WARNING: this is an alpha, NOT a release - the release is targeted for fall 2023
AppArmor 4.0-alpha4 was released 2024-02-02.
Introduction
AppArmor 4.0 is a major new release of AppArmor that is still in development. These are not complete release notes covering everything in alpha4; they only highlight new or important developments.
AppArmor 4.0 is a bridge release between the older AppArmor 3.x policy and the newer AppArmor 4 style policy, which introduces several new features that are not backwards compatible. As such, AppArmor 4.0 will be a short-lived release and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release; please take this into account when including AppArmor 4.0 in a distro release. For questions around compatibility, see the compatibility matrix.
These release notes cover changes between AppArmor-4.0~alpha3 and AppArmor-4.0~alpha4.
Note
- Some features will work with older kernels, but many of the features in AppArmor 4 will require a development kernel.
- The kernel portion of the project is maintained and pushed separately.
- AppArmor 4.0 contains all bug fixes and policy updates from AppArmor 3.1.
- Some new features will not be fully supported in some utilities. In these cases it was decided that releasing a new feature earlier had more benefit than delaying it for full utility support. Please see the feature support matrix.
Highlighted new features in alpha 4
New Profile Flag
New Mediation Rules
utils
- aa-status
  - fix json output
  - separate error messages from regular output
- apparmor development utilities (aa-logprof, ...)
  - support the all rule
  - exec events in hats are no longer skipped
- aa-cleanprof
  - fix to work with named profiles
Policy
unprivileged_userns: special profile that unconfined transitions to when it creates an unprivileged user namespace.
- Improvements
  - abstractions/audio
  - abstractions/ubuntu-browsers.d/kde
  - abstractions/nameservice
  - abstractions/wutmp
  - abstractions/snap_browsers
  - firefox
- New policies for applications that use unprivileged user namespaces
  - 1password
  - Discord
  - MongoDB_Compass
  - QtWebEngineProcess
  - brave
  - buildah
  - busybox
  - cam
  - ch-checkns
  - ch-run
  - chrome
  - code
  - crun
  - firefox
  - flatpak
  - github-desktop
  - ipa_verify
  - lc-compliance
  - libcamirify
  - linux-sandbox
  - lxc-attach
  - lxc-create
  - lxc-destroy
  - lxc-execute
  - lxc-stop
  - lxc-unshare
  - lxc-usernsexec
  - mmdebstrap
  - msedge
  - obsidian
  - opera
  - plasmashell
  - podman
  - polypane
  - qcam
  - rootlesskit
  - rpm
  - runc
  - sbuild
  - sbuild-abort
  - sbuild-adduser
  - sbuild-apt
  - sbuild-checkpackages
  - sbuild-clean
  - sbuild-createchroot
  - sbuild-destroychroot
  - sbuild-distupgrade
  - sbuild-hold
  - sbuild-shell
  - sbuild-unhold
  - sbuild-update
  - sbuild-upgrade
  - signal-desktop
  - slack
  - slirp4netns
  - steam
  - stress-ng
  - surfshark
  - systemd-coredump
  - thunderbird
  - toybox
  - trinity
  - tup
  - userbindmount
  - uwsgi-core
  - vdens
  - virtiofsd
  - vivaldi-bin
  - vpnns
  - wpcom
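As an added example that is not one of the profiles listed above, here are the two ways 4.0 policy can handle an application that creates unprivileged user namespaces: a profile carrying the new `unconfined` flag, which leaves the program unrestricted but, because it is attached to a profile instead of running unconfined, is not transitioned to `unprivileged_userns`; and a regular confined profile carrying the same `userns` rule. The paths `/usr/bin/example-app` and `/usr/bin/example-sandbox` and the profile names are placeholders.

```apparmor
# Added example profiles with placeholder paths and names, not project policy.
# Declare the 4.0 policy ABI so the parser accepts the userns rule and the
# unconfined profile flag (both are listed as breaking 3.x in the matrix).
abi <abi/4.0>,

include <tunables/global>

# Pattern 1: the application keeps running without restrictions, but it
# now has a profile attached, so creating a user namespace does not
# transition it to the special unprivileged_userns profile.
profile example_app /usr/bin/example-app flags=(unconfined) {
  # 4.0 rule type: allow creating user namespaces
  userns,

  # Site-specific additions and overrides.
  include if exists <local/example_app>
}

# Pattern 2: a confined profile that grants only what the sandbox needs,
# including user namespace creation. Everything not listed is denied, so
# the same userns rule appears here as a mediated permission rather than
# an exemption from mediation.
profile example_sandbox /usr/bin/example-sandbox {
  include <abstractions/base>

  userns,

  /usr/bin/example-sandbox mr,
  owner @{HOME}/.cache/example-sandbox/** rwk,

  include if exists <local/example_sandbox>
}
```

Either file can be loaded with `apparmor_parser -r <file>` and the attached profiles checked with `aa-status`.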
Feature Matrix
Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
---|---|---|---|---|---|
unconfined flag | Y | Y 1 | N | N | Y 2 |
debug flag | Y | Y 1 | N | N | Y 2 |
prompt flag | Y | Y 1 | N | N | Y 2 |
*audit.mode flag | Y | Y 1 | N | N | Y 2 |
*kill.signal flag | Y | Y 1 | N | N | Y 2 |
*attach_disconnected.path flag | Y | Y 1 | N | N | Y 2 |
quiet audit prefix | Y | Y 1 | N | N | Y 2 |
rule priority qualifier | Y | Y 1 | N | N | N |
access rule qualifier | Y | Y 1 | N | N | Y 2 |
complain rule qualifier | Y | Y 1 | N | N | Y 2 |
prompt rule qualifier | Y | Y 1 | N | N | Y 2 |
ordered rule block | Y | Y 1 | N | N | N |
inherits rule | Y | Y 1 | N | N | N |
boolean rule ops | Y | Y 1 | N | N | N |
* @{parent} variable | Y | N 6 | N | N | N |
* @{attachment} variable | Y | Y 1 | N | N | N |
*deny attachment | Y | Y 1 | N | N | N 4 |
*all rule | Y | Y 1 | N | N | N |
*policy overlay | N | Y 3 | n/a | Y | N |
*config overlay | N | Y 3 | n/a | Y | N |
posix mqueue | Y | Y 1 | N | N | Y 2 |
user ns | Y | Y 1 | N | N | Y 2 |
extended x index | N | Y 5 | Y | N | Y 2 |
fixed x dominance | N 9 | N 10 | Y 11 | N | N |
*rule extends abi | N | N 7 | N | N | N |
rootless apparmor_parser | N | N | n/a | N | N |
improved -O rule-merge | N | N | n/a | N | N |
aa-status filters | N | N | n/a | N | N |
aa-load | N | N | n/a | Y | N |
unconfined ns restriction | N | Y 8 | n/a | N | Y |
unconfined change_profile stacking | N | Y 8 | n/a | N | Y |
unconfined io_uring restriction | N | Y 8 | n/a | N | Y |
1. If present in policy, will cause previous versions of AppArmor to fail.
2. Requires kernel support; policy can be downgraded to work on kernels that do not support it.
3. Previous versions of AppArmor may not fail but will not behave correctly.
4. Feature can be functionally provided but may not be exactly the same.
5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail.
6. Will break older policy if the variable is not defined. The variable can be manually defined in the older parser.
7. AppArmor 3.x will not break but will use the declared abi, instead of extending the abi, when a rule not in the abi is declared in policy.
8. These features, if enabled, will change unconfined's behavior, but they can be disabled with either a grub kernel boot parameter or a sysctl, depending on the kernel.
9. Does not allow any new rules but allows overlapping exec rules that would previously have been rejected.
10. If overlapping rules not supported by 3.x are used, policy will break on 3.x and older environments.
11. Tools will work but may not deal with overlapping rules correctly in some cases.
in beta
Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
---|---|---|---|---|---|
*io_uring | Y | Y 1 | N | N | Y 2 |
*port level network | Y | Y 1 | N | N | Y 2 |
- io_uring mediation is needed for the unprivileged unconfined constraint around io_uring
AppArmor 4.1 or later
Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
---|---|---|---|---|---|
multiple policy locations | N | Y 3 | n/a | Y | N |
location specific configs | N | Y 3 | n/a | Y | N |
user conditional | Y | Y 1 | N | N | Y 2 |
-O rule-refactor | N | N | n/a | N | N |
kernel supports conditional | Y | Y 1 | N | N | N |
abi supports conditional | Y | Y 1 | N | N | N |
replace unconfined | N | Y | N | n/a | N |
Compatibility
????
TODO: before release
- remove parser.conf pin
wip - not in this alpha, not guaranteed to land in 4.0
- kernel & userspace
  - in policy stream conditionals
    - ioctl
    - user
    - policy
    - attachment
  - user mediation
    - owner=
    - conditionals
      - owner
    - mac_override (for change_hat, hardlink, mv, bind mount)
  - case insensitive fs ???
  - extended rule blocks
    - ordered rule blocks
  - bpf mediation
  - ioctl mediation
  - module mediation
  - sysv mqueue
  - io_uring
  - revised af_unix
  - fine grained ipv4/ipv6
  - ns
    - tracking
    - pivot root var setting
    - setns
    - conditionals around what other namespaces are being created
  - profile flags
    - prompt
    - unconfined
    - per profile audit control flags audit.mode=XXX
    - debug
    - kill.signal
    - attach_disconnected.path
  - extended perms
    - dfa32
      - still need accept2 cond command table
    - userspace support for full width of bits and mappings
    - kernel bit mapping of userspace so we can do merge
    - reduce file table size by conditional on only accept states that are different
  - raw text in policy
  - compressed cache
  - additional restrictions policy guard restrictions
    - change_profile - stack if not policy admin, mac_override
      - policy conditional to allow specifying in policy
    - link - fail if not mac override
      - policy conditional to allow specifying in policy
    - rename - fail if not mac override
      - policy conditional to allow specifying in policy
    - bind - fail if not mac override
      - policy conditional to allow specifying in policy
    - change_profile - stack if not policy admin, mac_override
  - unconfined
    - additional restrictions around link, change_profile, rename, bind
    - replace unconfined
    - in policy stream conditionals
- kernel
  - per ns control of unmediated
  - force mediation on unmediated
  - force mediation on complain
  - deal with stacked attachment lookup
  - optimize stacking name lookup to
    - single buffer alloc
    - single name lookup
  - audit caching
  - complain
    - improved complain learning
    - ioctl interface
    - message dedup
  - complain
  - merge file and policy db dfa
    - dedup, file and policy code paths
    - improve shared code callback
    - refcount policydb
    - shared dfa, and policydb
  - rewrite apparmorfs
    - dynamic
  - ima support
  - per ns control of unmediated
- userspace
  - new access modes
    - complain, prompt, access
  - new audit prefix
    - quiet
  - in_policy_abi()
    - warn when rule in use but not in policy abi
    - turn on/ignore/...
    - warn when rule in use but not in policy abi
  - mount
    - per fs mount option matching. ??? does kernel need anything more???
  - allow all
  - aa_load
    - drop root check
  - userspace binary dfa
  - policy debug
  - improved rule prefixes
  - allow all
  - policy overlays
  - extended xindex (part of extended perms)
  - boolean ops
  - policy hash
  - kernel supports conditionals
  - improved policy conditionals
  - dominance fix
  - fs specific mount option matching
  - expr simplify optimizations
  - new access modes
- policy
  - new abi
  - remove unconfined from policy