Update Release_Notes_4.0 alpha3

John Johansen 2023-08-10 23:26:56 +00:00
parent 8ce1e8339b
commit 51f9fe2e28

@ -1 +1,208 @@
foo
WARNING this is an alpha - NOT released targeted to fall 2023
================================================
AppArmor 4.0-alpha3 was released 2023-07-2??.
# Introduction
AppArmor 4.0 is a major new release of the AppArmor that is in development, these are not complete release notes of everything in alpha2 but just highlighting new or important developments
Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer AppArmor 4 style policy which introduces several new features that are not backwards compatible. As such AppArmor 4.0 will be a short lived release, and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release, please take this into account when including AppArmor 4.0 into a distro release. For questions around compatibility see the compatibility matrix.
# Note
* Some features will work with older kernels but many of the features in apparmor 4 with require a development kernel.
* The kernel portion of the project is maintained and pushed separately.
* AppArmor 4.0 contains all bug fixes and policy updates from apparmor 3.1
* Some new features will not be fully supported in some utilities. In these cases it was decided that releasing a new feature earlier had more benefit than delaying it for full utility support. Please see the feature support matrix.
# Highlighted new features in alpha 2
## New Mediation Rules
## utils
## parser
## misc
## Feature Matrix
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|:---: |:---: |:---: |:---: |:---: |:---:|
|unconfined flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|debug flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| posix mqueue | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| user ns | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| io_uring | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| rootless apparmor_parser | N | N | n/a | N | N |
| extended x index | N | Y <sup>5</sup> | Y | N | Y <sup>2</sup> |
| aa-status filters | N | N | n/a | N | N |
| aa-load | N | N | n/a | Y | N |
| policy overlay | N | Y <sup>3</sup> | n/a | Y | N |
| config overlay | N | Y <sup>3</sup> | n/a | Y | N |
| multiple policy locations | N | Y <sup>3</sup> | n/a | Y | N |
| location specific configs | N | Y <sup>3</sup> | n/a | Y | N |
| deny attachment | Y | Y <sup>1</sup> | N | N | N <sup>4</sup> |
|audit.mode flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| kill.signal flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| attach_disconnected.path flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| quiet audit prefix | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| access rule qualifier | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| complain rule qualifier | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| user conditional | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| inherits rule | Y | Y <sup>1</sup> | N | N | N |
| boolean rule ops | Y | Y <sup>1</sup> | N | N | N |
| ordered rule block | Y | Y <sup>1</sup> | N | N | N |
| rule priority | Y | Y <sup>1</sup> | N | N | N |
| @{parent} variable | Y | N <sup>6</sup> | N | N | N |
| @{attachment} variable | Y | Y <sup>1</sup> | N | N | N |
| kernel supports conditional | Y | Y <sup>1</sup> | N | N | N |
| abi supports conditional | Y | Y <sup>1</sup> | N | N | N |
| rule extends abi | N | N <sup>7</sup> | N | N | N |
| all rule | Y | Y <sup>1</sup> | N | N | N |
| improved -O rule-merge | N | N | n/a | N | N |
| -O rule-refactor | N | N | n/a | N | N |
1. If present in policy will cause previous versions of AppArmor to fail
2. Requires kernel support, policy can be downgraded to work on kernels that do not support.
3. Previous versions of AppArmor may not fail but will not behave correctly
4. Feature can be functionally provided by may not be exactly the same
5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail
6. Will break older policy if variable is not defined. Variable can be manually defined in older parser.
7. AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
## Compatibility
????
TODO: before release
- remove parser.conf pin
-
wip - not in this alpha, not guaranteed to land in 4.0
- kernel & userspace
- in policy stream conditionals
- ioctl
- user
- policy
- attachment
- user mediation
- owner=
- conditionals
- owner
- mac_override (for change_hat, hardlink, mv, bind mount)
- case insensite fs ???
- extended rule blocks
- ordered rule blocks
- bpf mediation
- ioctl mediation
- module mediation
- sysv mqueue
- io_uring
- revised af_unix
- fine grained ipv4/ipv6
- ns
- tracking
- pivot root var setting
- setns
- conditionals around what other namespaces being created
- profile flags
- prompt
- unconfined
- per profile audit control flags audit.mode=XXX
- debug
- kill.signal
- attach_disconnected.path
- extended perms
- dfa32
- still need accept2 cond command table
- userspace support for full width of bits and mappings
- kernel bit mapping of userspace so we can do merge
- reduce file table size by conditional on only accept states that are different
- raw text in policy
- compressed cache
- additional restrictions policy guard restrictions
- change_profile - stack if not policy admin, mac_override
- policy conditional to allow specifying in policy
- link - fail if not mac override
- policy conditional to allow specifying in policy
- rename - fail if not mac override
- policy conditional to allow specifying in policy
- bind - fail if not mac override
- policy conditional to allow specifying in policy
- unconfined
- additional restrictions around link, change_profile, rename, bind
- replace unconfined
- kernel
- per ns control of unmediated
- force mediation on unmediated
- force mediation on complain
- deal with stacked attachment lookup
- optimize stacking name lookup to
- single buffer alloc
- single name lookup
- audit caching
- complain
- improved complain learning
- ioctl interface
- message dedup
- merge file and policy db dfa
- dedup, file and policy code paths
- improve shared code callback
- refcount policydb
- shared dfa, and policydb
- rewrite apparmorfs
- dynamic
- ima support
- userspace
- new access modes
- complain, prompt, access
- new audit prefix
- quiet
- in_policy_abi()
- warn when rule in use but not in policy abi
- turn on/ignore/...
- mount
- per fs mount option matching. ??? does kernel need anything more???
- allow all
- aa_load
- drop root check
- userspace binary dfa
- policy debug
- improved rule prefixes
- allow all
- policy overlays
- extended xindex (part of extended perms)
- boolean ops
- policy hash
- kernel supports conditionals
- improved policy conditionals
- dominance fix
- fs specific mount option matching
- expr simplify optimizations
- policy
- new abi
- remove unconfined from policy
-
-
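Review bot: The release date in "AppArmor 4.0-alpha3 was released 2023-07-2??." is still a placeholder and the "## Compatibility" section body is only "????", yet the introduction tells readers "For questions around compatibility see the compatibility matrix"; please fill in the date and either write the compatibility section or mark it TODO like the work-in-progress list further down, since footnote 1 says several of the listed features will cause previous AppArmor versions to fail, which is exactly what distro packagers will look for. The introduction and the "# Highlighted new features in alpha 2" heading still describe alpha2 even though this commit updates the notes for alpha3, so those references should be bumped, and the three "## New Mediation Rules", "## utils", "## parser" and "## misc" subsections are empty headings. The stray "foo" line at the top of the file looks like leftover scratch text. A few typos worth fixing before this ships: "Apprmor" in the second paragraph, "with require a development kernel" (should be "will require"), footnote 4 "functionally provided by may not be" (should be "but may not be"), and "case insensite fs" in the wip list.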