Update Release_Notes_4.0 alpha2
parent
51f9fe2e28
commit
0d004ce7a2
1 changed files with 42 additions and 25 deletions
|
@ -31,37 +31,34 @@ Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer
|
|||
|:---: |:---: |:---: |:---: |:---: |:---:|
|
||||
|unconfined flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
|debug flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| posix mqueue | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| user ns | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| io_uring | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| rootless apparmor_parser | N | N | n/a | N | N |
|
||||
| extended x index | N | Y <sup>5</sup> | Y | N | Y <sup>2</sup> |
|
||||
| aa-status filters | N | N | n/a | N | N |
|
||||
| aa-load | N | N | n/a | Y | N |
|
||||
| policy overlay | N | Y <sup>3</sup> | n/a | Y | N |
|
||||
| config overlay | N | Y <sup>3</sup> | n/a | Y | N |
|
||||
| multiple policy locations | N | Y <sup>3</sup> | n/a | Y | N |
|
||||
| location specific configs | N | Y <sup>3</sup> | n/a | Y | N |
|
||||
| deny attachment | Y | Y <sup>1</sup> | N | N | N <sup>4</sup> |
|
||||
|audit.mode flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| kill.signal flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| attach_disconnected.path flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
|promt flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
|*audit.mode flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| *kill.signal flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| *attach_disconnected.path flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| quiet audit prefix | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| rule priority qualifier| Y | Y <sup>1</sup> | N | N | N |
|
||||
| access rule qualifier | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| complain rule qualifier | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| user conditional | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| prompt rule qualifier | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| ordered rule block | Y | Y <sup>1</sup> | N | N | N |
|
||||
| inherits rule | Y | Y <sup>1</sup> | N | N | N |
|
||||
| boolean rule ops | Y | Y <sup>1</sup> | N | N | N |
|
||||
| ordered rule block | Y | Y <sup>1</sup> | N | N | N |
|
||||
| rule priority | Y | Y <sup>1</sup> | N | N | N |
|
||||
| @{parent} variable | Y | N <sup>6</sup> | N | N | N |
|
||||
| @{attachment} variable | Y | Y <sup>1</sup> | N | N | N |
|
||||
| kernel supports conditional | Y | Y <sup>1</sup> | N | N | N |
|
||||
| abi supports conditional | Y | Y <sup>1</sup> | N | N | N |
|
||||
| rule extends abi | N | N <sup>7</sup> | N | N | N |
|
||||
| all rule | Y | Y <sup>1</sup> | N | N | N |
|
||||
| * @{parent} variable | Y | N <sup>6</sup> | N | N | N |
|
||||
| * @{attachment} variable | Y | Y <sup>1</sup> | N | N | N |
|
||||
| *deny attachment | Y | Y <sup>1</sup> | N | N | N <sup>4</sup> |
|
||||
| rootless apparmor_parser | N | N | n/a | N | N |
|
||||
| extended x index | N | Y <sup>5</sup> | Y | N | Y <sup>2</sup> |
|
||||
| *rule extends abi | N | N <sup>7</sup> | N | N | N |
|
||||
| *all rule | Y | Y <sup>1</sup> | N | N | N |
|
||||
| improved -O rule-merge | N | N | n/a | N | N |
|
||||
| -O rule-refactor | N | N | n/a | N | N |
|
||||
| *policy overlay | N | Y <sup>3</sup> | n/a | Y | N |
|
||||
| *config overlay | N | Y <sup>3</sup> | n/a | Y | N |
|
||||
| posix mqueue | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| user ns | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| aa-status filters | N | N | n/a | N | N |
|
||||
| aa-load | N | N | n/a | Y | N |
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -74,6 +71,26 @@ Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer
|
|||
6. Will break older policy if variable is not defined. Variable can be manually defined in older parser.
|
||||
7. AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
|
||||
|
||||
in beta
|
||||
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|
||||
|:---: |:---: |:---: |:---: |:---: |:---:|
|
||||
| *io_uring | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| *port level network | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
* io_uring needed for unprivilege unconfined constraint around io_uring
|
||||
*
|
||||
|
||||
AppArmor 4.1 or later
|
||||
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|
||||
|:---: |:---: |:---: |:---: |:---: |:---:|
|
||||
|
||||
| multiple policy locations | N | Y <sup>3</sup> | n/a | Y | N |
|
||||
| location specific configs | N | Y <sup>3</sup> | n/a | Y | N |
|
||||
| user conditional | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|
||||
| -O rule-refactor | N | N | n/a | N | N |
|
||||
| kernel supports conditional | Y | Y <sup>1</sup> | N | N | N |
|
||||
| abi supports conditional | Y | Y <sup>1</sup> | N | N | N |
|
||||
|
||||
|
||||
|
||||
## Compatibility
|
||||
|
||||
|
|