From 976dcbad9a825eabf7f85852da53094406c1c7ac Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 12 Feb 2025 05:35:38 +0000 Subject: [PATCH] Update Release_Notes_4.1 beta4 --- Release_Notes_4.1-beta4.md | 217 ++++++++++++++++++++++++++++++++++++- 1 file changed, 216 insertions(+), 1 deletion(-) diff --git a/Release_Notes_4.1-beta4.md b/Release_Notes_4.1-beta4.md index 6f57b56..babf06a 100644 --- a/Release_Notes_4.1-beta4.md +++ b/Release_Notes_4.1-beta4.md @@ -1 +1,216 @@ -wip +WARNING this is a beta - NOT a final release +================================================ + +AppArmor 4.1~beta4 was released on 2025-02-11. + +# Introduction + +AppArmor 4.1 is a major new release of the AppArmor that is in development. + +Apprmor 4.1 is a long term stable (5 years of support) release for the AppArmor 4.x policy which introduces several new features that are not backwards compatible. + +These release notes cover changes between ```AppArmor-4.1~beta1 and AppArmor-4.1~beta4``` (Note: includes notes for Beta2 and Beta3 which was dropped due to technical issues). + +# Notes + +This Release contains bug fixes to AppArmor 4.1 beta1, beta2, beta3. + +## Known issues + +* profile: unshare has a known issue around profile transitions +* utils do not handle priorities in rules +* utils do not handle leading permissions +* utils crash if they can't parse all files in the profile directory +* mount rules + * control of disconnect mounts is missing + * handling of conflicting mount options is not backwards compatible + +## Misc + +- apparmor.vim + - add missing units for rlimit cpu and rttime ([MR:1336](https://gitlab.com/apparmor/apparmor/-/merge_requests/1336)) +- aa-remove-unknown + - fix readability check ([MR:1438](https://gitlab.com/apparmor/apparmor/-/merge_requests/1438), [HUBMR:285915](https://github.com/NixOS/nixpkgs/pull/285915), [HUB:273164](https://github.com/NixOS/nixpkgs/issues/273164)) +- aa-status + - fix json generation ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470)) +- replace uses of `which` for `command -v` for POSIX compatibility and to fix running the test suite on openSUSE Tumbleweed ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) +- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) + + +# Bug Fixes + +- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306)) +- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309)) +- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307)) +- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427)) +- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429)) +- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430)) +- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435)) +- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436)) +- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452)) +- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452)) +- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399)) +- fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407)) +- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461)) +- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462)) +- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461)) +- fix equality tests for priority ([MR:1455](https://gitlab.com/apparmor/apparmor/-/merge_requests/1455)) +- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) +- fix json generation on aa-status ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470)) +- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) + +## Libraries +- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461)) +- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309)) +- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435)) + +## policy compiler (aka apparmor_parser) + +- add port range support on network policy ([MR:1321](https://gitlab.com/apparmor/apparmor/-/merge_requests/1321)) +- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462)) +- improve profile build and dump info + - add the abilitiy to dump the permissions table ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410)) + - add the accept2 table entry to the chfa dump ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410)) + - fix and cleanup libapparmor_re/Makefile ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410)) +- restore MatchFlag dump from being hex encoded to decimal ([MR:1419](https://gitlab.com/apparmor/apparmor/-/merge_requests/1419)) +- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) +- replace uses of MS_SYNC by MS_SYNCHRONOUS in mount flags ([MR:1458](https://gitlab.com/apparmor/apparmor/-/merge_requests/1458)) +- add separator between mount flags in dump_flags ([MR:1465](https://gitlab.com/apparmor/apparmor/-/merge_requests/1465)) +- allow make-* flags with remount operations ([MR:1466](https://gitlab.com/apparmor/apparmor/-/merge_requests/1466), [LP:2091424](https://bugs.launchpad.net/bugs/2091424)) +- convert uint to unsigned int ([MR:1478](https://gitlab.com/apparmor/apparmor/-/merge_requests/1478)) +- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307)) +- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452)) +- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452)) +- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399)) +- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461)) + + + +## Utils + +- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306)) +- improve UX when allowing rules in aa-notify and update the man page ([MR:1313](https://gitlab.com/apparmor/apparmor/-/merge_requests/1313)) +- store the child profile/hat name if we are in a child profile or hat instead of the main profile ([MR:1359](https://gitlab.com/apparmor/apparmor/-/merge_requests/1359)) +- aa-mergeprof: prevent backtrace if file not found ([MR:1403](https://gitlab.com/apparmor/apparmor/-/merge_requests/1403)) +- Remove match statements in utils for older Python compatibility ([MR:1440](https://gitlab.com/apparmor/apparmor/-/merge_requests/1440)) +- fixes/workarounds for python 3.13 missing cgitb ([MR:1439](https://gitlab.com/apparmor/apparmor/-/merge_requests/1439), [AABUG:447](https://gitlab.com/apparmor/apparmor/-/issues/447)) +- fix E502 error on Python 3.11 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) +- limit buildpath.py setuptools version check to the relevant bits ([MR:1460](https://gitlab.com/apparmor/apparmor/-/merge_requests/1460)) +- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427)) +- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429)) +- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430)) +- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436)) + + +## Policy + +#### abstractions + +- dconf + - use @{etc_ro} instead of `/etc/... r,` ([MR:1402](https://gitlab.com/apparmor/apparmor/-/merge_requests/1402)) + - allow write access to /run/user/*/dconf/user ([MR:1471](https://gitlab.com/apparmor/apparmor/-/merge_requests/1471)) +- mesa + - allow ~/.cache/mesa_shader_cache_db/ ([MR:1333](https://gitlab.com/apparmor/apparmor/-/merge_requests/1333), [LP:2081692](https://bugs.launchpad.net/bugs/2081692)) +- nameservice + * support name resolution via libnss-libvirt ([MR:1362](https://gitlab.com/apparmor/apparmor/-/merge_requests/1362)) + * include abstractions/nameservice-strict ([MR:1373](https://gitlab.com/apparmor/apparmor/-/merge_requests/1373)) + * tighten libnss_libvirt file access ([MR:1379](https://gitlab.com/apparmor/apparmor/-/merge_requests/1379)) +- nameservice-strict + - add more strict version of abstractions/nameservice +- php + - add support for ArchLinux php-legacy package to php-fpm ([MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454)) +- python + - allow python cache under @{HOME}/.cache/ ([MR:1467](https://gitlab.com/apparmor/apparmor/-/merge_requests/1467)) + +#### profiles +- php-fpm: + * confine php-fpm in both /usr/bin and /usr/sbin ([MR:1301](https://gitlab.com/apparmor/apparmor/-/merge_requests/1301), [AABUG:421](https://gitlab.com/apparmor/apparmor/-/issues/421)) + - add support for ArchLinux php-legacy package to php-fpm ([MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454)) + - widen allowed socket paths ([MR:1406](https://gitlab.com/apparmor/apparmor/-/merge_requests/1406), [LP:2061113](https://bugs.launchpad.net/bugs/2061113)) + * add support for ArchLinux php-legacy package ( [MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454), [LP:2061113](https://bugs.launchpad.net/bugs/2061113)) +- ping + - allow reading /proc/sys/net/ipv6/conf/all/disable_ipv6 ([MR:1340](https://gitlab.com/apparmor/apparmor/-/merge_requests/1340), [debug1082190](https://bugs.debian.org/1082190)) +- Postfix + - Support /usr/libexec/postfix/ path ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330)) + * postfix-anvil + * postfix-bounce + * postfix-cleanup + * postfix-discard + * postfix-dnsblog + * postfix-error + * postfix-flush + * postfix-lmtp + * postfix-local + * postfix-master + * postfix-nqmgr + * postfix-oqmgr + * postfix-pickup + * postfix-pipe + * postfix-postscreen + * postfix-proxymap + * postfix-qmgr + * postfix-qmqpd + * postfix-scache + * postfix-showq + * postfix-smtp + * postfix-smtpd + * postfix-spawn + * postfix-tlsmgr + * postfix-trivial-rewrite + * postfix-verify + * postfix-virtual + * usr.sbin.postqueue + * usr.sbin.sendmail + * usr.sbin.sendmail.postfix +- postfix-master + - add exec perm for postfix-tlsproxy and postscreen ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330)) +- postfix-postscreen + - add abstractions/{nameservice,postfix-common} and cache map ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330)) +- postfix-showq + - Allow reading queue ID files from /var/spool/postfix/hold/ ([MR:1454](https://gitlab.com/apparmor/apparmor/-/merge_requests/1454)) +- postfix-smtpd + - add permissions to rwk /{var/spool/postfix/,}pid/pass.smtpd ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330)) + - allow locking for /var/spool/postfix/pid/unix.relay ([MR:1459](https://gitlab.com/apparmor/apparmor/-/merge_requests/1459)) +- postfix-tlsproxy + - add new profile ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330)) +- slirp4netns: allow pivot_root ([MR:1298](https://gitlab.com/apparmor/apparmor/-/merge_requests/1298), [HUB:348](https://github.com/rootless-containers/slirp4netns/issues/348)) +- transmission + - add attach_disconnected flag ([MR:1355](https://gitlab.com/apparmor/apparmor/-/merge_requests/1355), [LP:2083548](https://bugs.launchpad.net/bugs/2083548)) +- smbd: + - allow capability chown ([MR:1456](https://gitlab.com/apparmor/apparmor/-/merge_requests/1456), [BOS:1234327](https://bugzilla.suse.com/show_bug.cgi?id=1234327)) +- zgrep + - deny reading /etc/nsswitch.conf and /etc/passwd ([MR:1361](https://gitlab.com/apparmor/apparmor/-/merge_requests/1361)) +- dovecot: + - allow reading /proc/sys/kernel/core_pattern ([MR:1331](https://gitlab.com/apparmor/apparmor/-/merge_requests/1331)) +- bwrap: + - update the bwrap profile so that it will attach to application profiles if present ([MR:1435](https://gitlab.com/apparmor/apparmor/-/merge_requests/1435)) +- transmission-gtk: + - add attach_disconnected flag ([MR:1395](https://gitlab.com/apparmor/apparmor/-/merge_requests/1395), [LP:2085377](https://bugs.launchpad.net/bugs/2085377)) +- cupsd: + - allow /etc/paperspecs read access ([MR:1472](https://gitlab.com/apparmor/apparmor/-/merge_requests/1472)) + - convert profile to use @etc_ro/rw ([MR:1472](https://gitlab.com/apparmor/apparmor/-/merge_requests/1472)) + +## Tests + +- Regression: + - fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407)) + - resolve some compiler warnings ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407)) + - fix regression tests when parent directory contains spaces ([MR:1418](https://gitlab.com/apparmor/apparmor/-/merge_requests/1418), [MR:1424](https://gitlab.com/apparmor/apparmor/-/merge_requests/1424)) + - fix incorrect setfattr call in xattrs_profile ([MR:1429](https://gitlab.com/apparmor/apparmor/-/merge_requests/1429)) + - add complain mode regression tests ([MR:1415](https://gitlab.com/apparmor/apparmor/-/merge_requests/1415)) + - check if setfattr exists to run xattr_profile tests ([MR:1412](https://gitlab.com/apparmor/apparmor/-/merge_requests/1412)) + - fix mult_mount and file_unbindable_mount tests by using a larger loop device ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431), [MR:1469](https://gitlab.com/apparmor/apparmor/-/merge_requests/1469)) + - add DAC permissions check to the test suite ([MR:1411](https://gitlab.com/apparmor/apparmor/-/merge_requests/1411)) + - fix swap regression tests on zfs and btrfs ([MR:1462](https://gitlab.com/apparmor/apparmor/-/merge_requests/1462), [MR:1463](https://gitlab.com/apparmor/apparmor/-/merge_requests/1463), [MR:1464](https://gitlab.com/apparmor/apparmor/-/merge_requests/1464)) + - fix test infrastructure when a wrapper is specified ([MR:1450](https://gitlab.com/apparmor/apparmor/-/merge_requests/1450)) + - add test mediation for file access in unbindable mounts ([MR:1448](https://gitlab.com/apparmor/apparmor/-/merge_requests/1448)) +- test-logprof + - Increase test timeout ([MR:1417](https://gitlab.com/apparmor/apparmor/-/merge_requests/1417), [AABUG:463](https://gitlab.com/apparmor/apparmor/-/issues/463)) +- spread + - add support for spread tests ([MR:1432](https://gitlab.com/apparmor/apparmor/-/merge_requests/1432)) + - add support for local kernel ([MR:1452](https://gitlab.com/apparmor/apparmor/-/merge_requests/1452)) + - add regression tests for snapd mount-control ([MR:1445](https://gitlab.com/apparmor/apparmor/-/merge_requests/1445)) +- equality + - fix equality tests for priority ([MR:1455](https://gitlab.com/apparmor/apparmor/-/merge_requests/1455)) + - add explicit test for parser priority-based carveouts ([MR:1443](https://gitlab.com/apparmor/apparmor/-/merge_requests/1443)) +