WARNING this is a beta - NOT a final release

AppArmor 4.1-beta2 was not released due to a tagging vs. branch issue. It was abandoned in favor of beta3.

Introduction

AppArmor 4.1 is a major new release of the AppArmor that is in development.

Apprmor 4.1 is a short term (at least 2 years of updates) stable release for AppArmor 4.1 series policy which introduces several new features that are not backwards compatible.

These release notes cover changes between AppArmor-4.1~beta1 and AppArmor-4.1~beta2

Notes

This Release contains bug fixes to AppArmor 4.1 beta1.

Known issues

priority rule modifier is broken in two distinct ways
- the modifier is not correctly applied to file rules
- the modifier has a total permission override behavior, which is not the correct per permission behavior

Misc

apparmor.vim: add missing units for rlimit cpu and rttime (MR:1336)

Bug Fixes

fix creation of path /usr/share/polkit-1/actions/ in python tools setup to create intermediary directories (MR:1306)
fix af_protos.h generation so it's consistent between different architectures (MR:1309)
fix rule priority destroying rule permissions for io_uring and userns classes (MR:1307)
fix tools to ignore peer when parsing logs for non-peer access modes (MR:1314, AABUG:427)
fix exception when replacing owner file, rules by file, by suggesting mrwlkix instead (MR:1320, AABUG:429)
fix wrong order of the owner keyword when cleaning file rules (MR:1320, AABUG:430)
fix ABI break for aa_log_record (MR:1345, LP:2083435)
fix thrown TypeError exception when passing binary logs to the tools (MR:1354, AABUG:436)
fix integer overflow bug in rule priority comparisons (MR:1396, AABUG:452)
fix minimization check for filtering deny (MR:1396 , AABUG:452)
fix memory leak in aare_rules UniquePermsCache (MR:1399)
fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite MR:1407
fix do not change auditing information when applying deny (MR:1408, AABUG:461)

policy compiler (aka apparmor_parser)

add port range support on network policy (MR:1321)

Utils

improve UX when allowing rules in aa-notify and update the man page (MR:1313)
store the child profile/hat name if we are in a child profile or hat instead of the main profile (MR:1359)
aa-mergeprof: prevent backtrace if file not found (MR:1403)

Policy

abstractions

abstractions/mesa: allow ~/.cache/mesa_shader_cache_db/ (MR:1333, LP:2081692)
abstractions/nameservice-strict: add more strict version of abstractions/nameservice
abstractions/nameservice:
- support name resolution via libnss-libvirt (MR:1362)
- include abstractions/nameservice-strict (MR:1373)
- tighten libnss_libvirt file access (MR:1379)
abstractions/dconf: use @{etc_ro} instead of /etc/... r, (MR:1402)

profiles

slirp4netns: allow pivot_root (MR:1298, HUB:348)
php-fpm:
- confine php-fpm in both /usr/bin and /usr/sbin (MR:1301, AABUG:421)
- add support for ArchLinux php-legacy package ( MR:1401, AABUG:454, LP:2061113)
- widen allowed socket paths (MR:1406, LP:2061113)
ping: allow reading /proc/sys/net/ipv6/conf/all/disable_ipv6 (MR:1340, debug1082190)
transmission: add attach_disconnected flag (MR:1355, LP:2083548)
zgrep: deny reading /etc/nsswitch.conf and /etc/passwd (MR:1361)
support /usr/libexec/postfix/ path (MR:1330):
- postfix-anvil
- postfix-bounce
- postfix-cleanup
- postfix-discard
- postfix-dnsblog
- postfix-error
- postfix-flush
- postfix-lmtp
- postfix-local
- postfix-master
- postfix-nqmgr
- postfix-oqmgr
- postfix-pickup
- postfix-pipe
- postfix-postscreen
- postfix-proxymap
- postfix-qmgr
- postfix-qmqpd
- postfix-scache
- postfix-showq
- postfix-smtp
- postfix-smtpd
- postfix-spawn
- postfix-tlsmgr
- postfix-trivial-rewrite
- postfix-verify
- postfix-virtual
- usr.sbin.postqueue
- usr.sbin.sendmail
- usr.sbin.sendmail.postfix
postfix-master: add exec perm for postfix-tlsproxy and postscreen (MR:1330)
postfix-postscreen: add abstractions/{nameservice,postfix-common} and cache map (MR:1330)
postfix-smtpd: add permissions to rwk /{var/spool/postfix/,}pid/pass.smtpd (MR:1330)
postfix-tlsproxy: add new profile (MR:1330)