Update Release_Notes_4.0 alpha4

Georgia Garcia 2024-05-03 17:53:53 +00:00
parent e10877d816
commit 72664da893

@ -1,328 +1,311 @@
WARNING this is an alpha - NOT released targeted to fall 2023
================================================
AppArmor 4.0-alpha4 was released 2024-02-02.
# Introduction
AppArmor 4.0 is a major new release of the AppArmor that is in development, these are not complete release notes of everything in alpha4 but just highlighting new or important developments
Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer AppArmor 4 style policy which introduces several new features that are not backwards compatible. As such AppArmor 4.0 will be a short lived release, and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release, please take this into account when including AppArmor 4.0 into a distro release. For questions around compatibility see the compatibility matrix.
# Note
* Some features will work with older kernels but many of the features in apparmor 4 with require a development kernel.
* The kernel portion of the project is maintained and pushed separately.
* AppArmor 4.0 contains all bug fixes and policy updates from apparmor 3.1
* Some new features will not be fully supported in some utilities. In these cases it was decided that releasing a new feature earlier had more benefit than delaying it for full utility support. Please see the feature support matrix.
# Highlighted new features in alpha 4
## New Profile Flag
- [kill.signal](profileflags)
- [interruptible](profileflags)
- [default_allow](profileflags)
## New Mediation Rules
## utils
* aa-status
- fix json output
- separate error messages from regular output
* apparmor development utilities (aa-logprof, ...)
- support all rule
- exec events in hats are no longer skipped
* aa-cleanprof
- fix to work with named profiles
## Policy
unprivileged_userns:
Special profile transitioned to by unconfined when creating an unprivileged user namespace.
* Improvements
- abstractions/audio
- abstractions/ubuntu-browsers.d/kde
- abstractions/nameservice
- abstractions/wutmp
- abstractions/snap_browsers
- firefox
* New policies for applications that use unprivileged user namespaces
- 1password
- Discord
- MongoDB_Compass
- QtWebEngineProcess
- brave
- buildah
- busybox
- cam
- ch-checkns
- ch-run
- chrome
- code
- crun
- firefox
- flatpak
- github-desktop
- ipa_verify
- lc-compliance
- libcamirify
- linux-sandbox
- lxc-attach
- lxc-create
- lxc-destroy
- lxc-execute
- lxc-stop
- lxc-unshare
- lxc-usernsexec
- mmdebstrap
- msedge
- obsidian
- opera
- plasmashell
- podman
- polypane
- qcam
- rootlesskit
- rpm
- runc
- sbuild
- sbuild-abort
- sbuild-adduser
- sbuild-apt
- sbuild-checkpackages
- sbuild-clean
- sbuild-createchroot
- sbuild-destroychroot
- sbuild-distupgrade
- sbuild-hold
- sbuild-shell
- sbuild-unhold
- sbuild-update
- sbuild-upgrade
- signal-desktop
- slack
- slirp4netns
- steam
- stress-ng
- surfshark
- systemd-coredump
- thunderbird
- toybox
- trinity
- tup
- userbindmount
- uwsgi-core
- vdens
- virtiofsd
- vivaldi-bin
- vpnns
- wpcom
## Feature Matrix
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|:---: |:---: |:---: |:---: |:---: |:---:|
|[unconfined flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|[debug flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|[promt flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|*[audit.mode flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| *[kill.signal flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| *[attach_disconnected.path flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [quiet audit prefix](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [rule priority qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes)| Y | Y <sup>1</sup> | N | N | N |
| [access rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [complain rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [prompt rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [ordered rule block](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | N |
| inherits rule | Y | Y <sup>1</sup> | N | N | N |
| [boolean rule ops](https://gitlab.com/apparmor/apparmor/-/wikis/rule-operations) | Y | Y <sup>1</sup> | N | N | N |
| * @{parent} variable | Y | N <sup>6</sup> | N | N | N |
| * @{attachment} variable | Y | Y <sup>1</sup> | N | N | N |
| *deny attachment | Y | Y <sup>1</sup> | N | N | N <sup>4</sup> |
| *all rule | Y | Y <sup>1</sup> | N | N | N |
| *policy overlay | N | Y <sup>3</sup> | n/a | Y | N |
| *config overlay | N | Y <sup>3</sup> | n/a | Y | N |
| posix mqueue | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| user ns | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| extended x index | N | Y <sup>5</sup> | Y | N | Y <sup>2</sup> |
| fixed x dominance | N<sup>9</sup> | N<sup>10</sup> | Y<sup>11</sup> | N | N |
| *rule extends abi | N | N <sup>7</sup> | N | N | N |
| rootless apparmor_parser | N | N | n/a | N | N |
| improved -O rule-merge | N | N | n/a | N | N |
| aa-status filters | N | N | n/a | N | N |
| aa-load | N | N | n/a | Y | N |
| [unconfined ns restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
| [unconfined change_profile stacking](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
| [unconfined io_uring restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
1. If present in policy will cause previous versions of AppArmor to fail
2. Requires kernel support, policy can be downgraded to work on kernels that do not support.
3. Previous versions of AppArmor may not fail but will not behave correctly
4. Feature can be functionally provided by may not be exactly the same
5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail
6. Will break older policy if variable is not defined. Variable can be manually defined in older parser.
7. AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
8. These features if enabled will change unconfined's behavior but can be disabled with either a grub kernel boot parameter or sysctl depending on the kernel.
9. Does not allow any new rules but allows overlapping exec rules that would have been previously rejected.
10. If overlapping rules not supported by 3.x are used policy will break on 3.x and older environments
11. Tools will work but may not deal with overlapping rules correctly in some cases
12.
in beta
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|:---: |:---: |:---: |:---: |:---: |:---:|
| *io_uring | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| *port level network | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
* io_uring needed for unprivilege unconfined constraint around io_uring
*
AppArmor 4.1 or later
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|:---: |:---: |:---: |:---: |:---: |:---:|
| multiple policy locations | N | Y <sup>3</sup> | n/a | Y | N |
| location specific configs | N | Y <sup>3</sup> | n/a | Y | N |
| user conditional | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| -O rule-refactor | N | N | n/a | N | N |
| kernel supports conditional | Y | Y <sup>1</sup> | N | N | N |
| abi supports conditional | Y | Y <sup>1</sup> | N | N | N |
| replace unconfined | N | Y | N | n/a | N |
## Compatibility
????
TODO: before release
- remove parser.conf pin
-
wip - not in this alpha, not guaranteed to land in 4.0
- kernel & userspace
- in policy stream conditionals
- ioctl
- user
- policy
- attachment
- user mediation
- owner=
- conditionals
- owner
- mac_override (for change_hat, hardlink, mv, bind mount)
- case insensite fs ???
- extended rule blocks
- ordered rule blocks
- bpf mediation
- ioctl mediation
- module mediation
- sysv mqueue
- io_uring
- revised af_unix
- fine grained ipv4/ipv6
- ns
- tracking
- pivot root var setting
- setns
- conditionals around what other namespaces being created
- profile flags
- prompt
- unconfined
- per profile audit control flags audit.mode=XXX
- debug
- kill.signal
- attach_disconnected.path
- extended perms
- dfa32
- still need accept2 cond command table
- userspace support for full width of bits and mappings
- kernel bit mapping of userspace so we can do merge
- reduce file table size by conditional on only accept states that are different
- raw text in policy
- compressed cache
- additional restrictions policy guard restrictions
- change_profile - stack if not policy admin, mac_override
- policy conditional to allow specifying in policy
- link - fail if not mac override
- policy conditional to allow specifying in policy
- rename - fail if not mac override
- policy conditional to allow specifying in policy
- bind - fail if not mac override
- policy conditional to allow specifying in policy
- unconfined
- additional restrictions around link, change_profile, rename, bind
- replace unconfined
- kernel
- per ns control of unmediated
- force mediation on unmediated
- force mediation on complain
- deal with stacked attachment lookup
- optimize stacking name lookup to
- single buffer alloc
- single name lookup
- audit caching
- complain
- improved complain learning
- ioctl interface
- message dedup
- merge file and policy db dfa
- dedup, file and policy code paths
- improve shared code callback
- refcount policydb
- shared dfa, and policydb
- rewrite apparmorfs
- dynamic
- ima support
- userspace
- new access modes
- complain, prompt, access
- new audit prefix
- quiet
- in_policy_abi()
- warn when rule in use but not in policy abi
- turn on/ignore/...
- mount
- per fs mount option matching. ??? does kernel need anything more???
- allow all
- aa_load
- drop root check
- userspace binary dfa
- policy debug
- improved rule prefixes
- allow all
- policy overlays
- extended xindex (part of extended perms)
- boolean ops
- policy hash
- kernel supports conditionals
- improved policy conditionals
- dominance fix
- fs specific mount option matching
- expr simplify optimizations
- policy
- new abi
- remove unconfined from policy
-
-
# WARNING this is an alpha - NOT released targeted to fall 2023
AppArmor 4.0-alpha4 was released 2024-02-02.
# Introduction
AppArmor 4.0 is a major new release of the AppArmor that is in development, these are not complete release notes of everything in alpha4 but just highlighting new or important developments
Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer AppArmor 4 style policy which introduces several new features that are not backwards compatible. As such AppArmor 4.0 will be a short lived release, and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release, please take this into account when including AppArmor 4.0 into a distro release. For questions around compatibility see the compatibility matrix.
These release notes cover changes between `AppArmor-4.0~alpha3 and AppArmor-4.0~alpha4`
# Note
* Some features will work with older kernels but many of the features in apparmor 4 with require a development kernel.
* The kernel portion of the project is maintained and pushed separately.
* AppArmor 4.0 contains all bug fixes and policy updates from apparmor 3.1
* Some new features will not be fully supported in some utilities. In these cases it was decided that releasing a new feature earlier had more benefit than delaying it for full utility support. Please see the feature support matrix.
# Highlighted new features in alpha 4
## New Profile Flag
- [kill.signal](profileflags)
- [interruptible](profileflags)
- [default_allow](profileflags)
## New Mediation Rules
## utils
* aa-status
- fix json output
- separate error messages from regular output
* apparmor development utilities (aa-logprof, ...)
- support all rule
- exec events in hats are no longer skipped
* aa-cleanprof
- fix to work with named profiles
## Policy
unprivileged_userns: Special profile transitioned to by unconfined when creating an unprivileged user namespace.
* Improvements
- abstractions/audio
- abstractions/ubuntu-browsers.d/kde
- abstractions/nameservice
- abstractions/wutmp
- abstractions/snap_browsers
- firefox
* New policies for applications that use unprivileged user namespaces
- 1password
- Discord
- MongoDB_Compass
- QtWebEngineProcess
- brave
- buildah
- busybox
- cam
- ch-checkns
- ch-run
- chrome
- code
- crun
- firefox
- flatpak
- github-desktop
- ipa_verify
- lc-compliance
- libcamirify
- linux-sandbox
- lxc-attach
- lxc-create
- lxc-destroy
- lxc-execute
- lxc-stop
- lxc-unshare
- lxc-usernsexec
- mmdebstrap
- msedge
- obsidian
- opera
- plasmashell
- podman
- polypane
- qcam
- rootlesskit
- rpm
- runc
- sbuild
- sbuild-abort
- sbuild-adduser
- sbuild-apt
- sbuild-checkpackages
- sbuild-clean
- sbuild-createchroot
- sbuild-destroychroot
- sbuild-distupgrade
- sbuild-hold
- sbuild-shell
- sbuild-unhold
- sbuild-update
- sbuild-upgrade
- signal-desktop
- slack
- slirp4netns
- steam
- stress-ng
- surfshark
- systemd-coredump
- thunderbird
- toybox
- trinity
- tup
- userbindmount
- uwsgi-core
- vdens
- virtiofsd
- vivaldi-bin
- vpnns
- wpcom
## Feature Matrix
| Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
|:-------:|:----------------:|:----------:|:------------------:|:------------------------:|:-----------------------:|
| [unconfined flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [debug flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [promt flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| \*[audit.mode flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| \*[kill.signal flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| \*[attach_disconnected.path flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [quiet audit prefix](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [rule priority qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | N |
| [access rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [complain rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [prompt rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [ordered rule block](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | N |
| inherits rule | Y | Y <sup>1</sup> | N | N | N |
| [boolean rule ops](https://gitlab.com/apparmor/apparmor/-/wikis/rule-operations) | Y | Y <sup>1</sup> | N | N | N |
| \* @{parent} variable | Y | N <sup>6</sup> | N | N | N |
| \* @{attachment} variable | Y | Y <sup>1</sup> | N | N | N |
| \*deny attachment | Y | Y <sup>1</sup> | N | N | N <sup>4</sup> |
| \*all rule | Y | Y <sup>1</sup> | N | N | N |
| \*policy overlay | N | Y <sup>3</sup> | n/a | Y | N |
| \*config overlay | N | Y <sup>3</sup> | n/a | Y | N |
| posix mqueue | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| user ns | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| extended x index | N | Y <sup>5</sup> | Y | N | Y <sup>2</sup> |
| fixed x dominance | N<sup>9</sup> | N<sup>10</sup> | Y<sup>11</sup> | N | N |
| \*rule extends abi | N | N <sup>7</sup> | N | N | N |
| rootless apparmor_parser | N | N | n/a | N | N |
| improved -O rule-merge | N | N | n/a | N | N |
| aa-status filters | N | N | n/a | N | N |
| aa-load | N | N | n/a | Y | N |
| [unconfined ns restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
| [unconfined change_profile stacking](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
| [unconfined io_uring restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
1. If present in policy will cause previous versions of AppArmor to fail
2. Requires kernel support, policy can be downgraded to work on kernels that do not support.
3. Previous versions of AppArmor may not fail but will not behave correctly
4. Feature can be functionally provided by may not be exactly the same
5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail
6. Will break older policy if variable is not defined. Variable can be manually defined in older parser.
7. AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
8. These features if enabled will change unconfined's behavior but can be disabled with either a grub kernel boot parameter or sysctl depending on the kernel.
9. Does not allow any new rules but allows overlapping exec rules that would have been previously rejected.
10. If overlapping rules not supported by 3.x are used policy will break on 3.x and older environments
11. Tools will work but may not deal with overlapping rules correctly in some cases
12.
in beta
| Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
|:-------:|:----------------:|:----------:|:------------------:|:------------------------:|:-----------------------:|
| \*io_uring | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| \*port level network | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
* io_uring needed for unprivilege unconfined constraint around io_uring
*
AppArmor 4.1 or later
| Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
|:-------:|:----------------:|:----------:|:------------------:|:------------------------:|:-----------------------:|
| multiple policy locations | N | Y <sup>3</sup> | n/a | Y | N |
| location specific configs | N | Y <sup>3</sup> | n/a | Y | N |
| user conditional | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| \-O rule-refactor | N | N | n/a | N | N |
| kernel supports conditional | Y | Y <sup>1</sup> | N | N | N |
| abi supports conditional | Y | Y <sup>1</sup> | N | N | N |
| replace unconfined | N | Y | N | n/a | N |
## Compatibility
????
TODO: before release
- remove parser.conf pin
-
wip - not in this alpha, not guaranteed to land in 4.0
- kernel & userspace
- in policy stream conditionals
- ioctl
- user
- policy
- attachment
- user mediation
- owner=
- conditionals
- owner
- mac_override (for change_hat, hardlink, mv, bind mount)
- case insensite fs ???
- extended rule blocks
- ordered rule blocks
- bpf mediation
- ioctl mediation
- module mediation
- sysv mqueue
- io_uring
- revised af_unix
- fine grained ipv4/ipv6
- ns
- tracking
- pivot root var setting
- setns
- conditionals around what other namespaces being created
- profile flags
- prompt
- unconfined
- per profile audit control flags audit.mode=XXX
- debug
- kill.signal
- attach_disconnected.path
- extended perms
- dfa32
- still need accept2 cond command table
- userspace support for full width of bits and mappings
- kernel bit mapping of userspace so we can do merge
- reduce file table size by conditional on only accept states that are different
- raw text in policy
- compressed cache
- additional restrictions policy guard restrictions
- change_profile - stack if not policy admin, mac_override
- policy conditional to allow specifying in policy
- link - fail if not mac override
- policy conditional to allow specifying in policy
- rename - fail if not mac override
- policy conditional to allow specifying in policy
- bind - fail if not mac override
- policy conditional to allow specifying in policy
- unconfined
- additional restrictions around link, change_profile, rename, bind
- replace unconfined
- kernel
- per ns control of unmediated
- force mediation on unmediated
- force mediation on complain
- deal with stacked attachment lookup
- optimize stacking name lookup to
- single buffer alloc
- single name lookup
- audit caching
- complain
- improved complain learning
- ioctl interface
- message dedup
- merge file and policy db dfa
- dedup, file and policy code paths
- improve shared code callback
- refcount policydb
- shared dfa, and policydb
- rewrite apparmorfs
- dynamic
- ima support
- userspace
- new access modes
- complain, prompt, access
- new audit prefix
- quiet
- in_policy_abi()
- warn when rule in use but not in policy abi
- turn on/ignore/...
- mount
- per fs mount option matching. ??? does kernel need anything more???
- allow all
- aa_load
- drop root check
- userspace binary dfa
- policy debug
- improved rule prefixes
- allow all
- policy overlays
- extended xindex (part of extended perms)
- boolean ops
- policy hash
- kernel supports conditionals
- improved policy conditionals
- dominance fix
- fs specific mount option matching
- expr simplify optimizations
- policy
- new abi
- remove unconfined from policy
-
-
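Review bot: the rewritten page still opens with "# WARNING this is an alpha - NOT released targeted to fall 2023" immediately above "AppArmor 4.0-alpha4 was released 2024-02-02.", so the heading contradicts the line beneath it; since this change already touches the top of the page, either drop the "NOT released" wording or restate the warning as something like "alpha - not a supported release" and remove the stale fall 2023 target. The same pass should pick up the spelling errors carried over unchanged from the old text: "Apprmor 4.0", "many of the features in apparmor 4 with require", "promt flag", "unprivilege unconfined constraint", and "case insensite fs". Several placeholders also survive into the new version: the "## New Mediation Rules" heading has no entries under it, footnote "12." is empty, and "## Compatibility" still reads "????" even though the Introduction sends readers to it ("For questions around compatibility see the compatibility matrix"); if the compatibility section is not ready, point the Introduction at the Feature Matrix instead so the link does not dead-end. Finally, the leading asterisk that this change escapes as "\*" on rows such as "\*audit.mode flag" and "\*io_uring" is never explained in the footnotes; add a one-line legend for it, or remove the marker if it no longer means anything.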