Introduction

AppArmor 3.1.1 is a new release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately. It encompasses all the changes of the AppArmor 3.1 release (that was discarded due to a late stage library versioning) and the library versioning fix

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied).

Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad.

Important note: the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
the docs for everything but libapparmor have already been built

gitlab

https://gitlab.com/apparmor/apparmor/-/releases/v3.1.1

Launchpad

https://launchpad.net/apparmor/3.1/3.1.1/+download/apparmor-3.1.1.tar.gz
sha256sum: cd52a5643c115b223c199e96ab03d6d5d7d72c266ac23cf74a08f32f003af9d7
signature: https://launchpad.net/apparmor/3.1/3.1.1/+download/apparmor-3.1.1.tar.gz.asc

Changes in this Release

These release notes cover all changes between 3.0 (5d51483bfe) ) and 3.1.1 (ea127f13cd) on the apparmor-3.1 branch.

Init

rc.apparmor.functions: only use systemd-detect-virt if it's present (MR:896)
profile-load: use safer and less ambiguous shell constructs (MR:849, LP:1058356)
Make the systemd unit a no-op in containers with no internal policy (MR:840, (LP:978297))
Import profile-load script from Debian (MR:841)
Lint and fix shell code and add shellcheck CI job (MR:842)
Remove unused init scripts, minor improvement to Slackware init script output (MR:845)
Drop unused failstop_system() from rc.apparmor.functions (MR:835)
Simplify profiles_names_list() (MR:834)
Drop now-obsolete comment about skip_profile() (MR:833)
Enable AppArmor to run properly under WSL/systemd (MR:812)
make xargs invocation busybox-compatible (MR:828)
drop use of xargs as fallback when loading profiles (LP:1377338)

Library

Cleanup Python Style Guide Infractions (MR:906)
Fix setuptools version detection in buildpath.py (MR:904, AABUG:39)
Support setuptools >= 61.2 in Python tests (MR:897)
Remove Python 2 support (MR:894)
fix debug build of log parsing ((https://gitlab.com/apparmor/apparmor/-/merge_requests/799), AABUG:196)
fix log parsing for socklogd ((https://gitlab.com/apparmor/apparmor/-/merge_requests/799), AABUG:196)
fix memory leaks in logparsing ((https://gitlab.com/apparmor/apparmor/-/merge_requests/799), AABUG:196)
fix debug build of log parsing ((https://gitlab.com/apparmor/apparmor/-/merge_requests/799), AABUG:196)
fix error value returned from features_lookup functions. (MR:780)
fix stacking and avaiable interface checks (MR:713, AABUG:150)
Do not abuse AC_CHECK_FILE (MR:728, debug984582)
look up python-config using AC_PATH_TOOL (MR:729, debug984582)
fix setting proc_attr_base (MR:701)
Honor global LDFLAGS when building python library (MR:689, AABUG:129)
add missing include for socklen_t (MR:642)
update Symbol visibility (MR:643)
update rules around the library version
fix handling of failed symlink traversal (MR:850, AABUG:215)
fix building with link time optimization (lto) (MR:831, AABUG:214)
Fix ruby 3.1 build for libapparmor (AABUG:206)
alphasort directory traversals (MR:706, AABUG:147)
fix failure in procattr accesses due to domain change (MR:681, AABUG:131)

Policy Compiler (a.k.a apparmor_parser)

fix build failure by adding missing include (MR:882)
fix building with link time optimization (lto) (MR:851, AABUG:214)
Add support for 'mctp' network domain keyword (MR:832)
Move to pregenerated af_names.h similar to cap_names.h (MR:808, AABUG:195)
Fix unknown state condition RLIMIT_MODEINCLDE (MR:803)
add implicit rules for apparmor api checks (MR:713, AABUG:150)
fix handling of jobs (MR:775)
fix comments (MR:752)
add include dedup cache to handle include loops (MR:743, BOS:1184779)
speedup dfa generation by replacing dynamic_casts (MR:711)
Add support for CAP_CHECKPOINT_RESTORE (MR:654)
Fix warning message when complain mode is forced (MR:649, LP:1899218)
fix min length calculation for inverse character sets
begin deprecation process for #include
fix LTO build (MR:901, AABUG:214)
fix cache time stamp check to include dir time stamps (MR:760)
CAP_AUDIT_READ is only available after Linux 3.16 (MR:767)
move ifdefs for capabilities to single common file (MR:768)
Fix invalid reference to name in attachment warning
fix filter slashes for profile attachments (MR:727, AABUG:154)
Fix make DEBUG=1 (MR:745)
fix filter slashes for link targets (MR:723, AABUG:153)
fix rule downgrade for unix rules (MR:700, BOO:1180766)
fix build issue with REALLOCARRAY check (MR:712)
fix --jobs so jobs scaling is applied correctly (MR:703)
enable the parser to do some rough tuning based on memory and cpu (MR:702)
fix warning for rule not enforced (MR:699, AABUG:144)
don't abort profile compile if the kernel is missing caps/mask (MR:691, AABUG:140)

Bin Utils

aa-feature-abi
- fix failure to close fd due to shadowed var decl (MR:804)
- make -f short arg actually be accepted (MR:804)
aa-status
- Fix build issue with musl MR:647
- fix crash due to \n in profile name (MR:824, AABUG:211)

Utils

Cleanup Python Style Guide Infractions (MR:906)
check if abstractions exist (MR:683, BOO:1178527)
support and use --configdir in all aa-* utils (MR:670)
Ensure opened files are closed. (MR:885, MR:898, AABUG:239, AABUG:239)
Remove Python 2 support (MR:894)
Speed up list creations, and change lists to tuples where appropriate. (MR:889)
Avoid unnecessary memory copies when enlarging lists. (MR:886)
inline check_profile_dir() into init() (MR:874)
add a common reload_profile() function to aa.py (MR:855)
reduce and improve subprocess calls (MR:856)
Lint and fix shell code and add shellcheck CI job (MR:842)
Drop superfluous shebang from python module (MR:846)
Add support for 'mctp' network domain keyword (MR:832)
convert utils to use dicts (MR:817, MR:764)
Add support for reading s390x and aarch64 wtmp file (MR:809, BOO:1181155)
cleanup and use more broadly imports from apparmor.common (MR:794)
use internal which implementation (MR:784)
Store empty xattrs as empty string (MR:786)
Fix crash when prompting user about an exec (MR:763)
remove unnecessary flag parameters, and use correct amout of whitespace around kept flags (MR:759, MR:757)
preserve comments, profile and hat keywords in parse (MR:758, MR:756)
cleanup profile storage code (MR:754, MR:751)
Rework internal profile storage and handling in the aa-* tools (MR:736, MR:749, MR:734, MR:733, MR:709)
Detect endless #include loop when parsing profiles (MR:742, BOS:1184779)
don't return empty AUDIT section (MR:731)
Use parse() instead of _parse() in LogprofHeaderTest (MR:718)
drop superfluous parameters in ask_conflict_mode (MR:732)
Improve and simplify profile parsing (MR:719)
only load tunables and abstractions (MR:714)
Simplify handling of in_contained_hat (MR:710)
add preamble_ruletypes (MR:708)
support boolean variable definitations (MR:693)
Fix hotkey conflict in utils de.po, id.po and sv.po (MR:675)
Add CAP_CHECKPOINT_RESTORE to severity.db (MR:656)
replace deprecated distutils with setuptools (MR:813, AABUG:202)
fix make -C profiles check-logprof fails (MR:663, AABUG:36)
split linting with PYFLAKES into a separate target (AABUG:121)
aa-autodep
- load abstractions on start (MR:682, BOO:1178527)
aa-decode use grep -E instead of egrep (MR:792)
aa-logprof
- Add new python versions to logprof.conf (MR:795, AABUG:193)
aa-notify
- Add .desktop file (MR:839)
- avoid crash on log events without operation= (MR:797, AABUG:194)
- Skip test if it can not access /var/log/wtmp (MR:641, AABUG:120)
- don't crash if the logfile is not present due to rotation (MR:688, AABUG:130)
- Stop aa-notify from exit after 100s of polling (MR:660, AABUG:126)
aa-remove-unknown
- abort on parser failure (MR:836)
- Drop superfluous $0 parameter from usage() (MR:785)
aa-unconfined
- Improve fallback handling to attr/current (MR:801, AABUG:199)

apparmor.vim

add support for abi rules (MR:690)

Policy

tunables

Define @{HOMEDIRS} before using it in @{HOME} (MR:820, debug1003158)

abstractions

apache2-common
- update so that other processes can trace the hats that include the abstraction (MR:852, debug1003153)
authentication
- Allow reading /etc/login.defs.d/ (MR:774, BOO:1188296)
crypto
- create new abstraction refactor other abstractions to use it (MR:772)
exo-open
- Remove dbus deny rule (MR:884)
fonts
- Add Fontmatrix (MR:657)
gtk
- new GTK abstraction (MR:825, AABUG:168)
- add support for gtk4. (MR:857)
ibus
- Allow access to socket directory used by recent ibus-daemon (MR:837)
is_enabled
- new apparmor api abstraction is_enabled (MR:713, AABUG:150)
mesa
- Update to support current versions (MR:879)
- tightens cache location and add fallback (MR:652, AABUG:91)
nss-systemd
- Allow access for systemd-machined names (MR:861, LP:1964325)
ntpd
- use abstraction/ssl_certs (MR:698)
openssl
- allow /etc/ssl/{engdef,engines}.d/ (MR:818)
php
- Allow reading all of /etc/php[578]/** (MR:876, AABUG:229, BOO:1186267#c11)
- support PHP 8 (MR:755, BOO:1186267)
python
- update perms and merge /usr/ and /usr/local/ rules (MR:814)
- update for python 3.10 (MR:783, AABUG:187)
private-files-strict
- new deny path for kwallet (used in KDE 5) (MR:704)
samba
- Squash noisey setsockopt calls. (MR:867)
- allow libldb2 paths (MR:821, BOO:1192684)
- allow use of /run/lock/samba (MR:805)
snap_browsers
- add new snap-browsers abstraction (MR:806
- update to support newer browsers (MR:877)
ssl_certs
- extend pki/trust directories (MR:864)
- allow reading crypto policies (MR:720)
- add /etc/ca-certificates/ and /etc/libressl/ (MR:698)
trash
- new abstraction (MR:738, AABUG:160)
ubuntu-browsers
- Add support from brave (MR:667)
ubuntu-browsers.d/ubuntu-integration
- use abstractions/exo-open (MR:666)
ubuntu-browsers.d/user-files
- new deny path for kwallet (used in KDE 5) (MR:704)
ubuntu-helpers
- Fix: Opening links with Chrome (MR:830)
- Include local customization (MR:796, debug990499)
- Add support from brave (MR:667)
video
- sys rule (MR:791)
- update for latest permissions (MR:740, AABUG:159)
wayland
- fix for compositors based on wlroots (MR:725, AABUG:143)
wutmp
- Add missing rule in wutmp abstraction (MR:724, AABUG:152)
X
- Allow (only) reading X compose cache (MR:685)
- make x11 socket writable again (MR:664)
- Adjust for new ICEauthority path in /run (MR:668)

profiles

update for python 3.10 (MR:783, AABUG:187)
avahi-daemon
- Add missing /proc permissions (MR:811, AABUG:203)
dhclient
- Fix invalid Pux (should be PUx) permissions in dhclient-script (MR:676)
- fix to work on debian buster (MR:645)
- allow setting task comm name (LP:1918410)
dhcpd
- add rule for port_range (MR:726, LP:1901373)
dnsmasq
- Add missing r permissions for libvirt_leaseshelper (MR:905, BOO:1202161)
- allow paths for podman dnsname plugin in rootless mode (MR:909)
- allow paths for podman dnsname plugin (MR:800, BOO:1190271)
- Permit access to /proc/self/fd/ (MR:659)
dovecot
- Add missing permissions for dovecot-{imap,lmtp,pop3} (MR:881, BOO:1199535)
- Allow dovecot to use all signals (MR:865)
- allow Prometheus metrics end-point in dovecot/stats (MR:776)
- allow reading dh.pem (MR:671, debug10)
- allow kill signal
firefox
- Add support for widevine DRM (MR:684)
nscd
- service fails with apparmor 3.0.0-2 on Arch Linux (MR:651, AABUG:124)
- fix conflict with systemd-homed (MR:707, AABUG:145)
postfix
- update for current versions (MR:753, MR:717)
- allow access to *.lmdb files (MR:717)
samba
- Add profile for samba-bgqd (MR:871, BOO:1191532)
- support paths used by Arch Linux (MR:883)
- update samba-dceprpc & samba-rpcd-* (MR:880, BOO:1198309)
- support samba-4.16 (MR:871, BOO:1198309)
- Fix read access denied on /proc/*/fd (MR:860)
- allow reading openssl.cnf (MR:862, BOO:1195463)
- allow reading under /usr/share/samba (MR:853)
- include snippet generated at runtime on Debian and openSUSE (MR:838)
- Fix file_mmap violation for MR:819, BOO#1192336)
rpc.statd
- add hosts_access abstraction and /etc/nfs.conf{,.d/} (MR:866)
syslogd
- Update support for inetutils-syslogd (MR:888)
zgrep
- new profile (MR:870)
- allow executing egrep and fgrep (MR:892)
- allow zstd (MR:878)
- allow executing /usr/bin/expr (MR:873, BOO:1198531)

Tests

Cleanup Python Style Guide Infractions (MR:906)
Fix utils testing of parser. Set (instead of compare) exresult (MR:907)
dirtest.sh: don't rely on apparmor_parser -N's output sort order to be deterministic (MR:900)
Remove Python 2 support (MR:894)
Fix inconsistent return length when testing the parser (MR:890)
Speed up list creations, and change lists to tuples where appropriate. (MR:889)
Add empty and cut-off bad abi rule tests (MR:875)
parser test dirtest.sh: error out on unexpected success (MR:868)
make test-aa-notify test_help_contents () less strict (MR:848, AABUG:220)
shellcheck: skip files generated during libapparmor build (MR:847)
Lint and fix shell code and add shellcheck CI job (MR:842)
add attach_disconnected tests (MR:810)
disable file query test for kernels that don't provide the query feature (MR:769)
Make order of variable replacements constant (MR:790)
fix aa_policy_cache when using system parser (MR:782)
add options to skip specific profiles (MR:677)
Fix location of config dir (MR:762, AABUG:177)
test recursive include in preamble (MR:750)
Rewrite gen-dbus in python (MR:747)
utils: Increase include and abi rule test coverage to 100% (MR:741, MR:735)
severity.py: bump test coverage to 100% (MR:737)
Enable minitools tests (MR:696)
add re_match_include_parse() test with invalid rule name (MR:695)
Add missing test for ProfileList add_alias() (MR:694)
Convert gen-xtrans from perl to python (MR:673)
Fix regression tests when using in tree parser (MR:653)
Test for full parser error messages, not parts (MR:632)
fix aa_policy_cache when using system parser (MR:788)
check for loopback module on pivot_root test (MR:781)
fix test failure due to mmap semantic changes
fix i18n.sh regression test on arm64 (MR:765, LP:1932331)
Add README on tests regarding single test execution (MR:761)

infastructure

gitlab-ci: enable Secret-Detection and a few SAST analyzers (MR:844)
gitlab-ci: parallelize across multiple jobs, only install necessary dependencies (MR:843)
gitlab-ci: Lint shell code and add shellcheck CI job (MR:842)
add built test files to gitignore (MR:826)
CI: always collect test artifacts (MR:787)
Generate and keep html in utils coverage-regression (MR:771)
Add aa-features-abi and utils coverage files to .gitignore (MR:748)
enable utils coverage-regression checks in CI (MR:697)

Documentation

tree wide spelling, comment and typo fixes (MR:687, MR:887, MR:789, AABUG:192, MR:692, MR:669, MR:650, MR:646, MR:777)
Improve AARE documentation in apparmor.d manpage (MR:715)
fix parser.conf commenting on pinning an abi (MR:648)
update generated pot files
apparmor.7 add info about complain mode and kernel parameters (MR:722)