mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 00:14:44 +01:00
Page:
Release_Notes_4.0.1
Pages
2.12.4_Signatures
2.13.10_Signatures
2.13.11_Signatures
2.13.3_signature
2.13.4_signature
2.13.7_Signatures
2.13.8_Signatures
2.13.9_Signatures
3.0.10_Signatures
3.0.11_Signatures
3.0.12_Signatures
3.0.13_Signatures
3.0.8_Signatures
3.0.9_Signatures
3.1.1_Signatures
3.1.2_Signatures
3.1.3_Signatures
3.1.4_Signatures
3.1.5_Signatures
3.1.6_Signatures
3.1.7_Signatures
4.0.0 alpha2_Signatures
4.0.0 alpha3_Signatures
4.0.0 beta4_Signatures
4.0.1_Signatures
4.0.2_Signatures
4.0.3_Signatures
4.1.0 beta1_Signatures
4.1.0 beta4_Signatures
About
AbstractionsGuide
AlternativeMethodsforSystemWideRestrictions
AppArmor and Kubernetes
AppArmor2FeatureABI
AppArmorAPIs
AppArmorAuditing
AppArmorClassNumbers
AppArmorDBus
AppArmorDelegation
AppArmorDynamicIncludes
AppArmorFeatureABI
AppArmorFeatureABIinteractions
AppArmorGSettings
AppArmorInSystemd
AppArmorInterfaces
AppArmorJournald
AppArmorLabelsandTypes
AppArmorLinuxNamespaces
AppArmorLog
AppArmorMLS
AppArmorMonitoring
AppArmorNamespaces
AppArmorObjectDelegation
AppArmorPolicy
AppArmorPolicyScope
AppArmorPolicyTOC
AppArmorPolicyView
AppArmorPortals
AppArmorProfileSpec
AppArmorProgramaticApplicationPolicy
AppArmorRBAC
AppArmorSandboxing
AppArmorSnappyDesktop
AppArmorStacking
AppArmorSystemWideRestrictions
AppArmorTrustedHelpers
AppArmorUpdateGuidelines
AppArmorUserDefinedPolicy
AppArmorWine
AppArmorXace
AppArmor_Core_Policy_Reference
AppArmor_Failures
AppArmor_History
AppArmor_Model
AppArmor_Presentations
AppArmor_versions
AppArmor_versions_2.1
AppArmor_versions_2.10
AppArmor_versions_2.11
AppArmor_versions_2.12
AppArmor_versions_2.13
AppArmor_versions_2.3
AppArmor_versions_2.4
AppArmor_versions_2.5
AppArmor_versions_2.6
AppArmor_versions_2.7
AppArmor_versions_2.8
AppArmor_versions_2.9
AppArmor_versions_3.0
AppArmor_versions_3.1
AppArmor_versions_4.0
AppArmor_versions_4.1
AppArmorpolicyfeaturesDev
AppArmorpolicyversioning
Apparmor_parser
Apparmorbinarypolicy
Apparmorearlypolicy
Apparmorinitrd
Apparmorpolicycache
Apparmorpolicymanagement
Apparmorpolicymanagement2x
Binary_Profile_Language
Binary_profile_format
BugTracking
Coding Style
CollaborativeProfileDevSpec
CombiningStackingAndNamespaces
CommitPolicy
CompilerImprovements
Complain Mode
Confining_all_tasks
Controlling_Profile_State
CreatingPolicy
DeprecateProfilePathName
DevelopmentRoadmap
Distro_CentOS
Distro_debian
Distro_suse
Distro_ubuntu
Documentation
EnvironmentVariables
ExampleProfiles
Extended_profiling_example
FAQ
Firejail
FullSystemPolicy
GettingStarted
Gittutorial
IRC_meeting_2010
IRC_meeting_2011
IRC_meeting_2012 09 25
IRC_meeting_2012 11 06
IRC_meeting_2012 12 04
IRC_meeting_2012
IRC_meeting_2013 01 08
IRC_meeting_2013 02 05
IRC_meeting_2013 03 01
IRC_meeting_2013 05 14
IRC_meeting_2013 06 11
IRC_meeting_2013 07 09
IRC_meeting_2013 08 13
IRC_meeting_2013 10 08
IRC_meeting_2013 11 13
IRC_meeting_2013
IRC_meeting_2014 02 24
IRC_meeting_2014 06 10
IRC_meeting_2014 07 08
IRC_meeting_2014 09 09
IRC_meeting_2014 10 14
IRC_meeting_2014 11 05
IRC_meeting_2014 12 09
IRC_meeting_2014
IRC_meeting_2015 02 10
IRC_meeting_2015 03 10
IRC_meeting_2015 04 14
IRC_meeting_2015 05 12
IRC_meeting_2015 06 09
IRC_meeting_2015 07 14
IRC_meeting_2015 11 17
IRC_meeting_2015
IRC_meeting_2016 01 19
IRC_meeting_2016 09 13
IRC_meeting_2016
IRC_meeting_2017 10 10
IRC_meeting_2017 11 25
IRC_meeting_2017 12 13
IRC_meeting_2017
IRC_meeting_2018 01 16
IRC_meeting_2018 02 15
IRC_meeting_2018 12 11
IRC_meeting_2018
IRC_meeting_2019 04 09
IRC_meeting_2019 06 13
IRC_meeting_2019 10 08
IRC_meeting_2019
IRC_meeting_2020 01 14
IRC_meeting_2020 02 11
IRC_meeting_2020 02 12
IRC_meeting_2020 03 10
IRC_meeting_2020 04 10
IRC_meeting_2020 04 28
IRC_meeting_2020 06 09
IRC_meeting_2020 09 08
IRC_meeting_2020 10 13
IRC_meeting_2020
IRC_meeting_2021 07 13
IRC_meeting_2021 11 09
IRC_meeting_2021 12 14
IRC_meeting_2022 02 08
IRC_meeting_2022 08 09
IRC_meeting_2022 10 11
IRC_meeting_2022 11 08
IRC_meeting_2022 12 13
IRC_meeting_2022 4 12
IRC_meeting_2022 7 12
IRC_meeting_2023 02 14
IRC_meeting_2023 06 13
IRC_meeting_2023 08 08
IRC_meeting_2023 09 12
IRC_meeting_2023 10 10
IRC_meeting_2024 01 09
IRC_meeting_2024 04 09
IRC_meeting_2024 06 11
IRC_meeting_2024 08 13
IRC_meeting_2024 09 10
IRC_meeting_2024 10 08
IRC_meeting_2024 11 12
IRC_meeting_2025 01 14
IRC_meeting_2025 02 18
Integrating Test plan
Kernel_Feature_Matrix
Kernel_interfaces
Launchpadtutorial
Libvirt
ManPages
MeetingAgenda
Mod_apparmor
Mod_apparmor_example
Multi Category Security (MCS)
Pam_apparmor
Pam_apparmor_example
PerformanceImprovements
Policy_Layout
ProfileLanguage
Profile_repo
Profile_variants
Profiles
Profiling_by_hand
Profiling_with_tools
QuickProfileLanguage
RBAC_2_0
RBAC_2_1
RBAC_2_3
RBAC_2_5
README
Raising_Task_Capabilities
ReleaseProcess
Release_Notes_2.10.1
Release_Notes_2.10.2
Release_Notes_2.10.3
Release_Notes_2.10.4
Release_Notes_2.10.5
Release_Notes_2.10.6
Release_Notes_2.10
Release_Notes_2.11.1
Release_Notes_2.11.2
Release_Notes_2.11.3
Release_Notes_2.11.4
Release_Notes_2.11
Release_Notes_2.12.0
Release_Notes_2.12.1
Release_Notes_2.12.2
Release_Notes_2.12.3
Release_Notes_2.12.4
Release_Notes_2.12
Release_Notes_2.13.1
Release_Notes_2.13.10
Release_Notes_2.13.11
Release_Notes_2.13.2
Release_Notes_2.13.3
Release_Notes_2.13.4
Release_Notes_2.13.5
Release_Notes_2.13.6
Release_Notes_2.13.7
Release_Notes_2.13.8
Release_Notes_2.13.9
Release_Notes_2.13
Release_Notes_2.14
Release_Notes_2.4
Release_Notes_2.5.1
Release_Notes_2.5.2
Release_Notes_2.5
Release_Notes_2.6.0
Release_Notes_2.6.1
Release_Notes_2.7.1
Release_Notes_2.7.2
Release_Notes_2.7
Release_Notes_2.8.1
Release_Notes_2.8.2
Release_Notes_2.8.3
Release_Notes_2.8.4
Release_Notes_2.8.5
Release_Notes_2.8
Release_Notes_2.9.0
Release_Notes_2.9.1
Release_Notes_2.9.2
Release_Notes_2.9.3
Release_Notes_2.9.4
Release_Notes_2.9.5
Release_Notes_3.0.1
Release_Notes_3.0.10
Release_Notes_3.0.11
Release_Notes_3.0.12
Release_Notes_3.0.13
Release_Notes_3.0.2
Release_Notes_3.0.3
Release_Notes_3.0.4
Release_Notes_3.0.5
Release_Notes_3.0.6
Release_Notes_3.0.7
Release_Notes_3.0.8
Release_Notes_3.0.9
Release_Notes_3.0
Release_Notes_3.1.1
Release_Notes_3.1.2
Release_Notes_3.1.3
Release_Notes_3.1.4
Release_Notes_3.1.5
Release_Notes_3.1.6
Release_Notes_3.1.7
Release_Notes_3.1
Release_Notes_4.0 alpha1
Release_Notes_4.0 alpha2
Release_Notes_4.0 alpha3
Release_Notes_4.0 alpha4
Release_Notes_4.0 beta1
Release_Notes_4.0 beta2
Release_Notes_4.0 beta3
Release_Notes_4.0 beta4
Release_Notes_4.0.1
Release_Notes_4.0.2
Release_Notes_4.0.3
Release_Notes_4.0.4
Release_Notes_4.1 beta1
Release_Notes_4.1 beta2
Release_Notes_4.1 beta3
Release_Notes_4.1 beta4
Release_Notes_4.1 beta5
Release_Notes_4.1 beta6
Release_Notes_4.1.0 beta1
Release_Notes_5.0
Revising_and_fine_tuning_policy_and_abstractions
Sandstorm
StackingConfiningUsers
TechnicalDoc
TechnicalDoc_DBusRuleEncoding
TechnicalDoc_DFA
TechnicalDoc_FileRuleEncoding
TechnicalDoc_HFA
TechnicalDoc_HFA_Layout
TechnicalDoc_HFA_permissions
TechnicalDoc_Kernel
TechnicalDoc_MountRuleEncoding
TechnicalDoc_Mount_Flags
TechnicalDoc_NetworkRuleEncoding
TechnicalDoc_PolicyDB
TechnicalDoc_Policy_Layout
TechnicalDoc_Proc_and_ptrace
TechnicalDoc_RulePathEncoding
TechnicalDoc_XWindowsRuleEncoding
Translations
Unconfined, the unconfined flag and default allow
Userconditional
Users in AppArmor
Userspace_Feature_Matrix
Versioning
WorkItems
_sidebar
aparmor_policy_development_guide
apparmor 5 config layout spec
apparmor_compiler_development_guide
apparmor_kernel_development_guide
apparmor_kernel_development_guide_notifications
apparmor_library_development_guide
apparmor_profile_tools_guide
apparmordynamicpolicy
apparmorpolicyfeaturesABI
apparmorversioning
bubblewrap
clearcontainers
containers
docker
flatpak
gVisor
home
how to setup a policy namespace for containers
io_uring rules
kata containers
kubernetes
manpage_aa audit.8
manpage_aa autodep.8
manpage_aa cleanprof.8
manpage_aa complain.8
manpage_aa decode.8
manpage_aa disable.8
manpage_aa easyprof.8
manpage_aa enabled.1
manpage_aa enforce.8
manpage_aa exec.1
manpage_aa features abi.1
manpage_aa genprof.8
manpage_aa logprof.8
manpage_aa mergeprof.8
manpage_aa notify.8
manpage_aa remove unknown.8
manpage_aa status.8
manpage_aa teardown.8
manpage_aa unconfined.8
manpage_aa_change_hat.2
manpage_aa_change_profile.2
manpage_aa_features.3
manpage_aa_find_mountpoint.2
manpage_aa_getcon.2
manpage_aa_kernel_interface.3
manpage_aa_policy_cache.3
manpage_aa_query_label.2
manpage_aa_splitcon.3
manpage_aa_stack_profile.2
manpage_apparmor.7
manpage_apparmor.d.5
manpage_apparmor_parser.8
manpage_apparmor_parser
manpage_apparmor_xattrs.7
manpage_logprof.conf.5
manpage_mod_apparmor.8
mqueue rules
nabla containers
no_new_privs
profileflags
prompt v3 interface
rule operations
rule prefixes and modes
runV
runc
sanitized_helper
security@apparmor template reply
unprivileged_unconfined_restriction
unprivileged_userns_restriction
wip conditional policy
No results
10
Release_Notes_4.0.1
John Johansen edited this page 2024-07-22 19:44:03 +00:00
AppArmor 4.0 was released 2024-04-12.
Note: 4.0.0 was never released, and is superseded by 4.0.1
Introduction
AppArmor 4.0 is a major new release of the AppArmor user space that makes several important changes to policy development and support. Its focus is transitioning policy to the new policy features.
Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer AppArmor 4 style policy which introduces several new features that are not backwards compatible. As such AppArmor 4.0 will be a short lived release, and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release, please take this into account when including AppArmor 4.0 into a distro release.
This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied). And supports features released in the 4.20 kernel.
Note: that while older kernels are supported, not all features available in AppArmor 4.0 policy can be enforced on older kernels.
The kernel portion of the project is maintained and pushed separately.
Highlighted new features
- profile flags
- prompt
- kill.signal
- attach_disconnected.path
- fine grained mediation
- ipv4
- ipv6
- mqueue
- aa_load
Important Notes
- gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
- libapparmor
autogen.shis already done, meaning distros only need to use ./configure in their build setup - the docs for everything but libapparmor have already been built
- libapparmor
- Potentially breaking changes:
Obtaining the Release
There are two ways to obtain this release either through gitlab or a tarball in launchpad. Important note: the gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
- libapparmor
autogen.shis already done, meaning distros only need to use ./configure in their build setup - the docs for everything but libapparmor have already been built
gitlab release
Launchpad Tarball
- https://launchpad.net/apparmor/4.0/4.0/+download/apparmor-4.0.0.tar.gz
- sha256sum: 2216f4928d4b9fa3a3ff545d19b86ac53c90c58cc0c468b19dc678f6246ad1aa
- signature: https://launchpad.net/apparmor/4.0/4.0/+download/apparmor-4.0.0.tar.gz.asc
Changes since AppArmor 4.0-beta4
policy compiler (aka apparmor_parser)
Policy
profiles
unconfined profiles
- new
- foliate profile (MR:1209, HUB:1271, LP:2060767)
- wike profile (MR:1212, LP:2060810)
Documentation
- add network inet mediation documentation to apparmor.d (MR:1213)
Regression Tests
- add mount test for CVE-2016-1585 (MR:1054, MR:1211, BOO:1211989, LP:1597017, LP:2023814)
Changes in this Release
These release notes cover all changes between 3.1 ( 7c7224004c) and 4.0.1 ( b0eb95457b) apparmor-4.0 branch.
Includes all the bug fixes and improvements in
And the following improvements
General improvements
New Profile Flags
New Mediation rules
- fine grain posix mqueue mediation
- user ns mediation
- io_uring mediation
- sqpoll and override_creds (cmd is still a wip)
unprivileged_userns: Special profile transitioned to by unconfined when creating an unprivileged user namespace.
Policy Compiler (a.k.a apparmor_parser)
- no longer require root permissions. Will still require privilege to load policy
- improved rule merging before expr-simplification
- Experimental
- Fine grained IPv4 and IPv6 network mediation (MR:1160)
- Requires use of experimental kernel.
- Unsupported and evolving experimental features exist in the release to help with broader testing. They should not affect regular operation/policy unless the feature is explicitly enabled.
- Fine grained IPv4 and IPv6 network mediation (MR:1160)
- fix policy generation for non-af_inet rules (MR:1175)
- Fix network test regression on kernels that support af_unix (MR:1183,AABUG:374)
- fix coverity static analysis failure (MR:1188)
- fix getattr and setattr perm mapping on mqueue rules (MR:1197, AABUG:377, AABUG:378)
- add ability to specify where a disconnected path is attached (attach_disconnected.path) (MR:661)
- make attach_disconnected.path enable attach_disconnected by default (MR:1084)
- fix encoding of unix permissions for setopt and getopt (MR:1079)
- add support for prompt profile mode (MR:1062)
Library
- check if AX_CHECK_COMPILE_FLAG is available (MR:1174)
- fix syntax in configure (MR:1184)
- fix dynamic linkage since lto1 does not support -dynamic (MR:1071)
Utils
- apparmor development utilities (aa-logprof, ...)
- support all rule
- exec events in hats are no longer skipped
- Adding support for mount rules in aa-genprof/aa-logprof (MR:1153)
- fix coding style in mount rules (MR:1173)
- change string to r-string to avoid warning (MR:1172)
- Remove unnecessary variable source_is_path in mount rules (MR:1172)
- check for unknown fstype and options keywords, and fix issues uncovered by that (MR:1169)
- Fix writing 'mount {options,fstype} in ...' rules and make error check more readable (MR:1168)
- Add useful error message in test-mount.py (MR:1166)
- Fix typo in 'btrfs', and add '9p' filesystem (MR:1164)
- mount rules Fix _is_covered_localvars (MR:1182)
- MountRule to fix make check failure (MR:1176,AABUG:370)
- add option to log aa-logprof json input and output (MR:1078)
- allow mount destination globbing (MR:1195, AABUG:381)
- aa-notify
- new add notification filtering (MR:1154)
- fix aa-notify last login test (MR:1152,LP:1939022)
- Fix test-aa-notify on openSUSE Tumbleweed (new 'last') (MR:1180)
- aa-unconfined
- aa-cleanprof
- fix to work with named profiles
- aa-status
- fix json output
- separate error messages from regular output
- add ability to filter output
- new aa-load
- utility for loading binary (cache) policy without the parser, can be used by non-systemd systems to do cache loads.
Policy
- update abi references to 4.0
abstractions
- authentication
- Allow pam_unix to execute unix_chkpwd (MR:1181,BOO:1219139)
- audio
- crypto (MR:1178,LP:2056747,LP:2056739)
- allow read of openssl config
- allow read of gnutls config
- kde-open5
- Clean superfluous openssl abstraction includes (MR:1179)
- openssl
- allow version specific engdef & engines paths (MR:1147, BOO:1219571)
- Move pam-related permissions to abstractions/authentication (MR:1191, BOO:1220032)
- nameservice
- snap_browsers
- ubuntu-browsers.d/kde
- wutmp
- add "include if exists" to all tunables files to allow for customization (MR:1077, AABUG:347)
profiles
- new bwrap (MR:1204,MR:1206, AABUG:382, LP:2046844)
- new unshare (MR:1204,MR:1206, AABUG:382, LP:2046844)
- firefox
- samba
- sshd
- Add new permissions needed on Ubuntu 24.04 (MR:1196, LP:2060100)
- new unix_chkpwd - required by authentication (MR:1181,BOO:1219139)
- smbd
- honouring pam restrictions (MR:1159,BOO:1220032)
- php-fpm
- Clean superfluous openssl abstraction includes (MR:1179)
- samba-bgqd
- Clean superfluous openssl abstraction includes (MR:1179)
- sbin.syslog-ng
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.ntpd
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.smbd
- Clean superfluous openssl abstraction includes (MR:1179)
- postfix-proxymap
- Clean superfluous openssl abstraction includes (MR:1179)
- postfix-smtp
- Clean superfluous openssl abstraction includes (MR:1179)
- postfix-smtpd
- Clean superfluous openssl abstraction includes (MR:1179)
- postfix-tlsmgr
- Clean superfluous openssl abstraction includes (MR:1179)
- sbin.dhclient
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.bin.freshclam
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.clamd
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.haproxy
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.httpd2-prefork
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.imapd
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.ipop2d
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.ipop3d
- Clean superfluous openssl abstraction includes (MR:1179)
- usr.lib.dovecot.auth
- usr.lib.dovecot.dict
- usr.lib.dovecot.imap-login
- usr.lib.dovecot.lmtp
- usr.lib.dovecot.managesieve-login
- usr.lib.dovecot.pop3-login
- usr.lib.dovecot.anvil
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.config
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.deliver
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.director
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.doveadm-server
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.dovecot-auth
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.dovecot-lda
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.imap
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.log
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.managesieve
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.pop3
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.replicator
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.script-login
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.ssl-params
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.lib.dovecot.stats
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- usr.sbin.dovecot
- Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
- chromium profile
- add crashpad_handler subprofile to factor out some permissions that the browser proper does not need (MR:1208)
- new transmission - includes abstractions/transmission-common (MR:1190)
unconfined profiles
- 1password
- Discord
- MongoDB_Compass
- QtWebEngineProcess
- brave
- buildah
- busybox
- cam
- ch-checkns
- ch-run
- chrome
- code
- crun
- firefox
- flatpak
- github-desktop
- ipa_verify
- lc-compliance
- libcamirify
- linux-sandbox
- lxc-attach
- lxc-create
- lxc-destroy
- lxc-execute
- lxc-stop
- lxc-unshare
- lxc-usernsexec
- mmdebstrap
- msedge
- obsidian
- opera
- plasmashell
- podman
- polypane
- qcam
- rootlesskit
- rpm
- runc
- sbuild
- sbuild-abort
- sbuild-adduser
- sbuild-apt
- sbuild-checkpackages
- sbuild-clean
- sbuild-createchroot
- sbuild-destroychroot
- sbuild-distupgrade
- sbuild-hold
- sbuild-shell
- sbuild-unhold
- sbuild-update
- sbuild-upgrade
- signal-desktop
- slack
- slirp4netns
- steam
- stress-ng
- surfshark
- systemd-coredump
- thunderbird
- toybox
- trinity
- tup
- userbindmount
- uwsgi-core
- vdens
- virtiofsd
- vivaldi-bin
- vpnns
- wpcom
- firefox (MR:1185,LP:2046844)
- mscode
- nautilis (MR:1161,LP:2047256)
- devhelp (MR:1149)
- element-desktop (MR:1150)
- epiphany (MR:1149)
- evolution (MR:1149)
- keybase (MR:1145)
- opam (MR:1149)
- goldendict (MR:1186,LP2046844)
- kchmviewer (MR:1186,LP2046844)
- notepadqq (MR:1186,LP2046844)
- pageedit (MR:1186,LP2046844)
- privacybrowser (MR:1186,LP2046844)
- qmapshack (MR:1186,LP2046844)
- qutebrowser (MR:1186,LP2046844)
- rssguard (MR:1186,LP2046844)
- scide (MR:1186,LP2046844)
- geary (MR:1185,LP:2046844)
- loupe (MR:1185,LP:2046844)
- tuxedo-control-center (MR:1187, LP:2046844)
- wike (MR:1212, LP:2060810)
- foliate (MR:1209, HUB:1271, LP:2060767)
Documentation
- apparmor.d
- aa-status
- document filters
Translations
- sync translation from launchpad
Infrastructure
- makefiles
- don't ship /var in downstream packages (MR:1167)
Tests
regression tests
- dbus-broker integration
- handle unprivileged_userns transition in userns tests (MR:1146)
- fix usr-merge failures on exec and regex tests (MR:1146)
- fix inet tests (MR:1192, AABUG:376)
- fix checking if a feature exists in the test by ignoring if feature file is actually a directory (MR:1074)
tools tests
- add aa-logprof test framework (MR:1082)
parser tests
- improve parser test coverage by checking for non-existent profiles, convert to unittest.main (MR:1070)
Feature Matrix
The feature matrix provides an overview of which features/changes are supported on which release and or kernel.
| Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
|---|---|---|---|---|---|
| unconfined flag | Y | Y 1 | N | N | Y 2 |
| debug flag | Y | Y 1 | N | N | Y 2 |
| prompt flag | Y | Y 1 | N | N | Y 2 |
| audit.mode flag | Y | Y 1 | N | N | Y 2 |
| kill.signal flag | Y | Y 1 | N | N | Y 2 |
| attach_disconnected.path flag | Y | Y 1 | N | N | Y 2 |
| default_allow | Y | Y 1 | N | N | N |
| all rule | Y | Y 1 | N | N | N |
| userns | Y | Y 1 | N | N | Y 2 |
| rootless apparmor_parser | N | N | n/a | N | N |
| improved -O rule-merge | N | N | n/a | N | N |
| aa-status filters | N | N | n/a | N | N |
| aa-load | N | N | n/a | Y | N |
| io_uring | Y | Y 1 | N | N | Y 2 |
| port level network 12 | Y | Y 1 | N | N | Y 2 |
| unconfined ns restriction | N | Y 8 | n/a | N | Y |
| unconfined change_profile stacking | N | Y 8 | n/a | N | Y |
| unconfined io_uring restriction | N | Y 8 | n/a | N | Y |
- If present in policy will cause previous versions of AppArmor to fail
- Requires kernel support, policy can be downgraded to work on kernels that do not support.
- Previous versions of AppArmor may not fail but will not behave correctly
- Feature can be functionally provided by may not be exactly the same
- If more than 12 transitions are used in a profile, AppArmor 3.x will fail
- Will break older policy if variable is not defined. Variable can be manually defined in older parser.
- AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
- These features if enabled will change unconfined's behavior but can be disabled with either a grub kernel boot parameter or sysctl depending on the kernel.
- Does not allow any new rules but allows overlapping exec rules that would have been previously rejected.
- If overlapping rules not supported by 3.x are used policy will break on 3.x and older environments
- Tools will work but may not deal with overlapping rules correctly in some cases
- Experimental