Update Release_Notes_4.1 beta4

2025-03-04 08:24:42 +01:00 · 2025-02-12 05:35:38 +00:00 · 2025-02-12 05:35:38 +00:00 · 976dcbad9a
commit 976dcbad9a
parent e38e0ec002
1 changed files with 216 additions and 1 deletions
--- a/Release_Notes_4.1-beta4.md
+++ b/Release_Notes_4.1-beta4.md
@ -1 +1,216 @@
-wip
+WARNING this is a beta - NOT a final release
+================================================
+
+AppArmor 4.1~beta4 was released on 2025-02-11.
+
+# Introduction
+
+AppArmor 4.1 is a major new release of the AppArmor that is in development.
+
+Apprmor 4.1 is a long term stable (5 years of support) release for the AppArmor 4.x policy which introduces several new features that are not backwards compatible.
+
+These release notes cover changes between ```AppArmor-4.1~beta1 and AppArmor-4.1~beta4``` (Note: includes notes for Beta2 and Beta3 which was dropped due to technical issues).
+
+# Notes
+
+This Release contains bug fixes to AppArmor 4.1 beta1, beta2, beta3.
+
+## Known issues
+
+* profile: unshare has a known issue around profile transitions
+* utils do not handle priorities in rules
+* utils do not handle leading permissions
+* utils crash if they can't parse all files in the profile directory
+* mount rules
+  * control of disconnect mounts is missing
+  * handling of conflicting mount options is not backwards compatible
+
+## Misc
+
+- apparmor.vim
+  - add missing units for rlimit cpu and rttime ([MR:1336](https://gitlab.com/apparmor/apparmor/-/merge_requests/1336))
+- aa-remove-unknown
+  - fix readability check ([MR:1438](https://gitlab.com/apparmor/apparmor/-/merge_requests/1438), [HUBMR:285915](https://github.com/NixOS/nixpkgs/pull/285915), [HUB:273164](https://github.com/NixOS/nixpkgs/issues/273164))
+- aa-status
+  - fix json generation ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470))
+- replace uses of `which` for `command -v` for POSIX compatibility and to fix running the test suite on openSUSE Tumbleweed ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
+- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
+
+
+# Bug Fixes
+
+- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306))
+- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309))
+- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307))
+- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427))
+- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429))
+- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430))
+- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435))
+- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436))
+- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
+- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
+- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399))
+- fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407))
+- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
+- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462))
+- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
+- fix equality tests for priority ([MR:1455](https://gitlab.com/apparmor/apparmor/-/merge_requests/1455))
+- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
+- fix json generation on aa-status ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470))
+- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
+
+## Libraries
+- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
+- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309))
+- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435))
+
+## policy compiler (aka apparmor_parser)
+
+- add port range support on network policy ([MR:1321](https://gitlab.com/apparmor/apparmor/-/merge_requests/1321))
+- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462))
+- improve profile build and dump info
+  - add the abilitiy to dump the permissions table ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
+  - add the accept2 table entry to the chfa dump ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
+  - fix and cleanup libapparmor_re/Makefile ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410))
+- restore MatchFlag dump from being hex encoded to decimal ([MR:1419](https://gitlab.com/apparmor/apparmor/-/merge_requests/1419))
+- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
+- replace uses of MS_SYNC by MS_SYNCHRONOUS in mount flags ([MR:1458](https://gitlab.com/apparmor/apparmor/-/merge_requests/1458))
+- add separator between mount flags in dump_flags ([MR:1465](https://gitlab.com/apparmor/apparmor/-/merge_requests/1465))
+- allow make-* flags with remount operations ([MR:1466](https://gitlab.com/apparmor/apparmor/-/merge_requests/1466), [LP:2091424](https://bugs.launchpad.net/bugs/2091424))
+- convert uint to unsigned int ([MR:1478](https://gitlab.com/apparmor/apparmor/-/merge_requests/1478))
+- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307))
+- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
+- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
+- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399))
+- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
+
+
+
+## Utils
+
+- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306))
+- improve UX when allowing rules in aa-notify and update the man page ([MR:1313](https://gitlab.com/apparmor/apparmor/-/merge_requests/1313))
+- store the child profile/hat name if we are in a child profile or hat instead of the main profile ([MR:1359](https://gitlab.com/apparmor/apparmor/-/merge_requests/1359))
+- aa-mergeprof: prevent backtrace if file not found ([MR:1403](https://gitlab.com/apparmor/apparmor/-/merge_requests/1403))
+- Remove match statements in utils for older Python compatibility ([MR:1440](https://gitlab.com/apparmor/apparmor/-/merge_requests/1440))
+- fixes/workarounds for python 3.13 missing cgitb ([MR:1439](https://gitlab.com/apparmor/apparmor/-/merge_requests/1439), [AABUG:447](https://gitlab.com/apparmor/apparmor/-/issues/447))
+- fix E502 error on Python 3.11 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431))
+- limit buildpath.py setuptools version check to the relevant bits ([MR:1460](https://gitlab.com/apparmor/apparmor/-/merge_requests/1460))
+- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427))
+- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429))
+- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430))
+- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436))
+
+
+## Policy
+
+#### abstractions
+
+- dconf
+  - use @{etc_ro} instead of `/etc/... r,` ([MR:1402](https://gitlab.com/apparmor/apparmor/-/merge_requests/1402))
+  - allow write access to /run/user/*/dconf/user ([MR:1471](https://gitlab.com/apparmor/apparmor/-/merge_requests/1471))
+- mesa
+  - allow ~/.cache/mesa_shader_cache_db/ ([MR:1333](https://gitlab.com/apparmor/apparmor/-/merge_requests/1333), [LP:2081692](https://bugs.launchpad.net/bugs/2081692))
+- nameservice
+  * support name resolution via libnss-libvirt ([MR:1362](https://gitlab.com/apparmor/apparmor/-/merge_requests/1362))
+  * include abstractions/nameservice-strict ([MR:1373](https://gitlab.com/apparmor/apparmor/-/merge_requests/1373))
+  * tighten libnss_libvirt file access ([MR:1379](https://gitlab.com/apparmor/apparmor/-/merge_requests/1379))
+- nameservice-strict
+  - add more strict version of abstractions/nameservice
+- php
+  - add support for ArchLinux php-legacy package to php-fpm ([MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454))
+- python
+  - allow python cache under @{HOME}/.cache/ ([MR:1467](https://gitlab.com/apparmor/apparmor/-/merge_requests/1467))
+
+#### profiles
+- php-fpm: 
+  * confine php-fpm in both /usr/bin and /usr/sbin ([MR:1301](https://gitlab.com/apparmor/apparmor/-/merge_requests/1301), [AABUG:421](https://gitlab.com/apparmor/apparmor/-/issues/421))
+  - add support for ArchLinux php-legacy package to php-fpm ([MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454))
+  - widen allowed socket paths ([MR:1406](https://gitlab.com/apparmor/apparmor/-/merge_requests/1406), [LP:2061113](https://bugs.launchpad.net/bugs/2061113))
+  * add support for ArchLinux php-legacy package (    [MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454), [LP:2061113](https://bugs.launchpad.net/bugs/2061113))
+- ping
+  - allow reading /proc/sys/net/ipv6/conf/all/disable_ipv6 ([MR:1340](https://gitlab.com/apparmor/apparmor/-/merge_requests/1340), [debug1082190](https://bugs.debian.org/1082190))
+- Postfix
+  - Support /usr/libexec/postfix/ path ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
+    * postfix-anvil
+    * postfix-bounce
+    * postfix-cleanup
+    * postfix-discard
+    * postfix-dnsblog
+    * postfix-error
+    * postfix-flush
+    * postfix-lmtp
+    * postfix-local
+    * postfix-master
+    * postfix-nqmgr
+    * postfix-oqmgr
+    * postfix-pickup
+    * postfix-pipe
+    * postfix-postscreen
+    * postfix-proxymap
+    * postfix-qmgr
+    * postfix-qmqpd
+    * postfix-scache
+    * postfix-showq
+    * postfix-smtp
+    * postfix-smtpd
+    * postfix-spawn
+    * postfix-tlsmgr
+    * postfix-trivial-rewrite
+    * postfix-verify
+    * postfix-virtual
+    * usr.sbin.postqueue
+    * usr.sbin.sendmail
+    * usr.sbin.sendmail.postfix
+- postfix-master
+  - add exec perm for postfix-tlsproxy and postscreen ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
+- postfix-postscreen
+  - add abstractions/{nameservice,postfix-common} and cache map ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
+- postfix-showq
+  - Allow reading queue ID files from /var/spool/postfix/hold/ ([MR:1454](https://gitlab.com/apparmor/apparmor/-/merge_requests/1454))
+- postfix-smtpd
+  - add permissions to rwk /{var/spool/postfix/,}pid/pass.smtpd ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
+  - allow locking for /var/spool/postfix/pid/unix.relay ([MR:1459](https://gitlab.com/apparmor/apparmor/-/merge_requests/1459))
+- postfix-tlsproxy
+  - add new profile ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
+- slirp4netns: allow pivot_root ([MR:1298](https://gitlab.com/apparmor/apparmor/-/merge_requests/1298), [HUB:348](https://github.com/rootless-containers/slirp4netns/issues/348))
+- transmission
+  - add attach_disconnected flag ([MR:1355](https://gitlab.com/apparmor/apparmor/-/merge_requests/1355), [LP:2083548](https://bugs.launchpad.net/bugs/2083548))
+- smbd:
+  - allow capability chown ([MR:1456](https://gitlab.com/apparmor/apparmor/-/merge_requests/1456), [BOS:1234327](https://bugzilla.suse.com/show_bug.cgi?id=1234327))
+- zgrep
+  - deny reading /etc/nsswitch.conf and /etc/passwd ([MR:1361](https://gitlab.com/apparmor/apparmor/-/merge_requests/1361))
+- dovecot:
+  - allow reading /proc/sys/kernel/core_pattern ([MR:1331](https://gitlab.com/apparmor/apparmor/-/merge_requests/1331))
+- bwrap:
+  - update the bwrap profile so that it will attach to application profiles if present ([MR:1435](https://gitlab.com/apparmor/apparmor/-/merge_requests/1435))
+- transmission-gtk:
+  - add attach_disconnected flag ([MR:1395](https://gitlab.com/apparmor/apparmor/-/merge_requests/1395), [LP:2085377](https://bugs.launchpad.net/bugs/2085377))
+- cupsd:
+  - allow /etc/paperspecs read access ([MR:1472](https://gitlab.com/apparmor/apparmor/-/merge_requests/1472))
+  - convert profile to use @etc_ro/rw ([MR:1472](https://gitlab.com/apparmor/apparmor/-/merge_requests/1472))
+
+## Tests
+
+- Regression:
+  - fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407))
+  - resolve some compiler warnings ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407))
+  - fix regression tests when parent directory contains spaces ([MR:1418](https://gitlab.com/apparmor/apparmor/-/merge_requests/1418), [MR:1424](https://gitlab.com/apparmor/apparmor/-/merge_requests/1424))
+  - fix incorrect setfattr call in xattrs_profile ([MR:1429](https://gitlab.com/apparmor/apparmor/-/merge_requests/1429))
+  - add complain mode regression tests ([MR:1415](https://gitlab.com/apparmor/apparmor/-/merge_requests/1415))
+  - check if setfattr exists to run xattr_profile tests ([MR:1412](https://gitlab.com/apparmor/apparmor/-/merge_requests/1412))
+  - fix mult_mount and file_unbindable_mount tests by using a larger loop device ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431), [MR:1469](https://gitlab.com/apparmor/apparmor/-/merge_requests/1469))
+  - add DAC permissions check to the test suite ([MR:1411](https://gitlab.com/apparmor/apparmor/-/merge_requests/1411))
+  - fix swap regression tests on zfs and btrfs ([MR:1462](https://gitlab.com/apparmor/apparmor/-/merge_requests/1462), [MR:1463](https://gitlab.com/apparmor/apparmor/-/merge_requests/1463), [MR:1464](https://gitlab.com/apparmor/apparmor/-/merge_requests/1464))
+  - fix test infrastructure when a wrapper is specified ([MR:1450](https://gitlab.com/apparmor/apparmor/-/merge_requests/1450))
+  - add test mediation for file access in unbindable mounts ([MR:1448](https://gitlab.com/apparmor/apparmor/-/merge_requests/1448))
+- test-logprof
+  - Increase test timeout ([MR:1417](https://gitlab.com/apparmor/apparmor/-/merge_requests/1417), [AABUG:463](https://gitlab.com/apparmor/apparmor/-/issues/463))
+- spread
+  - add support for spread tests ([MR:1432](https://gitlab.com/apparmor/apparmor/-/merge_requests/1432))
+  - add support for local kernel ([MR:1452](https://gitlab.com/apparmor/apparmor/-/merge_requests/1452))
+  - add regression tests for snapd mount-control ([MR:1445](https://gitlab.com/apparmor/apparmor/-/merge_requests/1445))
+- equality
+  - fix equality tests for priority ([MR:1455](https://gitlab.com/apparmor/apparmor/-/merge_requests/1455))
+  - add explicit test for parser priority-based carveouts ([MR:1443](https://gitlab.com/apparmor/apparmor/-/merge_requests/1443))
+