mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
Update Kernel_Feature_Matrix
parent
690b06036c
commit
6b4f009901
1 changed files with 1 additions and 1 deletions
|
@ -18,7 +18,7 @@
|
||||||
| 4.13 | <ul><li>add v7 abi</li><li>speedup path lookups with preallocated buffers</li><li>revalidate files at exec transition time</li><li>fine grained ptrace mediation</li><li>domain bounding through profile stacking<ul><li>profile stacking api</li><li>extended change_profile to support profile stacking</li><li>support profile stacks in exec transitions</li></ul></li><li>apparmorfs interface<ul><li> apparmorfs policy virtualization<ul><li>the <i>policy/</i> entry is now a special symlink to a virtualized policy directory</li><li><i>policy/</i> directory is now virtualized based on opening task confinement so tasks can only see the subset of policy in their view</li></ul></li> <li>add namespace level rawdata files<ul><li>unique profile based rawdata files for each namespace in <i>policy/raw_data/</i></li><li> profile raw_data files are now a symlink to the appropriate <i>policy/raw_data/</i> files.</li></ul></li><li>mkdir/rmdir fs based interface for creating namespaces<ul><li>mkdir <i>policy/namespaces/NAMESPACE</i></li><li>rmdir policy/namespaces/NAMESPACE</li></ul></li><li>revision file interface<ul><li>read current policy revision and select/poll for when policy changes via<ul><li> <i>revision</i> for reading the current task's policy namespace revision</li><li><i>policy/revision for the current namespace revision</li><li><i>policy/namespaces/NAMESPACE/revision</i> for a given namespace policy revision</li></ul></li></ul></li><li>query interface<ul><li>support multiple queries per query transaction</li><li>support querying if a profile supports a given mediation type</li></ul></li></ul></li><li>features set<ul><li>add namespace support to available feature set</li><li>add label data query availability to feature set</li></ul></li><li>Bug fixes and code cleanups</li></ul> | |
|
| 4.13 | <ul><li>add v7 abi</li><li>speedup path lookups with preallocated buffers</li><li>revalidate files at exec transition time</li><li>fine grained ptrace mediation</li><li>domain bounding through profile stacking<ul><li>profile stacking api</li><li>extended change_profile to support profile stacking</li><li>support profile stacks in exec transitions</li></ul></li><li>apparmorfs interface<ul><li> apparmorfs policy virtualization<ul><li>the <i>policy/</i> entry is now a special symlink to a virtualized policy directory</li><li><i>policy/</i> directory is now virtualized based on opening task confinement so tasks can only see the subset of policy in their view</li></ul></li> <li>add namespace level rawdata files<ul><li>unique profile based rawdata files for each namespace in <i>policy/raw_data/</i></li><li> profile raw_data files are now a symlink to the appropriate <i>policy/raw_data/</i> files.</li></ul></li><li>mkdir/rmdir fs based interface for creating namespaces<ul><li>mkdir <i>policy/namespaces/NAMESPACE</i></li><li>rmdir policy/namespaces/NAMESPACE</li></ul></li><li>revision file interface<ul><li>read current policy revision and select/poll for when policy changes via<ul><li> <i>revision</i> for reading the current task's policy namespace revision</li><li><i>policy/revision for the current namespace revision</li><li><i>policy/namespaces/NAMESPACE/revision</i> for a given namespace policy revision</li></ul></li></ul></li><li>query interface<ul><li>support multiple queries per query transaction</li><li>support querying if a profile supports a given mediation type</li></ul></li></ul></li><li>features set<ul><li>add namespace support to available feature set</li><li>add label data query availability to feature set</li></ul></li><li>Bug fixes and code cleanups</li></ul> | |
|
||||||
| 4.14 | <ul><li> mount mediation<sup>1</sup><ul><li>new mount</li><li>remount</li><li>bind mount</li><li>change type</li><li>umount</li><li>pivot_root</li></ul><li>signal mediation<sup>2</sup></li><li>policy unpack log extended error messages</li><li>Bug fixes and code cleanups</li></ul> | ```1``` AppArmor 2.8<br>```2``` AppArmor 2.9 |
|
| 4.14 | <ul><li> mount mediation<sup>1</sup><ul><li>new mount</li><li>remount</li><li>bind mount</li><li>change type</li><li>umount</li><li>pivot_root</li></ul><li>signal mediation<sup>2</sup></li><li>policy unpack log extended error messages</li><li>Bug fixes and code cleanups</li></ul> | ```1``` AppArmor 2.8<br>```2``` AppArmor 2.9 |
|
||||||
| 4.15 - 4.16 | Bug fixes and code cleanups| |
|
| 4.15 - 4.16 | Bug fixes and code cleanups| |
|
||||||
| 4.17 | <ul><li> v8 abi<sup>1</sup></li><li>generic socket mediation<sup>1</sup></li><li>improved profile attachment logic<ul><li>handle overlapping expression resolution up to 8 characters dynamic overlap in kernel<sup>2</sup></li><li>xattr attachment conditional<sup>1</sup></li><li>no_new_privs improved attachment with subset test based on confinement at time no_new_privs was entered<sup>3</sup></ul></li><li> signal mediation of profile stacks<sup>4</sup></li><li>Bug fixes and code cleanups</li></ul> | ```1``` AppArmor 3.0<br>```2``` Any userspace that supports attachment conditionasl 2.5+<br>```3``` no userspace requirements, reduces cases where nnp prevents a transition<br>```4```Same userspace as regular signal mediation AppArmor 2.9 |
|
| 4.17 | <ul><li> v8 abi<sup>1</sup></li><li>generic socket mediation (ie. basic network mediation)<sup>1</sup></li><li>improved profile attachment logic<ul><li>handle overlapping expression resolution up to 8 characters dynamic overlap in kernel<sup>2</sup></li><li>xattr attachment conditional<sup>1</sup></li><li>no_new_privs improved attachment with subset test based on confinement at time no_new_privs was entered<sup>3</sup></ul></li><li> signal mediation of profile stacks<sup>4</sup></li><li>Bug fixes and code cleanups</li></ul> | ```1``` AppArmor 3.0<br>```2``` Any userspace that supports attachment conditionasl 2.5+<br>```3``` no userspace requirements, reduces cases where nnp prevents a transition<br>```4```Same userspace as regular signal mediation AppArmor 2.9 |
|
||||||
| 4.18 | <ul><li>add support for secids and using secctxes</li><li>the ability to get a task's secid</li><li>add support for audit rules filtering. AppArmor task label can be used in audit rule filters</li><li>Bug fixes and code cleanups</li></ul> | No apparmor userspace requirements. |
|
| 4.18 | <ul><li>add support for secids and using secctxes</li><li>the ability to get a task's secid</li><li>add support for audit rules filtering. AppArmor task label can be used in audit rule filters</li><li>Bug fixes and code cleanups</li></ul> | No apparmor userspace requirements. |
|
||||||
| 4.19 | Bug fixes and code cleanups| |
|
| 4.19 | Bug fixes and code cleanups| |
|
||||||
| 4.20 | <ul><li>Secmark mediation for custom policy</li><li>Bug fixes and code cleanups</li></ul> |
|
| 4.20 | <ul><li>Secmark mediation for custom policy</li><li>Bug fixes and code cleanups</li></ul> |
|
||||||
|
|
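Review bot: In the 4.17 row, the added parenthetical "(ie. basic network mediation)" should read "i.e.", and it leaves open whether "basic network mediation" is the same feature as the v8 generic socket mediation or an older, coarser one; a short wording change such as "generic socket mediation (i.e. network mediation by socket family and type)" would settle that if it matches the kernel behaviour. Since this line is being edited anyway, the same row still has the footnote typo "conditionasl", a missing space after the footnote 4 marker, and a no_new_privs list item that is closed by its parent </ul> without its own </li>; fixing those here would avoid a second commit. The commit message "Update Kernel_Feature_Matrix" also does not say what was changed, so a one-line summary of the clarification would help anyone reading the history.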