Update Release_Notes_4.0

2025-03-04 16:35:02 +01:00 · 2023-05-12 03:25:53 +00:00 · 2023-05-12 03:25:53 +00:00 · 00f41ad395
commit 00f41ad395
parent 06d7a41da9
1 changed files with 134 additions and 72 deletions
--- a/Release_Notes_4.0.md
+++ b/Release_Notes_4.0.md
@ -1,107 +1,169 @@
-WARNING WIP - NOT released targeted to fall 2017
+WARNING WIP - NOT released targeted to fall 2023
 ================================================

 This release has not happened and these notes will be revised

-Introduction
-============
+AppArmor 3.0 was released 2020-10-01.

-AppArmor 4.0 is major release of the user space components of the
-AppArmor security project. The kernel portion of the project is
-maintained and pushed separately. This release resynchronizes
-the versioning used for the kernel module and the userspace
-components. While incremental in nature it supports new features that
-allow fundamental shifts in how policy is used.
+# Introduction

-This version of the userspace should work with all kernel versions
-from 2.6.15 and later (some earlier version of the kernel if they
-have the apparmor patches applied), however dependent on the kernel
-used not all features will be supported or available. And supports
-features released in the 4.14 kernel and ubuntu 17.10 kernel.
+AppArmor 4.0 is a major new release of the AppArmor user space that makes several important change to policy development and support. Its focus is transitioning policy to the new policy features.

-**Note**: These release notes cover all changes between 2.11 and 4.0
+Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer AppArmor 4 style policy which introduces several new features that are not backwards compatible. As such AppArmor 4.0 will be a short lived release, and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release, please take this into account when including AppArmor 4.0 into a distro release.

-What happened to AppArmor 3.x
-=============================
+This version of the userspace should work with all kernel versions from
+2.6.15 and later (some earlier version of the kernel if they have the
+apparmor patches applied). And supports features released in the 4.20
+kernel.

-3.x versioning was used during the development of the labeling
-kernel module that has evolved over time into the 4.0 release. With
-the 4.0 release the versioning of the userspace and kernel are being
-synchronized to help indicate the relationship between the userspace
-tools and the kernel module.
+Note: that while older kernels are supported, not all features available in AppArmor 4.0 policy can be enforced on older kernels.

-Note
-====
+The kernel portion of the project is maintained and pushed separately.

-There is a semantic change in the 4.8 kernel (commit
-9f834ec18defc369d73ccf9e87a2790bfa05bf46) that affects apparmor policy
-enforcement. Specifically it affects when the m permission bit is
-checked for elf binary executables. Policy within apparmor 4.0 have
-been updated to account for this, but old policy brought forward to
-newer kernels may have to be updated.

-Highlighted new features
-========================
+# Highlighted new features

-   extended change\_hat?
-   updated pam\_apparmor?
-   policy versioning and vars?
-   policy update revision support?
-   policy caching?
-   userspace matching?
-   fully virtualized policy namespaces
-   namespace views and scopes
-   default profiles
-   experimental X mediation
+- boolean policy operations
+- block prefxes
+- policy overlays

-Detailed changelog
-==================

-parser
------

-libapparmor
-----------
+- Policy now must declare the feature abi it was developed for if it is to use any new features. For further information please see the [wiki](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorpolicyfeaturesabi).
+- The use of profile names that are based on pathnames are deprecated. For further information please see the [wiki](https://gitlab.com/apparmor/apparmor/-/wikis/DeprecateProfilePathName).
+- Support for new kernel features (requires appropriate features abi tagging in policy)
+  - upstream v8 network socket rules
+  - [xattr attachment conditionals](https://gitlab.com/apparmor/apparmor/-/wikis/manpage_apparmor_xattrs.7)
+  - capabilities PERFMON and BPF
+- rewritten aa-status
+  - supports use in systems/images where python is not available
+  - supports kill, unconfined and mixed profile modes
+- rewritten aa-notify
+  - move from perl to python 3
+  - shared backend with other python tools
+  - support use of aa.CONFDIR instead of hard coded /etc/apparmor
+  - improved message layout
+- improved support for kernels that support LSM stacking
+- support profile modes
+  - enforce (default when no mode flag is supplied)
+  - kill (experimental)
+  - unconfined (experimental)
+- reference policy updated for 3.0 feature abi
+- basic support for [systemd v246 early load of apparmor policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads).
+- new tool [aa-features-abi](https://gitlab.com/apparmor/apparmor/-/wikis/manpage_aa-features-abi.1) for extracting feature abis from the kernel

-Utils
-----
+# Important Notes

-aa-status: ?
+- gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
+  - libapparmor ```autogen.sh``` is already done, meaning distros only need to use ./configure in their build setup
+  - the docs for everything but libapparmor have already been built

-aa-unconfined: ?
+- Potentially breaking changes:

-aa-logprof, aa-genprof, aa-mergeprof ?
+- ????
+- ????
+# Obtaining the Release

-Policy
------
+There are two ways to obtain this release either through gitlab or a tarball in launchpad. Important note: the gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
+  - libapparmor ```autogen.sh``` is already done, meaning distros only need to use ./configure in their build setup
+  - the docs for everything but libapparmor have already been built

-abstractions: ?
+### gitlab release
+- https://gitlab.com/apparmor/apparmor/-/releases/v4.0.0

-dnsmasq profile: ?
+### Launchpad Tarball
+-   <https://launchpad.net/apparmor/4.0/4.0/+download/apparmor-4.0.0.tar.gz>
+-   sha256sum: XXX
+-   signature: <https://launchpad.net/apparmor/4.0/4.0/+download/apparmor-4.0.0.tar.gz.asc>

-Dovecot profiles: ?
+# Changes in this Release

-Samba profiles: ?
+These release notes cover all changes between 3.1 (XXX) and 4.0 (XXXX) [apparmor-4.0 branch](https://gitlab.com/apparmor/apparmor/tree/apparmor-4.0).

-other profile changes: ?
+Includes all the bug fixes and improvements in
+- [3.1.1](Release_Notes_3.1.1)
+- [3.1.2](Release_Notes_3.1.2)
+- [3.1.3](Release_Notes_3.1.3)
+- [3.1.4](Release_Notes_3.1.4)

-Documentation
-------------

-apparmor.d manpage: ?
+And the following improvements

-Utils: ?
+## General improvments
+- 
+## Build Infrastructure
+- 

-Library manpages: ?
+## Policy Compiler (a.k.a apparmor\_parser)
+- 

-Build: ?

-tests
-----

-?
+## Init
+- XXX
+-
+- aa-teardown
+  - 

-other changes
-------------

-?
+## Library
+  - XXXX
+
+
+
+## Utils
+- aa-enabled
+  - XXXX
+- aa-status
+  - filters XXX
+- aa-exec
+  - 
+- aa-decode
+  - 
+- aa-notify
+  - 
+- genprof, logprof and aa python library,
+
+## Policy
+- XXXX
+
+#### abstractions
+  - General changes
+    - XXXX
+  - apache2-common
+    - XXXX
+  - base
+    - XXXX
+
+#### profiles
+  - General changes
+    - XXX
+  - chromium profile
+    - XXXX
+
+## Documentation
+  - XXXX
+  - apparmor.d
+    - XXX
+  - apparmor_parser    
+    - XXX
+  - apparmor
+    - XXX
+  - aa-status
+    - document filters
+  - libapparmor
+    - XXX
+
+
+
+## Translations
+- sync translation from launchpad
+
+
+## Tests
+
+-regression tests
+
+
+
+# Note