mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 00:14:44 +01:00
Page:
Release_Notes_4.1 beta4
Pages
2.12.4_Signatures
2.13.10_Signatures
2.13.11_Signatures
2.13.3_signature
2.13.4_signature
2.13.7_Signatures
2.13.8_Signatures
2.13.9_Signatures
3.0.10_Signatures
3.0.11_Signatures
3.0.12_Signatures
3.0.13_Signatures
3.0.8_Signatures
3.0.9_Signatures
3.1.1_Signatures
3.1.2_Signatures
3.1.3_Signatures
3.1.4_Signatures
3.1.5_Signatures
3.1.6_Signatures
3.1.7_Signatures
4.0.0 alpha2_Signatures
4.0.0 alpha3_Signatures
4.0.0 beta4_Signatures
4.0.1_Signatures
4.0.2_Signatures
4.0.3_Signatures
4.1.0 beta1_Signatures
4.1.0 beta4_Signatures
About
AbstractionsGuide
AlternativeMethodsforSystemWideRestrictions
AppArmor and Kubernetes
AppArmor2FeatureABI
AppArmorAPIs
AppArmorAuditing
AppArmorClassNumbers
AppArmorDBus
AppArmorDelegation
AppArmorDynamicIncludes
AppArmorFeatureABI
AppArmorFeatureABIinteractions
AppArmorGSettings
AppArmorInSystemd
AppArmorInterfaces
AppArmorJournald
AppArmorLabelsandTypes
AppArmorLinuxNamespaces
AppArmorLog
AppArmorMLS
AppArmorMonitoring
AppArmorNamespaces
AppArmorObjectDelegation
AppArmorPolicy
AppArmorPolicyScope
AppArmorPolicyTOC
AppArmorPolicyView
AppArmorPortals
AppArmorProfileSpec
AppArmorProgramaticApplicationPolicy
AppArmorRBAC
AppArmorSandboxing
AppArmorSnappyDesktop
AppArmorStacking
AppArmorSystemWideRestrictions
AppArmorTrustedHelpers
AppArmorUpdateGuidelines
AppArmorUserDefinedPolicy
AppArmorWine
AppArmorXace
AppArmor_Core_Policy_Reference
AppArmor_Failures
AppArmor_History
AppArmor_Model
AppArmor_Presentations
AppArmor_versions
AppArmor_versions_2.1
AppArmor_versions_2.10
AppArmor_versions_2.11
AppArmor_versions_2.12
AppArmor_versions_2.13
AppArmor_versions_2.3
AppArmor_versions_2.4
AppArmor_versions_2.5
AppArmor_versions_2.6
AppArmor_versions_2.7
AppArmor_versions_2.8
AppArmor_versions_2.9
AppArmor_versions_3.0
AppArmor_versions_3.1
AppArmor_versions_4.0
AppArmor_versions_4.1
AppArmorpolicyfeaturesDev
AppArmorpolicyversioning
Apparmor_parser
Apparmorbinarypolicy
Apparmorearlypolicy
Apparmorinitrd
Apparmorpolicycache
Apparmorpolicymanagement
Apparmorpolicymanagement2x
Binary_Profile_Language
Binary_profile_format
BugTracking
Coding Style
CollaborativeProfileDevSpec
CombiningStackingAndNamespaces
CommitPolicy
CompilerImprovements
Complain Mode
Confining_all_tasks
Controlling_Profile_State
CreatingPolicy
DeprecateProfilePathName
DevelopmentRoadmap
Distro_CentOS
Distro_debian
Distro_suse
Distro_ubuntu
Documentation
EnvironmentVariables
ExampleProfiles
Extended_profiling_example
FAQ
Firejail
FullSystemPolicy
GettingStarted
Gittutorial
IRC_meeting_2010
IRC_meeting_2011
IRC_meeting_2012 09 25
IRC_meeting_2012 11 06
IRC_meeting_2012 12 04
IRC_meeting_2012
IRC_meeting_2013 01 08
IRC_meeting_2013 02 05
IRC_meeting_2013 03 01
IRC_meeting_2013 05 14
IRC_meeting_2013 06 11
IRC_meeting_2013 07 09
IRC_meeting_2013 08 13
IRC_meeting_2013 10 08
IRC_meeting_2013 11 13
IRC_meeting_2013
IRC_meeting_2014 02 24
IRC_meeting_2014 06 10
IRC_meeting_2014 07 08
IRC_meeting_2014 09 09
IRC_meeting_2014 10 14
IRC_meeting_2014 11 05
IRC_meeting_2014 12 09
IRC_meeting_2014
IRC_meeting_2015 02 10
IRC_meeting_2015 03 10
IRC_meeting_2015 04 14
IRC_meeting_2015 05 12
IRC_meeting_2015 06 09
IRC_meeting_2015 07 14
IRC_meeting_2015 11 17
IRC_meeting_2015
IRC_meeting_2016 01 19
IRC_meeting_2016 09 13
IRC_meeting_2016
IRC_meeting_2017 10 10
IRC_meeting_2017 11 25
IRC_meeting_2017 12 13
IRC_meeting_2017
IRC_meeting_2018 01 16
IRC_meeting_2018 02 15
IRC_meeting_2018 12 11
IRC_meeting_2018
IRC_meeting_2019 04 09
IRC_meeting_2019 06 13
IRC_meeting_2019 10 08
IRC_meeting_2019
IRC_meeting_2020 01 14
IRC_meeting_2020 02 11
IRC_meeting_2020 02 12
IRC_meeting_2020 03 10
IRC_meeting_2020 04 10
IRC_meeting_2020 04 28
IRC_meeting_2020 06 09
IRC_meeting_2020 09 08
IRC_meeting_2020 10 13
IRC_meeting_2020
IRC_meeting_2021 07 13
IRC_meeting_2021 11 09
IRC_meeting_2021 12 14
IRC_meeting_2022 02 08
IRC_meeting_2022 08 09
IRC_meeting_2022 10 11
IRC_meeting_2022 11 08
IRC_meeting_2022 12 13
IRC_meeting_2022 4 12
IRC_meeting_2022 7 12
IRC_meeting_2023 02 14
IRC_meeting_2023 06 13
IRC_meeting_2023 08 08
IRC_meeting_2023 09 12
IRC_meeting_2023 10 10
IRC_meeting_2024 01 09
IRC_meeting_2024 04 09
IRC_meeting_2024 06 11
IRC_meeting_2024 08 13
IRC_meeting_2024 09 10
IRC_meeting_2024 10 08
IRC_meeting_2024 11 12
IRC_meeting_2025 01 14
IRC_meeting_2025 02 18
Integrating Test plan
Kernel_Feature_Matrix
Kernel_interfaces
Launchpadtutorial
Libvirt
ManPages
MeetingAgenda
Mod_apparmor
Mod_apparmor_example
Multi Category Security (MCS)
Pam_apparmor
Pam_apparmor_example
PerformanceImprovements
Policy_Layout
ProfileLanguage
Profile_repo
Profile_variants
Profiles
Profiling_by_hand
Profiling_with_tools
QuickProfileLanguage
RBAC_2_0
RBAC_2_1
RBAC_2_3
RBAC_2_5
README
Raising_Task_Capabilities
ReleaseProcess
Release_Notes_2.10.1
Release_Notes_2.10.2
Release_Notes_2.10.3
Release_Notes_2.10.4
Release_Notes_2.10.5
Release_Notes_2.10.6
Release_Notes_2.10
Release_Notes_2.11.1
Release_Notes_2.11.2
Release_Notes_2.11.3
Release_Notes_2.11.4
Release_Notes_2.11
Release_Notes_2.12.0
Release_Notes_2.12.1
Release_Notes_2.12.2
Release_Notes_2.12.3
Release_Notes_2.12.4
Release_Notes_2.12
Release_Notes_2.13.1
Release_Notes_2.13.10
Release_Notes_2.13.11
Release_Notes_2.13.2
Release_Notes_2.13.3
Release_Notes_2.13.4
Release_Notes_2.13.5
Release_Notes_2.13.6
Release_Notes_2.13.7
Release_Notes_2.13.8
Release_Notes_2.13.9
Release_Notes_2.13
Release_Notes_2.14
Release_Notes_2.4
Release_Notes_2.5.1
Release_Notes_2.5.2
Release_Notes_2.5
Release_Notes_2.6.0
Release_Notes_2.6.1
Release_Notes_2.7.1
Release_Notes_2.7.2
Release_Notes_2.7
Release_Notes_2.8.1
Release_Notes_2.8.2
Release_Notes_2.8.3
Release_Notes_2.8.4
Release_Notes_2.8.5
Release_Notes_2.8
Release_Notes_2.9.0
Release_Notes_2.9.1
Release_Notes_2.9.2
Release_Notes_2.9.3
Release_Notes_2.9.4
Release_Notes_2.9.5
Release_Notes_3.0.1
Release_Notes_3.0.10
Release_Notes_3.0.11
Release_Notes_3.0.12
Release_Notes_3.0.13
Release_Notes_3.0.2
Release_Notes_3.0.3
Release_Notes_3.0.4
Release_Notes_3.0.5
Release_Notes_3.0.6
Release_Notes_3.0.7
Release_Notes_3.0.8
Release_Notes_3.0.9
Release_Notes_3.0
Release_Notes_3.1.1
Release_Notes_3.1.2
Release_Notes_3.1.3
Release_Notes_3.1.4
Release_Notes_3.1.5
Release_Notes_3.1.6
Release_Notes_3.1.7
Release_Notes_3.1
Release_Notes_4.0 alpha1
Release_Notes_4.0 alpha2
Release_Notes_4.0 alpha3
Release_Notes_4.0 alpha4
Release_Notes_4.0 beta1
Release_Notes_4.0 beta2
Release_Notes_4.0 beta3
Release_Notes_4.0 beta4
Release_Notes_4.0.1
Release_Notes_4.0.2
Release_Notes_4.0.3
Release_Notes_4.0.4
Release_Notes_4.1 beta1
Release_Notes_4.1 beta2
Release_Notes_4.1 beta3
Release_Notes_4.1 beta4
Release_Notes_4.1 beta5
Release_Notes_4.1 beta6
Release_Notes_4.1.0 beta1
Release_Notes_5.0
Revising_and_fine_tuning_policy_and_abstractions
Sandstorm
StackingConfiningUsers
TechnicalDoc
TechnicalDoc_DBusRuleEncoding
TechnicalDoc_DFA
TechnicalDoc_FileRuleEncoding
TechnicalDoc_HFA
TechnicalDoc_HFA_Layout
TechnicalDoc_HFA_permissions
TechnicalDoc_Kernel
TechnicalDoc_MountRuleEncoding
TechnicalDoc_Mount_Flags
TechnicalDoc_NetworkRuleEncoding
TechnicalDoc_PolicyDB
TechnicalDoc_Policy_Layout
TechnicalDoc_Proc_and_ptrace
TechnicalDoc_RulePathEncoding
TechnicalDoc_XWindowsRuleEncoding
Translations
Unconfined, the unconfined flag and default allow
Userconditional
Users in AppArmor
Userspace_Feature_Matrix
Versioning
WorkItems
_sidebar
aparmor_policy_development_guide
apparmor 5 config layout spec
apparmor_compiler_development_guide
apparmor_kernel_development_guide
apparmor_kernel_development_guide_notifications
apparmor_library_development_guide
apparmor_profile_tools_guide
apparmordynamicpolicy
apparmorpolicyfeaturesABI
apparmorversioning
bubblewrap
clearcontainers
containers
docker
flatpak
gVisor
home
how to setup a policy namespace for containers
io_uring rules
kata containers
kubernetes
manpage_aa audit.8
manpage_aa autodep.8
manpage_aa cleanprof.8
manpage_aa complain.8
manpage_aa decode.8
manpage_aa disable.8
manpage_aa easyprof.8
manpage_aa enabled.1
manpage_aa enforce.8
manpage_aa exec.1
manpage_aa features abi.1
manpage_aa genprof.8
manpage_aa logprof.8
manpage_aa mergeprof.8
manpage_aa notify.8
manpage_aa remove unknown.8
manpage_aa status.8
manpage_aa teardown.8
manpage_aa unconfined.8
manpage_aa_change_hat.2
manpage_aa_change_profile.2
manpage_aa_features.3
manpage_aa_find_mountpoint.2
manpage_aa_getcon.2
manpage_aa_kernel_interface.3
manpage_aa_policy_cache.3
manpage_aa_query_label.2
manpage_aa_splitcon.3
manpage_aa_stack_profile.2
manpage_apparmor.7
manpage_apparmor.d.5
manpage_apparmor_parser.8
manpage_apparmor_parser
manpage_apparmor_xattrs.7
manpage_logprof.conf.5
manpage_mod_apparmor.8
mqueue rules
nabla containers
no_new_privs
profileflags
prompt v3 interface
rule operations
rule prefixes and modes
runV
runc
sanitized_helper
security@apparmor template reply
unprivileged_unconfined_restriction
unprivileged_userns_restriction
wip conditional policy
No results
5
Release_Notes_4.1 beta4
John Johansen edited this page 2025-02-12 09:47:05 +00:00
WARNING this is a beta - NOT a final release
AppArmor 4.1~beta4 was released on 2025-02-11.
Introduction
AppArmor 4.1 is a major new release of the AppArmor that is in development.
Apprmor 4.1 is a long term stable (5 years of support) release for the AppArmor 4.x policy which introduces several new features that are not backwards compatible.
These release notes cover changes between AppArmor-4.1~beta1 and AppArmor-4.1~beta4 (Note: includes notes for Beta2 and Beta3 which was dropped due to technical issues).
Notes
- This Release contains bug fixes to AppArmor 4.1 beta1, beta2, beta3.
- This release includes new CI E2E testing via the spread frame work. A big thanks to Zygmunt Krynicki for all his work on improving the testing.
Known issues
- profile: unshare has a known issue around profile transitions
- utils do not handle priorities in rules
- utils do not handle leading permissions
- utils crash if they can't parse all files in the profile directory
- mount rules
- control of disconnect mounts is missing
- handling of conflicting mount options is not backwards compatible
Obtaining the Release
This beta release is only available through gitlab
Important note: the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
- libapparmor
autogen.shis already done, meaning distros only need to use ./configure in their build setup - the docs for everything but libapparmor have already been built
gitlab
Changes in this Release
Misc
- apparmor.vim
- add missing units for rlimit cpu and rttime (MR:1336)
- aa-remove-unknown
- fix readability check (MR:1438, HUBMR:285915, HUB:273164)
- aa-status
- replace uses of
whichforcommand -vfor POSIX compatibility and to fix running the test suite on openSUSE Tumbleweed (MR:1431) - fix awk not being found on openSuse 15.6 (MR:1431)
Bug Fixes
- fix creation of path
/usr/share/polkit-1/actions/in python tools setup to create intermediary directories (MR:1306) - fix af_protos.h generation so it's consistent between different architectures (MR:1309)
- fix rule priority destroying rule permissions for io_uring and userns classes (MR:1307)
- fix tools to ignore peer when parsing logs for non-peer access modes (MR:1314, AABUG:427)
- fix exception when replacing
owner file,rules byfile,by suggestingmrwlkixinstead (MR:1320, AABUG:429) - fix wrong order of the owner keyword when cleaning file rules (MR:1320, AABUG:430)
- fix ABI break for aa_log_record (MR:1345, LP:2083435)
- fix thrown TypeError exception when passing binary logs to the tools (MR:1354, AABUG:436)
- fix integer overflow bug in rule priority comparisons (MR:1396, AABUG:452)
- fix minimization check for filtering deny (MR:1396, AABUG:452)
- fix memory leak in aare_rules UniquePermsCache (MR:1399)
- fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite (MR:1407)
- fix do not change auditing information when applying deny (MR:1408, AABUG:461)
- fix mapping of AA_CONT_MATCH for policydb compat entries (MR:1409, AABUG:462)
- bug fix do not change auditing information when applying deny (MR:1408, AABUG:461)
- fix equality tests for priority (MR:1455)
- fix awk not being found on openSuse 15.6 (MR:1431)
- fix json generation on aa-status (MR:1451, AABUG:470)
- fix make setup when bison is not installed by quoting BISON_MAJOR (MR:1431)
Libraries
- bug fix do not change auditing information when applying deny (MR:1408, AABUG:461)
- fix af_protos.h generation so it's consistent between different architectures (MR:1309)
- fix ABI break for aa_log_record (MR:1345, LP:2083435)
- Improvements to the SWIG bindings (https://gitlab.com/apparmor/apparmor/-/merge_requests/1338, https://gitlab.com/apparmor/apparmor/-/merge_requests/1342, AABUG:439, https://gitlab.com/apparmor/apparmor/-/merge_requests/1352, https://gitlab.com/apparmor/apparmor/-/merge_requests/1337, https://gitlab.com/apparmor/apparmor/-/merge_requests/1334)
- fixes to the SWIG bindings for SWIG 4.3 and later (AABUG:475, MR:1504)
policy compiler (aka apparmor_parser)
- add port range support on network policy (MR:1321)
- fix mapping of AA_CONT_MATCH for policydb compat entries (MR:1409, AABUG:462)
- improve profile build and dump info
- restore MatchFlag dump from being hex encoded to decimal (MR:1419)
- fix make setup when bison is not installed by quoting BISON_MAJOR (MR:1431)
- replace uses of MS_SYNC by MS_SYNCHRONOUS in mount flags (MR:1458)
- add separator between mount flags in dump_flags (MR:1465)
- allow make-* flags with remount operations (MR:1466, LP:2091424)
- convert uint to unsigned int (MR:1478)
- fix rule priority destroying rule permissions for io_uring and userns classes (MR:1307)
- fix integer overflow bug in rule priority comparisons (MR:1396, AABUG:452)
- fix minimization check for filtering deny (MR:1396, AABUG:452)
- fix memory leak in aare_rules UniquePermsCache (MR:1399)
- fix do not change auditing information when applying deny (MR:1408, AABUG:461)
- fix priority so it is handled on a per permission basis (MR:1522)
Utils
- fix creation of path
/usr/share/polkit-1/actions/in python tools setup to create intermediary directories (MR:1306) - improve UX when allowing rules in aa-notify and update the man page (MR:1313)
- store the child profile/hat name if we are in a child profile or hat instead of the main profile (MR:1359)
- aa-mergeprof: prevent backtrace if file not found (MR:1403)
- Remove match statements in utils for older Python compatibility (MR:1440)
- fixes/workarounds for python 3.13 missing cgitb (MR:1439, AABUG:447)
- fix E502 error on Python 3.11 (MR:1431)
- limit buildpath.py setuptools version check to the relevant bits (MR:1460)
- fix tools to ignore peer when parsing logs for non-peer access modes (MR:1314, AABUG:427)
- fix exception when replacing
owner file,rules byfile,by suggestingmrwlkixinstead (MR:1320, AABUG:429) - fix wrong order of the owner keyword when cleaning file rules (MR:1320, AABUG:430)
- fix thrown TypeError exception when passing binary logs to the tools (MR:1354, AABUG:436)
- look for 'file' class when parsing logs (AABUG:478, MR:1507)
Policy
abstractions
- dconf
- mesa
- allow ~/.cache/mesa_shader_cache_db/ (MR:1333, LP:2081692)
- nameservice
- nameservice-strict
- add more strict version of abstractions/nameservice
- php
- python
- allow python cache under @{HOME}/.cache/ (MR:1467)
profiles
- php-fpm:
- add support for ArchLinux php-legacy package to php-fpm (MR:1401, AABUG:454)
- widen allowed socket paths (MR:1406, LP:2061113)
- add support for ArchLinux php-legacy package ( MR:1401, AABUG:454, LP:2061113)
- ping
- allow reading /proc/sys/net/ipv6/conf/all/disable_ipv6 (MR:1340, debug1082190)
- Postfix
- Support /usr/libexec/postfix/ path (MR:1330)
- postfix-anvil
- postfix-bounce
- postfix-cleanup
- postfix-discard
- postfix-dnsblog
- postfix-error
- postfix-flush
- postfix-lmtp
- postfix-local
- postfix-master
- postfix-nqmgr
- postfix-oqmgr
- postfix-pickup
- postfix-pipe
- postfix-postscreen
- postfix-proxymap
- postfix-qmgr
- postfix-qmqpd
- postfix-scache
- postfix-showq
- postfix-smtp
- postfix-smtpd
- postfix-spawn
- postfix-tlsmgr
- postfix-trivial-rewrite
- postfix-verify
- postfix-virtual
- usr.sbin.postqueue
- usr.sbin.sendmail
- usr.sbin.sendmail.postfix
- Support /usr/libexec/postfix/ path (MR:1330)
- postfix-master
- add exec perm for postfix-tlsproxy and postscreen (MR:1330)
- postfix-postscreen
- add abstractions/{nameservice,postfix-common} and cache map (MR:1330)
- postfix-showq
- Allow reading queue ID files from /var/spool/postfix/hold/ (MR:1454)
- postfix-smtpd
- postfix-tlsproxy
- add new profile (MR:1330)
- slirp4netns: allow pivot_root (MR:1298, HUB:348)
- transmission
- add attach_disconnected flag (MR:1355, LP:2083548)
- smbd:
- allow capability chown (MR:1456, BOS:1234327)
- zgrep
- deny reading /etc/nsswitch.conf and /etc/passwd (MR:1361)
- dovecot:
- allow reading /proc/sys/kernel/core_pattern (MR:1331)
- bwrap:
- update the bwrap profile so that it will attach to application profiles if present (MR:1435)
- transmission-gtk:
- add attach_disconnected flag (MR:1395, LP:2085377)
- cupsd:
- unshare
- fix deleted files (MR:1521)
Tests
-
auto/build/unit tests
-
Regression:
- fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite (MR:1407)
- resolve some compiler warnings (MR:1407)
- fix regression tests when parent directory contains spaces (MR:1418, MR:1424)
- fix incorrect setfattr call in xattrs_profile (MR:1429)
- add complain mode regression tests (MR:1415)
- check if setfattr exists to run xattr_profile tests (MR:1412)
- fix mult_mount and file_unbindable_mount tests by using a larger loop device (MR:1431, MR:1469)
- add DAC permissions check to the test suite (MR:1411)
- fix swap regression tests on zfs and btrfs (MR:1462, MR:1463, MR:1464)
- fix test infrastructure when a wrapper is specified (MR:1450)
- add test mediation for file access in unbindable mounts (MR:1448)
- separate bash traces from errors (MR:1481)
- Move overlayfs test into include helper and wrap in overlayfs_kernel (MR:1503)
- overlayfs_fuse test that uses a FUSE implementation of overlayfs
- modernize the mount regression test (MR:1449)
-
CI/CD spread tests
- add support for spread tests (MR:1432)
- add support for local kernel (MR:1452)
- add regression tests for snapd mount-control (MR:1445)
- only run coverity in the upstream project
- Use parallelism and make --touch when building in GitLab CI for faster CI times
- Build regression test suite in CI
- cleanups coverity jobs (MR:1491)
- skip profile tests on Fedora (MR:1501)
- snapd/mount-control: improvements (MR:1479)
- add support for spread testing to improve e2e testing
- add immage-garden support
- switch tumbleweed to boot with security=apparmor (MR:1492)
-
build PAM and apparmor modules in spread (MR:1493)
-
enable build tests on Fedora 41 (MR:1496)
-
add integration test for toybox profile tests (MR:1487)
-
add httpd-devel and pam-devel to fedora cloud-init profile (MR:1499)
-
add tool for observing the profile of a given command (MR:1500)
-
unify CI/CD preparation phase (MR:1494)
-
add dosfstools to image-garden cloud-init (MR:1480)
-
add fuse-overlayfs to cloud-init (MR:1495)
-
mark more regression test as known-failures (MR:1483)
-
unify formatting of .gitlab-ci.yml (MR:1510)
-
spread: fix debian system name (MR:1511)
-
spread: Add support for EXPECT_DENIALS in profile tests (MR:1515)
-
run regression tests with spread (self-hosted) (MR:1512)
Documentation
- Upadate man apparmor.d to highlight pivot_root limitation (LP:2087875, MR:1436)
- Add aa-load documentation (MR:1505)
- misc fixes on apparmor.d man page (MR:1516)