Update Release_Notes_4.0 alpha3

John Johansen 2023-08-15 00:36:22 +00:00
parent 99de41e04b
commit cf3d4e394b

@ -27,41 +27,41 @@ Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer
## Feature Matrix
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|:---: |:---: |:---: |:---: |:---: |:---:|
|unconfined flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|debug flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|[unconfined flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|[debug flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|[promt flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
|*[audit.mode flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| *[kill.signal flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| *[attach_disconnected.path flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [quiet audit prefix](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [rule priority qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes)| Y | Y <sup>1</sup> | N | N | N |
| [access rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [complain rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [prompt rule qualifier](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [ordered rule block](https://gitlab.com/apparmor/apparmor/-/wikis/rule-prefixes-and-modes) | Y | Y <sup>1</sup> | N | N | N |
| inherits rule | Y | Y <sup>1</sup> | N | N | N |
| [boolean rule ops](https://gitlab.com/apparmor/apparmor/-/wikis/rule-operations) | Y | Y <sup>1</sup> | N | N | N |
| * @{parent} variable | Y | N <sup>6</sup> | N | N | N |
| * @{attachment} variable | Y | Y <sup>1</sup> | N | N | N |
| *deny attachment | Y | Y <sup>1</sup> | N | N | N <sup>4</sup> |
| *all rule | Y | Y <sup>1</sup> | N | N | N |
| *policy overlay | N | Y <sup>3</sup> | n/a | Y | N |
| *config overlay | N | Y <sup>3</sup> | n/a | Y | N |
| posix mqueue | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| user ns | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| io_uring | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| rootless apparmor_parser | N | N | n/a | N | N |
| extended x index | N | Y <sup>5</sup> | Y | N | Y <sup>2</sup> |
| fixed x dominance | N<sup>9</sup> | N<sup>10</sup> | Y<sup>11</sup> | N | N |
| *rule extends abi | N | N <sup>7</sup> | N | N | N |
| rootless apparmor_parser | N | N | n/a | N | N |
| improved -O rule-merge | N | N | n/a | N | N |
| aa-status filters | N | N | n/a | N | N |
| aa-load | N | N | n/a | Y | N |
| policy overlay | N | Y <sup>3</sup> | n/a | Y | N |
| config overlay | N | Y <sup>3</sup> | n/a | Y | N |
| multiple policy locations | N | Y <sup>3</sup> | n/a | Y | N |
| location specific configs | N | Y <sup>3</sup> | n/a | Y | N |
| deny attachment | Y | Y <sup>1</sup> | N | N | N <sup>4</sup> |
|audit.mode flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| kill.signal flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| attach_disconnected.path flag | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| quiet audit prefix | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| access rule qualifier | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| complain rule qualifier | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| user conditional | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| inherits rule | Y | Y <sup>1</sup> | N | N | N |
| boolean rule ops | Y | Y <sup>1</sup> | N | N | N |
| ordered rule block | Y | Y <sup>1</sup> | N | N | N |
| rule priority | Y | Y <sup>1</sup> | N | N | N |
| @{parent} variable | Y | N <sup>6</sup> | N | N | N |
| @{attachment} variable | Y | Y <sup>1</sup> | N | N | N |
| kernel supports conditional | Y | Y <sup>1</sup> | N | N | N |
| abi supports conditional | Y | Y <sup>1</sup> | N | N | N |
| rule extends abi | N | N <sup>7</sup> | N | N | N |
| all rule | Y | Y <sup>1</sup> | N | N | N |
| improved -O rule-merge | N | N | n/a | N | N |
| -O rule-refactor | N | N | n/a | N | N |
| [unconfined ns restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
| [unconfined change_profile stacking](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
| [unconfined io_uring restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
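Review bot: the third flag row spells the feature "promt flag"; it should read "prompt flag", matching the "prompt rule qualifier" row further down. The same table also carries several features twice, once as a linked row and once as a plain one (unconfined flag, debug flag, audit.mode flag, kill.signal flag, attach_disconnected.path flag, quiet audit prefix, access rule qualifier, complain rule qualifier, inherits rule, boolean rule ops, ordered rule block, rule priority, the @{parent} and @{attachment} variables, deny attachment, all rule, rule extends abi), and "rootless apparmor_parser", "policy overlay", "config overlay" and "improved -O rule-merge" appear twice with identical columns; keep one row per feature so the matrix stays readable. The "*" prefix on some rows (e.g. "*deny attachment", "* @{parent} variable", "*policy overlay") is not explained anywhere in the legend; either add a footnote stating what it marks or drop it.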
@ -73,6 +73,29 @@ Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer
5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail
6. Will break older policy if variable is not defined. Variable can be manually defined in older parser.
7. AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
8. These features if enabled will change unconfined's behavior but can be disabled with either a grub kernel boot parameter or sysctl depending on the kernel.
9. Does not allow any new rules but allows overlapping exec rules that would have been previously rejected.
10. If overlapping rules not supported by 3.x are used policy will break on 3.x and older environments
11. Tools will work but may not deal with overlapping rules correctly in some cases
12.
in beta
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|:---: |:---: |:---: |:---: |:---: |:---:|
| *io_uring | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| *port level network | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
* io_uring needed for unprivilege unconfined constraint around io_uring
*
AppArmor 4.1 or later
|Feature | policy extension |breaks 3.x |supported by utils|requires 4.x libapparmor|requires kernel support|
|:---: |:---: |:---: |:---: |:---: |:---:|
| multiple policy locations | N | Y <sup>3</sup> | n/a | Y | N |
| location specific configs | N | Y <sup>3</sup> | n/a | Y | N |
| user conditional | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| -O rule-refactor | N | N | n/a | N | N |
| kernel supports conditional | Y | Y <sup>1</sup> | N | N | N |
| abi supports conditional | Y | Y <sup>1</sup> | N | N | N |
| replace unconfined | N | Y | N | n/a | N |
## Compatibility
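Review bot: footnote 12 is empty ("12." with no text), and no row in the matrix cites it; either fill it in or remove the number. The "in beta" and "AppArmor 4.1 or later" subsections are bare text lines immediately followed by a table, whereas the page uses "## " headings (e.g. "## Feature Matrix", "## Compatibility") and a blank line before each table; without that blank line markdown will not render the table, so use e.g. "## In beta" and "## AppArmor 4.1 or later". The legend under the beta table has an empty second bullet ("*"), and "unprivilege unconfined constraint" should read "unprivileged unconfined constraint". In the 4.1 table the "replace unconfined" row puts "N" under "supported by utils" and "n/a" under "requires 4.x libapparmor", the reverse of every other row whose "policy extension" column is N; check whether those two cells were swapped, and give its "breaks 3.x" Y the same footnote treatment as the other rows.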
@ -202,6 +225,8 @@ wip - not in this alpha, not guaranteed to land in 4.0
-