mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update Kernel_Feature_Matrix

John Johansen 2019-04-16 20:08:05 +00:00
parent 8e3f628871
commit 690b06036c
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Kernel_Feature_Matrix.md

@ -9,7 +9,7 @@
| 3.5 | Fail exec transitions due to no_new_privs<ul><li>unconfined is allowed to transition to anything</li><li>inherit is allowed when task has nnp set</li><li>all other domain transitions are blocked when a task has nnp set</li><li>Bug fixes and code cleanups</li></ul> | |
| 3.6 - 3.10 | Bug fixes and code cleanups | |
| 3.11 | <ul><li>relax restrictions on setting rlimits</li> <li>Bug fixes and code cleanups</li></ul> | |
| 3.12 | <ul><li>support unconfined flag on any profile</li><li>support multiple profiles being loaded in a single write</li><li>introspection interface<ul><li>add ability to query whether apparmor is enabled</li><li>allow introspecting the loaded set of profiles virtualized to the opening tasks namespace via the <i>profiles</i> file</li><li>add <i>policy/</i> directory which can be used to introspect profiles and namespaces of loaded policy<ul><li> add <i>policy/namespaces/</i> dir to introspect policy namespaces</li><li>add <i>policy/profiles/</i> dir to report on profiles loaded into the current namespace<ul><li>report profile name <i>policy/profiles/PROFILE/name</i></li><li>report profile mode <i>policy/profiles/PROFILE/mode</i></li><li>report sha1 of profile <i>policy/profiles/PROFILE/sha1</i></li><li>allow human readable attachment string to be loaded and reported in the <i>policy/profiles/PROFILE/attach</i></li></ul></li></ul></li></ul></li><li>feature set<ul><li>export set of capabilities supported</li></ul></li><li>Bug fixes and code cleanups</li></ul> | |
| 3.12 | <ul><li>support unconfined flag on any profile<sup>9</sup></li><li>support multiple profiles being loaded in a single write<sup>1</sup></li><li>introspection interface<ul><li>add ability to query whether apparmor is enabled<sup>?</sup></li><li>allow introspecting the loaded set of profiles virtualized to the opening tasks namespace via the <i>profiles</i> file<sup>?</sup></li><li>add <i>policy/</i> directory which can be used to introspect profiles and namespaces of loaded policy<sup>?</sup><ul><li> add <i>policy/namespaces/</i> dir to introspect policy namespaces</li><li>add <i>policy/profiles/</i> dir to report on profiles loaded into the current namespace<ul><li>report profile name <i>policy/profiles/PROFILE/name</i></li><li>report profile mode <i>policy/profiles/PROFILE/mode</i></li><li>report sha1 of profile <i>policy/profiles/PROFILE/sha1</i></li><li>allow human readable attachment string to be loaded and reported in the <i>policy/profiles/PROFILE/attach</i></li></ul></li></ul></li></ul></li><li>feature set<ul><li>export set of capabilities supported</li></ul></li><li>Bug fixes and code cleanups</li></ul> | |
| 3.13 - 4.7 | Bug fixes and code cleanups | |
| 4.8 | <ul><li>allow CAP_SYS_RESOURCE to prlimit another task</li><li>add kernel parameter and kconfig to allow controlling if profile hashing is used</li><li>Bug fixes and code cleanups</li></ul> | |
| 4.9 - 4.10 | Bug fixes and code cleanups | |