mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update Release_Notes_4.1 beta5

John Johansen 2025-02-19 03:05:46 +00:00
parent 6677d5d3fc
commit 4af3f8775a
1 changed files with 22 additions and 91 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

113
Release_Notes_4.1-beta5.md

@ -14,7 +14,7 @@ These release notes cover changes between ```AppArmor-4.1~beta1 and AppArmor-4.1
# Notes
- This Release contains bug fixes to AppArmor 4.1 beta1, beta2, beta3.
- This Release contains bug fixes to AppArmor 4.1 beta4
- This release includes new CI E2E testing via the spread frame work. A big thanks to Zygmunt Krynicki for all his work on improving the testing.
## Known issues
@ -38,112 +38,41 @@ This beta release is only available through gitlab
### gitlab
- https://gitlab.com/apparmor/apparmor/-/releases/4.1.0-beta4
- https://gitlab.com/apparmor/apparmor/-/releases/4.1.0-beta5
# Changes in this Release
## Misc
- apparmor.vim
- add missing units for rlimit cpu and rttime ([MR:1336](https://gitlab.com/apparmor/apparmor/-/merge_requests/1336))
- aa-remove-unknown
- fix readability check ([MR:1438](https://gitlab.com/apparmor/apparmor/-/merge_requests/1438), [HUBMR:285915](https://github.com/NixOS/nixpkgs/pull/285915), [HUB:273164](https://github.com/NixOS/nixpkgs/issues/273164))
- aa-status
- fix json generation ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470))
- replace uses of `which` for `command -v` for POSIX compatibility and to fix running the test suite on openSUSE Tumbleweed ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
# Bug Fixes
- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306))
- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309))
- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307))
- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427))
- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429))
- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430))
- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435))
- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436))
- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399))
- fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407))
- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462))
- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
- fix equality tests for priority ([MR:1455](https://gitlab.com/apparmor/apparmor/-/merge_requests/1455))
- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
- fix json generation on aa-status ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470))
- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
## Libraries
- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309))
- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435))
- Improvements to the SWIG bindings (https://gitlab.com/apparmor/apparmor/-/merge_requests/1338, https://gitlab.com/apparmor/apparmor/-/merge_requests/1342, [AABUG:439](https://gitlab.com/apparmor/apparmor/-/issues/439), https://gitlab.com/apparmor/apparmor/-/merge_requests/1352, https://gitlab.com/apparmor/apparmor/-/merge_requests/1337, https://gitlab.com/apparmor/apparmor/-/merge_requests/1334)
- fixes to the SWIG bindings for SWIG 4.3 and later ([AABUG:475](https://gitlab.com/apparmor/apparmor/-/issues/475), [MR:1504](https://gitlab.com/apparmor/apparmor/-/merge_requests/1504))
## policy compiler (aka apparmor_parser)
- add port range support on network policy ([MR:1321](https://gitlab.com/apparmor/apparmor/-/merge_requests/1321))
- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462))
- improve profile build and dump info
- add the abilitiy to dump the permissions table ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
- add the accept2 table entry to the chfa dump ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
- fix and cleanup libapparmor_re/Makefile ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
- restore MatchFlag dump from being hex encoded to decimal ([MR:1419](https://gitlab.com/apparmor/apparmor/-/merge_requests/1419))
- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
- replace uses of MS_SYNC by MS_SYNCHRONOUS in mount flags ([MR:1458](https://gitlab.com/apparmor/apparmor/-/merge_requests/1458))
- add separator between mount flags in dump_flags ([MR:1465](https://gitlab.com/apparmor/apparmor/-/merge_requests/1465))
- allow make-* flags with remount operations ([MR:1466](https://gitlab.com/apparmor/apparmor/-/merge_requests/1466), [LP:2091424](https://bugs.launchpad.net/bugs/2091424))
- convert uint to unsigned int ([MR:1478](https://gitlab.com/apparmor/apparmor/-/merge_requests/1478))
- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307))
- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399))
- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
- fix priority so it is handled on a per permission basis ([MR:1522](https://gitlab.com/apparmor/apparmor/-/merge_requests/1522))
# Build & Infrastructure
- utils
- allow install locations to be overridden in Makefile ([MR:1542](https://gitlab.com/apparmor/apparmor/-/merge_requests/1542))
- aa-notify
- fix package build install of polkit files ([MR:1540](https://gitlab.com/apparmor/apparmor/-/merge_requests/1540), [AABUG:486](https://gitlab.com/apparmor/apparmor/-/issues/486))
- libapparmor
- build fixes for 32-bit systems and older systems ([MR:1536](https://gitlab.com/apparmor/apparmor/-/merge_requests/1536))
## Utils
- aa-genprof
- fix failure on lxd with OSError: Read-only file system ([MR:1539](https://gitlab.com/apparmor/apparmor/-/merge_requests/1539))
- aa-notify
- rename polkit files and template info from com.ubuntu ([MR:1540](https://gitlab.com/apparmor/apparmor/-/merge_requests/1540), [MR:1541](https://gitlab.com/apparmor/apparmor/-/merge_requests/1541), [AABUG:486](https://gitlab.com/apparmor/apparmor/-/issues/486))
- aa-notify: make ttkthemes conditional - extracted and backported from [MR:](https://gitlab.com/apparmor/apparmor/-/merge_requests/1324)
- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306))
- improve UX when allowing rules in aa-notify and update the man page ([MR:1313](https://gitlab.com/apparmor/apparmor/-/merge_requests/1313))
- store the child profile/hat name if we are in a child profile or hat instead of the main profile ([MR:1359](https://gitlab.com/apparmor/apparmor/-/merge_requests/1359))
- aa-mergeprof: prevent backtrace if file not found ([MR:1403](https://gitlab.com/apparmor/apparmor/-/merge_requests/1403))
- Remove match statements in utils for older Python compatibility ([MR:1440](https://gitlab.com/apparmor/apparmor/-/merge_requests/1440))
- fixes/workarounds for python 3.13 missing cgitb ([MR:1439](https://gitlab.com/apparmor/apparmor/-/merge_requests/1439), [AABUG:447](https://gitlab.com/apparmor/apparmor/-/issues/447))
- fix E502 error on Python 3.11 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
- limit buildpath.py setuptools version check to the relevant bits ([MR:1460](https://gitlab.com/apparmor/apparmor/-/merge_requests/1460))
- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427))
- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429))
- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430))
- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436))
- look for 'file' class when parsing logs ([AABUG:478](https://gitlab.com/apparmor/apparmor/-/issues/478), [MR:1507](https://gitlab.com/apparmor/apparmor/-/merge_requests/1507))
## Policy
#### abstractions
- tunables
- add letter, alphanumeric character, int, hex and words variables ([MR:1546](https://gitlab.com/apparmor/apparmor/-/merge_requests/1546), [MR:1544](https://gitlab.com/apparmor/apparmor/-/merge_requests/1544))
- new devices-usb & devices-usb-read ([MR:1545](https://gitlab.com/apparmor/apparmor/-/merge_requests/1545))
- dconf
- use @{etc_ro} instead of `/etc/... r,` ([MR:1402](https://gitlab.com/apparmor/apparmor/-/merge_requests/1402))
- allow write access to /run/user/*/dconf/user ([MR:1471](https://gitlab.com/apparmor/apparmor/-/merge_requests/1471))
- mesa
- allow ~/.cache/mesa_shader_cache_db/ ([MR:1333](https://gitlab.com/apparmor/apparmor/-/merge_requests/1333), [LP:2081692](https://bugs.launchpad.net/bugs/2081692))
- nameservice
* support name resolution via libnss-libvirt ([MR:1362](https://gitlab.com/apparmor/apparmor/-/merge_requests/1362))
* include abstractions/nameservice-strict ([MR:1373](https://gitlab.com/apparmor/apparmor/-/merge_requests/1373))
* tighten libnss_libvirt file access ([MR:1379](https://gitlab.com/apparmor/apparmor/-/merge_requests/1379))
- nameservice-strict
- add more strict version of abstractions/nameservice
- php
- add support for ArchLinux php-legacy package to php-fpm ([MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454))
- python
- allow python cache under @{HOME}/.cache/ ([MR:1467](https://gitlab.com/apparmor/apparmor/-/merge_requests/1467))
#### profiles
- php-fpm:
- unshare
- fix non-user-namespace-related sandbox bypass in unshare profile ([MR:1533](https://gitlab.com/apparmor/apparmor/-/merge_requests/1533))
## Tests
- CI/CD spread tests
@ -151,4 +80,6 @@ This beta release is only available through gitlab
- mark fixed regression tests ([MR:1547](https://gitlab.com/apparmor/apparmor/-/merge_requests/1547))
## Documentation
- apparmor.d: document how variable expansion and path sanitization works ([MR:1532](https://gitlab.com/apparmor/apparmor/-/merge_requests/1532))