MR:561)
• require python3 (MR:481)
• support new apparmor proc attr interfaces
• Make libapparmor LSM stacking aware
• Support alternate libc implementations (MR:245,debug909966,debug798955)
• improve CI integration (MR:434,MR:433)
• Fix cross compilation (MR:462)
• update API documentation (MR:559)
• new api fn to lookup of features value (MR:578)
• add log testcases for exec with and without target= (MR:405)

Utils

• fix cross compilation with libintl (MR:485)
• fix build to use compiler warning flags (MR:542)
• fix cleanup
• aa-enabled
  • make LSM stacking aware
• aa-status
  • rewrite so it standalone and doesn't have external dependencies so it can be used in minimal installs (MR:473,LP:1865519)
  • make LSM stacking aware
  • support mixed, kill, and unconfined profile modes
  • bump json version
• aa-exec
  • Improve error, debug and verbose messages (MR:128)
  • Improve handling of errors when changing profiles fail (MR:129)
  • Error out on conflicting aa-exec parameters (MR:540)
  • fix warning from new compiler warn flags (MR:561)
• aa-decode
  • rewrite in python (MR:321)
• aa-notify
  • Re-implement aa-notify in Python (MR:341,AABUG:16)
  • use aa.CONFDIR to find configuration (MR:372)
• genprof, logprof and aa python library,
  • error out when alias declared inside of a profile (MR:116)
  • add support for xattr attachment conditionals (MR:285)
  • Extend common DebugLogger with option to log to stderr (MR:325)
  • fully support 'include if exists' (MR:499,MR:507,LP:1738879)
  • support abi rules (MR:525)
  • rewrite handling of alias rules (MR:526, MR:550)
  • rewrite handling of include rules (MR:537)
  • rewrite handling of variable rules (MR:544, LP:1331856)
  • merge and remove duplicated code from aa-mergeprof (MR:536)
  • let logprof only propose abstractions without '# LOGPROF-SUGGEST: no' (MR:254)
  • Get rid of is_covered_aare_compat() (MR:478)
  • rewrite log handling and simplify converting log events to aa-logprof proposals (MR:377)
  • rewrite handling of link rules (handled in FileRule now) (MR:371)
  • add change_profile support ([MR:631](MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/631))
  • lots of cleanup and improvements

Policy

• improve CI integration of shipped policy (MR:449)
• add permissions to access new apparmor api interfaces where necessary
• use @{PROC} and @{run} throughout policy (MR:455)
• adjust local include to use "include if exists" (MR:489
• tag policy with te AppArmor 3.0 abi (MR:491,MR:555)
• move from "#include" to "include" (MR:553,MR:563)
• new @{etc_ro} and @{etc_rw} variables and use in policy (MR:585)

abstractions

• General changes
  • update abstractions to support local additions directory
  • test abstractions against apparmor_parser (MR:237)
• apache2-common
  • fix path for apache2 stapling-cache (MR:133)
• base
  • allow mr on .so in common library paths (MR:345,Tails16414)
  • support suse /usr/etc/ (MR:447,BOO:1161756)
  • add FIPS-140-2 lib validation hmac files to abstractions/base (MR:595,Bug: LP:1891664)
• dbus-session-strict
  • make x11 socket read-only(MR:281)
• dri-common
  • added ability to read /usr/share/drirc.d/ directory (MR:314,MR:308)
• exo-open
  • new abstrction (MR:404,MR:467,AABUG:)
• fonts
  • updat for Debian and openSUSE (MR:96)
• freedesktop.org
  • treat Flatpak exports the same way as bits shipped by the distro (MR:71)
• gio-open
  • new abstrction (MR:404)
• gvfs-open
  • new abstrction (MR:404)
• hosts_access
  • new abstraction for tcpwrappers style access to hosts files (MR:605,LP:1864466)
• kde
  • treat Flatpak exports the same way as bits shipped by the distro (MR:71)
• kde-open
  • new abstrction (MR:404)
• launchpad-integration
  • disallow writes to thumbnailer dir (MR:203,LP:1788929)
• mesa
  • new abstraction (MR:137)
  • allow locking shader cache (MR:148)
• nameservice
  • allow accessing the libnss-systemd VarLink sockets and DBus APIs (MR:480)
  • support suse /usr/etc/ (MR:447,BOO:1161756)
• nvidia
  • allow reading application profiles (MR:125)
• nss-systemd
  • allow accessing the libnss-systemd VarLink sockets and DBus APIs (MR:480)
• opencl
  • new abstraction support for POCL, Mesa Clover, Intel Beignet and NVIDIA CUDA (MR:124)
• opencl-nvidia
  • disallow writes to thumbnailer dir (MR:203,LP:1788929)
• php-fpm
  • fix worker name (MR:619)
• private_files
  • deny access to mutt files (MR:276)
  • disallow writes to thumbnailer dir (MR:203,LP:1788929)
• private_files_strict
  • deny access to aws files (MR:276)
  • disallow writes to thumbnailer dir (MR:203,LP:1788929)
• qt5
  • new abstraction with common rules for qt5 based applications (MR:99)
• qt5-compose-cache-write
  • fix anonymous shared memory access (MR:302)
• qt5-settings-write
  • fix anonymous shared memory access (MR:302)
• samba
  • allow smbd to load new shared libraries (MR:121,BOO:1092099)
  • allow winbindd to read and write new kerberos cache location (MR:121,BOO:1092099)
  • support Arch (MR:411)
• ssl_certs
  • add letsencrypt support (MR:283)
  • update for dehydrated (MR:299)
  • add dehydrated certificate location (MR:161)
  • add for CertBot on openSUSE Leap (MR:397)
• ssl_keys
  • add letsencrypt support (MR:283)
  • update for dehydrated (MR:299)
  • add dehydrated certificate location (MR:161)
  • add for CertBot on openSUSE Leap (MR:397)
• ubuntu-browsers
  • remove obsolete NPAPI support (MR:417)
  • disallow writes to thumbnailer dir (MR:203,LP:1788929)
• ubuntu-email
  • support launching Thunderbird
• Vulkan
  • add new abstraction (MR:126)
• wayland
  • make x11 socket read-only (MR:281)
• X
  • make x11 socket read-only (MR:281)
• xdg-open
  • new abstrction (MR:404)

profiles

• General changes
  • move profiles to short names with attachments instead of file pathnames ([MR:565](https://gitlab.com/apparmor
  • support distributions which merge sbin into bin /apparmor/-/merge_requests/565),MR:620)
• chromium profile
  • import from ubuntu and fixup to be more generic (MR:606)
  • cleanup comments, /lib/ and /usr/lib cleanups, suport lib{32,64} (MR:611)
• dhclient
  • Add path for Fedora/RHEL/CentOS/Oracle Linux (MR:291)
  • Support correct path for lease file on IPv6 (MR:291)
  • fix for debian buster (MR:570)
• dhcpd
  • Support lease file for IPv6 (MR:291)
• dnsmasq
  • Add pid file used by NetworkManager (MR:288)
  • Adjust pattern for log files to comply SELinux (MR:288)
  • allow peer=libvirtd to support named profile (MR:304,BOO:1118952)
  • add paths for NetworkManager connection sharing
• dovecot
  • allow access to suid_dumpable (MR:286)
  • move from ssl to OpenSSL access (MR:337)
  • auth processes need to read from postfix auth socket (MR:336)
  • let dovecot/anvil rw the auth-penalty socket (MR:336)
  • allow chroot'ing the auth processes (MR:336)
  • allow FD passing between dovecot and dovecot's anvil (MR:336)
  • align {pop3,managesieve}-login to imap-login (MR:338)
  • restrict access by owner to the dovecot/config socket (MR:338)
  • align {pop3,managesieve}-login to imap-login (MR:338)
  • add configuration files created by openresolv (MR:457)
  • allow apparmor api access (MR:566)
• fingerd
  • needs lock access on /run/utmp (MR:153)
• freshclam
  • add pidfile and /var/lib/clamav access (MR:381)
• lighttpd
  • minor updates, added Debian/Ubuntu integration (MR:153)
• lsb_release
  • added permissions needed by openSUSE implementation (MR:154)
• mysqld
  • Allow mysqld directory for MySQL PID file (MR:450)
• nmdb
  • support Arch (MR:411)
• ntpd
  • allow access to ntp clockstat
  • add openntpd drift and socket files
  • support void linux binary location
• ping
  • support void linux binary location
• php-fpm
  • allow only one pid file (MR:601)
  • fix profile name in signal and change_profile rule (MR:601)
  • profile: adjust /run paths (MR:601)
  • Add php-fpm isolation with apparmor hats (MR:577)
  • allow only one pid file (MR:617,AABUG:115)
• postdrop
  • • Allow to read icu *.dat files in postfix-related profiles (MR:546)
• postfix
  • Allow access to dynamicmaps (MR:284)
  • eliminate redundant rules (MR:284)
  • allow reading icu *.dat (MR:615)
• postmap
  • Allow to read icu *.dat files in postfix-related profiles (MR:546)
• postqueue
  • Allow to read icu *.dat files in postfix-related profiles (MR:546)
• sendmail
  • Allow to read icu *.dat files in postfix-related profiles (MR:546)
• smbd
  • support Arch (MR:411)
• sshd
  • need write access to Kerberos ticket cache (MR:153)
• statd
  • updated so that it works on modern env (MR:153)
• traceroute
  • support void linux binary location
• useradd
  • support usr-merge (MR:152)
• windbindd
  • support Arch (MR:411)
• wireshark (MR:143)
  • allow saving pcaps with optional gzip compression
  • allow creating QT compose cache
  • restrict hidden file creation under ~/.config/
  • drop useless/redundant rules
  • fix access to configuration profiles
  • add a comment for QtProject.conf rules
  • mention that dri rules were backported from abstraction/dri-enumerate
  • incorporate feedback from Talkless an cboltz

Documentation

• update bug reporting and documentation to use gitlab
• apparmor.d
  • update language description with over arching info, eg. declarative
  • update network address family names list [6b2765637e]
  • add info on profile header (MR:505)
  • add info on kill and unconfined profile modes (MR:440,AABUG:7)
  • add info on xattr attachment conditionals MR:270
  • add info on feature abis (MR:491)
  • add info on pinning and feature abi interation (MR:570)
  • fix dbus example
  • fix typos and whitespacing issues
• apparmor_parser
  • Add info on disabling jobs ([MR:105]:https://gitlab.com/apparmor/apparmor/merge_requests/105)
  • Add info on config-file
  • Add info on feature abi options (MR:491](https://gitlab.com/apparmor/apparmor/-/merge_requests/491),579)
  • Add info on -Werror and warn flags (MR:600)
• apparmor
  • Document various debugging options (debug:826218)
• aa-status
  • document kill, unconfined and mixed modes
• libapparmor
  • document aa_features_new_from_file() (MR:491)
  • document aa_features_value() (MR:578)
• new xattrs man page

Translations

• sync translation from launchpad

Tests

• Add tests for aa-notify (MR:324)
• Add some tests for complex profile names (MR:360)
• Add tests for shared aa library functions used in command line scripts (MR:328)
• Add testcases for 'owner link' rules (MR:369)
• fix policy cache test to work correctly with hierarchial caches (MR:348)
• fix usr-merge failures in test-aa.py (MR:331,LP:1390592) -regression tests
  • Add a build-dep target to Makefile to aid in setup
  • fix swap test permission warning (MR:108)
  • Add NO_NEW_PRIVS regression tests (MR:408,MR:424)
  • support building policy cache tests against older versions of libapparmor (MR:407)
  • make LSM stacking aware (MR:504)
  • use --config-file in tests so they are unaffected by the system parser.conf file
  • add FIPS-140-2 lib validation hmac files (MR:595,Bug: LP:1891664)
  • fix usr-merge failures, use realpath when generating inierpreter profile (MR:331,LP:1390592)

Note

There is a semantic change in the 4.8 kernel (commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46) that affects apparmor policy enforcement. Specifically it affects when the m permission bit is checked for elf binary executables. Policy and tests within apparmor 2.12 and later have been updated to support running on pre 4.8 and 4.8+ kernels.