Create Release_Notes_4.1 beta3

John Johansen 2025-01-09 10:55:47 +00:00
parent 0b264b6fc8
commit db83d7bba3

112
Release_Notes_4.1-beta3.md Normal file

@ -0,0 +1,112 @@
WARNING this is a beta - NOT a final release
================================================
AppArmor 4.1~beta3 was released on 2024-01-09.
# Introduction
AppArmor 4.1 is a major new release of the AppArmor that is in development.
Apprmor 4.1 is a long term stable release for AppArmor 4.1 series policy which introduces several new features that are not backwards compatible.
These release notes cover changes between ```AppArmor-4.1~beta1 and AppArmor-4.1~beta3``` (Note: includes notes for AppArmor-4.1~Beta2 which was dropped due to technical issues).
# Notes
This Release contains bug fixes to AppArmor 4.1 beta1 and beta2.
## Known issues
* priority rule modifier is broken in two distinct ways
* the modifier has a total permission override behavior, which is not the correct per permission behavior
## Misc
- apparmor.vim: add missing units for rlimit cpu and rttime ([MR:1336](https://gitlab.com/apparmor/apparmor/-/merge_requests/1336))
# Bug Fixes
- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306))
- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309))
- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307))
- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427))
- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429))
- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430))
- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435))
- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436))
- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396)
, [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452))
- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399))
- fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite [MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407)
- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461))
## policy compiler (aka apparmor_parser)
- add port range support on network policy ([MR:1321](https://gitlab.com/apparmor/apparmor/-/merge_requests/1321))
## Utils
- improve UX when allowing rules in aa-notify and update the man page ([MR:1313](https://gitlab.com/apparmor/apparmor/-/merge_requests/1313))
- store the child profile/hat name if we are in a child profile or hat instead of the main profile ([MR:1359](https://gitlab.com/apparmor/apparmor/-/merge_requests/1359))
- aa-mergeprof: prevent backtrace if file not found ([MR:1403](https://gitlab.com/apparmor/apparmor/-/merge_requests/1403))
## Policy
#### abstractions
- abstractions/mesa: allow ~/.cache/mesa_shader_cache_db/ ([MR:1333](https://gitlab.com/apparmor/apparmor/-/merge_requests/1333), [LP:2081692](https://bugs.launchpad.net/bugs/2081692))
- abstractions/nameservice-strict: add more strict version of abstractions/nameservice
- abstractions/nameservice:
* support name resolution via libnss-libvirt ([MR:1362](https://gitlab.com/apparmor/apparmor/-/merge_requests/1362))
* include abstractions/nameservice-strict ([MR:1373](https://gitlab.com/apparmor/apparmor/-/merge_requests/1373))
* tighten libnss_libvirt file access ([MR:1379](https://gitlab.com/apparmor/apparmor/-/merge_requests/1379))
- abstractions/dconf: use @{etc_ro} instead of `/etc/... r,` ([MR:1402](https://gitlab.com/apparmor/apparmor/-/merge_requests/1402))
#### profiles
- slirp4netns: allow pivot_root ([MR:1298](https://gitlab.com/apparmor/apparmor/-/merge_requests/1298), [HUB:348](https://github.com/rootless-containers/slirp4netns/issues/348))
- php-fpm:
* confine php-fpm in both /usr/bin and /usr/sbin ([MR:1301](https://gitlab.com/apparmor/apparmor/-/merge_requests/1301), [AABUG:421](https://gitlab.com/apparmor/apparmor/-/issues/421))
* add support for ArchLinux php-legacy package ( [MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454), [LP:2061113](https://bugs.launchpad.net/bugs/2061113))
* widen allowed socket paths ([MR:1406](https://gitlab.com/apparmor/apparmor/-/merge_requests/1406), [LP:2061113](https://bugs.launchpad.net/bugs/2061113))
- ping: allow reading /proc/sys/net/ipv6/conf/all/disable_ipv6 ([MR:1340](https://gitlab.com/apparmor/apparmor/-/merge_requests/1340), [debug1082190](https://bugs.debian.org/1082190))
- transmission: add attach_disconnected flag ([MR:1355](https://gitlab.com/apparmor/apparmor/-/merge_requests/1355), [LP:2083548](https://bugs.launchpad.net/bugs/2083548))
- zgrep: deny reading /etc/nsswitch.conf and /etc/passwd ([MR:1361](https://gitlab.com/apparmor/apparmor/-/merge_requests/1361))
- support /usr/libexec/postfix/ path ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330)):
* postfix-anvil
* postfix-bounce
* postfix-cleanup
* postfix-discard
* postfix-dnsblog
* postfix-error
* postfix-flush
* postfix-lmtp
* postfix-local
* postfix-master
* postfix-nqmgr
* postfix-oqmgr
* postfix-pickup
* postfix-pipe
* postfix-postscreen
* postfix-proxymap
* postfix-qmgr
* postfix-qmqpd
* postfix-scache
* postfix-showq
* postfix-smtp
* postfix-smtpd
* postfix-spawn
* postfix-tlsmgr
* postfix-trivial-rewrite
* postfix-verify
* postfix-virtual
* usr.sbin.postqueue
* usr.sbin.sendmail
* usr.sbin.sendmail.postfix
- postfix-master: add exec perm for postfix-tlsproxy and postscreen ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
- postfix-postscreen: add abstractions/{nameservice,postfix-common} and cache map ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
- postfix-smtpd: add permissions to rwk /{var/spool/postfix/,}pid/pass.smtpd ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
- postfix-tlsproxy: add new profile ([MR:1330](https://gitlab.com/apparmor/apparmor/-/merge_requests/1330))
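Review bot: The release date in "AppArmor 4.1~beta3 was released on 2024-01-09." disagrees with the commit timestamp of 2025-01-09. The year looks like a typo and should be confirmed before this is published. Under "Known issues", the text says the priority rule modifier "is broken in two distinct ways" but only one sub-item follows (the total permission override behavior). Either list the second failure mode or reword the sentence, since anyone writing policy with priority on this beta needs to know exactly which behavior not to rely on. Smaller points: "Apprmor 4.1" and "of the AppArmor" in the Introduction need fixing; the range in the "These release notes cover changes between" line is wrapped in triple backticks where single inline backticks would do; the "fix minimization check for filtering deny" entry is split across two lines so the AABUG:452 link starts its own line with a leading comma; the MR:1407 link on the compiler warnings entry is missing the surrounding parentheses used everywhere else; the "abstractions/nameservice-strict" entry carries no MR reference; and the link label "debug1082190" on the ping entry does not follow the PREFIX:number pattern of the other references.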