Update Release_Notes_4.1 beta5

John Johansen 2025-02-19 02:52:20 +00:00
parent 2cb3e48acb
commit 6677d5d3fc

@ -1 +1,154 @@
TODO
WARNING this is a beta - NOT a final release
================================================
AppArmor 4.1~beta4 was released on 2025-02-11.
# Introduction
AppArmor 4.1 is a major new release of the AppArmor that is in development.
Apprmor 4.1 is a long term stable (5 years of support) release for the AppArmor 4.x policy which introduces several new features that are not backwards compatible.
These release notes cover changes between ```AppArmor-4.1~beta1 and AppArmor-4.1~beta4``` (Note: includes notes for Beta2 and Beta3 which was dropped due to technical issues).
# Notes
- This Release contains bug fixes to AppArmor 4.1 beta1, beta2, beta3.
- This release includes new CI E2E testing via the spread frame work. A big thanks to Zygmunt Krynicki for all his work on improving the testing.
## Known issues
* profile: unshare has a known issue around profile transitions
* utils do not handle priorities in rules
* utils do not handle leading permissions
* utils crash if they can't parse all files in the profile directory
* mount rules
* control of disconnect mounts is missing
* handling of conflicting mount options is not backwards compatible
# Obtaining the Release
This beta release is only available through gitlab
**Important note:** the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
* libapparmor `autogen.sh` is already done, meaning distros only need to use ./configure in their build setup
* the docs for everything but libapparmor have already been built
### gitlab
- https://gitlab.com/apparmor/apparmor/-/releases/4.1.0-beta4
# Changes in this Release
## Misc
- apparmor.vim
- add missing units for rlimit cpu and rttime ([MR:1336](https://gitlab.com/apparmor/apparmor/-/merge_requests/1336))
- aa-remove-unknown
- fix readability check ([MR:1438](https://gitlab.com/apparmor/apparmor/-/merge_requests/1438), [HUBMR:285915](https://github.com/NixOS/nixpkgs/pull/285915), [HUB:273164](https://github.com/NixOS/nixpkgs/issues/273164))
- aa-status
- fix json generation ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470))
- replace uses of `which` for `command -v` for POSIX compatibility and to fix running the test suite on openSUSE Tumbleweed ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
# Bug Fixes
- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306))
- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309))
- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307))
- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427))
- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429))
- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430))
- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435))
- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436))
- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399))
- fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407))
- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462))
- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
- fix equality tests for priority ([MR:1455](https://gitlab.com/apparmor/apparmor/-/merge_requests/1455))
- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
- fix json generation on aa-status ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470))
- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
## Libraries
- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309))
- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435))
- Improvements to the SWIG bindings (https://gitlab.com/apparmor/apparmor/-/merge_requests/1338, https://gitlab.com/apparmor/apparmor/-/merge_requests/1342, [AABUG:439](https://gitlab.com/apparmor/apparmor/-/issues/439), https://gitlab.com/apparmor/apparmor/-/merge_requests/1352, https://gitlab.com/apparmor/apparmor/-/merge_requests/1337, https://gitlab.com/apparmor/apparmor/-/merge_requests/1334)
- fixes to the SWIG bindings for SWIG 4.3 and later ([AABUG:475](https://gitlab.com/apparmor/apparmor/-/issues/475), [MR:1504](https://gitlab.com/apparmor/apparmor/-/merge_requests/1504))
## policy compiler (aka apparmor_parser)
- add port range support on network policy ([MR:1321](https://gitlab.com/apparmor/apparmor/-/merge_requests/1321))
- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462))
- improve profile build and dump info
- add the abilitiy to dump the permissions table ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
- add the accept2 table entry to the chfa dump ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
- fix and cleanup libapparmor_re/Makefile ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
- restore MatchFlag dump from being hex encoded to decimal ([MR:1419](https://gitlab.com/apparmor/apparmor/-/merge_requests/1419))
- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
- replace uses of MS_SYNC by MS_SYNCHRONOUS in mount flags ([MR:1458](https://gitlab.com/apparmor/apparmor/-/merge_requests/1458))
- add separator between mount flags in dump_flags ([MR:1465](https://gitlab.com/apparmor/apparmor/-/merge_requests/1465))
- allow make-* flags with remount operations ([MR:1466](https://gitlab.com/apparmor/apparmor/-/merge_requests/1466), [LP:2091424](https://bugs.launchpad.net/bugs/2091424))
- convert uint to unsigned int ([MR:1478](https://gitlab.com/apparmor/apparmor/-/merge_requests/1478))
- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307))
- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399))
- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
- fix priority so it is handled on a per permission basis ([MR:1522](https://gitlab.com/apparmor/apparmor/-/merge_requests/1522))
## Utils
- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306))
- improve UX when allowing rules in aa-notify and update the man page ([MR:1313](https://gitlab.com/apparmor/apparmor/-/merge_requests/1313))
- store the child profile/hat name if we are in a child profile or hat instead of the main profile ([MR:1359](https://gitlab.com/apparmor/apparmor/-/merge_requests/1359))
- aa-mergeprof: prevent backtrace if file not found ([MR:1403](https://gitlab.com/apparmor/apparmor/-/merge_requests/1403))
- Remove match statements in utils for older Python compatibility ([MR:1440](https://gitlab.com/apparmor/apparmor/-/merge_requests/1440))
- fixes/workarounds for python 3.13 missing cgitb ([MR:1439](https://gitlab.com/apparmor/apparmor/-/merge_requests/1439), [AABUG:447](https://gitlab.com/apparmor/apparmor/-/issues/447))
- fix E502 error on Python 3.11 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
- limit buildpath.py setuptools version check to the relevant bits ([MR:1460](https://gitlab.com/apparmor/apparmor/-/merge_requests/1460))
- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427))
- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429))
- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430))
- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436))
- look for 'file' class when parsing logs ([AABUG:478](https://gitlab.com/apparmor/apparmor/-/issues/478), [MR:1507](https://gitlab.com/apparmor/apparmor/-/merge_requests/1507))
## Policy
#### abstractions
- dconf
- use @{etc_ro} instead of `/etc/... r,` ([MR:1402](https://gitlab.com/apparmor/apparmor/-/merge_requests/1402))
- allow write access to /run/user/*/dconf/user ([MR:1471](https://gitlab.com/apparmor/apparmor/-/merge_requests/1471))
- mesa
- allow ~/.cache/mesa_shader_cache_db/ ([MR:1333](https://gitlab.com/apparmor/apparmor/-/merge_requests/1333), [LP:2081692](https://bugs.launchpad.net/bugs/2081692))
- nameservice
* support name resolution via libnss-libvirt ([MR:1362](https://gitlab.com/apparmor/apparmor/-/merge_requests/1362))
* include abstractions/nameservice-strict ([MR:1373](https://gitlab.com/apparmor/apparmor/-/merge_requests/1373))
* tighten libnss_libvirt file access ([MR:1379](https://gitlab.com/apparmor/apparmor/-/merge_requests/1379))
- nameservice-strict
- add more strict version of abstractions/nameservice
- php
- add support for ArchLinux php-legacy package to php-fpm ([MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454))
- python
- allow python cache under @{HOME}/.cache/ ([MR:1467](https://gitlab.com/apparmor/apparmor/-/merge_requests/1467))
#### profiles
- php-fpm:
## Tests
- CI/CD spread tests
- provide better output on failures ([MR:1548](https://gitlab.com/apparmor/apparmor/-/merge_requests/1548))
- mark fixed regression tests ([MR:1547](https://gitlab.com/apparmor/apparmor/-/merge_requests/1547))
## Documentation
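Review bot: The commit title says beta5, but the release line, the covered range and the download link in the added text all still name beta4: `AppArmor 4.1~beta4 was released on 2025-02-11`, `AppArmor-4.1~beta1 and AppArmor-4.1~beta4`, and the gitlab URL ending in `4.1.0-beta4`. Either update those three places for beta5 or retitle the commit, so a reader verifying which tarball these notes describe is not pointed at the wrong release. Under `# Bug Fixes`, the entry for MR:1408 / AABUG:461 ("do not change auditing information when applying deny") appears twice, once prefixed "fix" and once "bug fix"; drop one. `# Bug Fixes` is a top-level heading sitting between `## Misc` and `## Libraries`, which pulls Libraries, policy compiler, Utils, Policy, Tests and Documentation out from under "Changes in this Release"; it should probably be `## Bug Fixes`. `- php-fpm:` under profiles and `## Documentation` have no entries and should be filled in or removed. Spelling: "Apprmor" in the introduction and "abilitiy" in the permissions table dump entry.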