mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00
Release_Notes_4.1.0
John Johansen edited this page 2025-04-10 09:50:54 +00:00

AppArmor 4.1 was released 2025-03-08.

Introduction

AppArmor 4.1 is a major new release of the AppArmor user space that makes several important changes to policy development and support. Its focus is transitioning policy to the new policy features.

AppArmor 4.1 is a stable release for the newer AppArmor 4 style policy, which introduces several new features that are not backwards compatible. As such, AppArmor 4.1 will be a long-term support release.

This version of the userspace should work with all kernel versions from 2.6.15 and later (and with some earlier kernel versions if they have the AppArmor patches applied), and it supports features released in the 4.20 kernel.

Note that while older kernels are supported, not all features available in AppArmor 4.1 policy can be enforced on older kernels.

The kernel portion of the project is maintained and pushed separately.

Highlighted new features

  • priority rule modifier

Important Notes

  • gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple of processing steps already performed:
    • libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
    • the docs for everything but libapparmor have already been built
  • Potentially breaking changes:

Known Issues

  • qrt change_hat regression tests fail when using perms32
  • utils do not handle priorities in rules
  • utils do not handle leading permissions
  • mount rules
    • handling of conflicting mount options is not backwards compatible

Obtaining the Release

There are two ways to obtain this release: through gitlab or as a tarball on launchpad. Important note: the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple of processing steps already performed:

  • libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
  • the docs for everything but libapparmor have already been built

gitlab release

Launchpad Tarball

Changes since AppArmor 4.0???

Misc

policy compiler (aka apparmor_parser)

  • add port range support on network policy (MR:1321)

Policy

profiles

unconfined profiles

  • new

Documentation

Regression Tests

Changes in this Release

These release notes cover all changes between 4.0??? ( ???) and 4.1.0 ( ??? ) apparmor-4.1 branch.

General improvements

New Profile Flags

???

New Mediation rules

Policy Compiler (a.k.a apparmor_parser)

  • add port range support on network policy (MR:1321)
  • fix mapping of AA_CONT_MATCH for policydb compat entries (MR:1409, AABUG:462)
  • improve profile build and dump info
    • add the ability to dump the permissions table (MR:1410)
    • add the accept2 table entry to the chfa dump (MR:1410)
    • fix and cleanup libapparmor_re/Makefile (MR:1410)
  • restore MatchFlag dump from being hex encoded to decimal (MR:1419)
  • fix make setup when bison is not installed by quoting BISON_MAJOR (MR:1431)
  • replace uses of MS_SYNC by MS_SYNCHRONOUS in mount flags (MR:1458)
  • add separator between mount flags in dump_flags (MR:1465)
  • allow make-* flags with remount operations (MR:1466, LP:2091424)
  • convert uint to unsigned int (MR:1478)
  • fix rule priority destroying rule permissions for io_uring and userns classes (MR:1307)
  • fix integer overflow bug in rule priority comparisons (MR:1396, AABUG:452)
  • fix minimization check for filtering deny (MR:1396, AABUG:452)
  • fix memory leak in aare_rules UniquePermsCache (MR:1399)
  • fix do not change auditing information when applying deny (MR:1408, AABUG:461)

Library

  • bug fix do not change auditing information when applying deny (MR:1408, AABUG:461)
  • fix af_protos.h generation so it's consistent between different architectures (MR:1309)
  • fix ABI break for aa_log_record (MR:1345, LP:2083435)

Utils

  • improve UX when allowing rules in aa-notify and update the man page (MR:1313)
  • store the child profile/hat name if we are in a child profile or hat instead of the main profile (MR:1359)
  • aa-mergeprof: prevent backtrace if file not found (MR:1403)
  • fix creation of path /usr/share/polkit-1/actions/ in python tools setup to create intermediary directories (MR:1306)
  • Remove match statements in utils for older Python compatibility (MR:1440)
  • fixes/workarounds for python 3.13 missing cgitb (MR:1439, AABUG:447)
  • fix E502 error on Python 3.11 (MR:1431)
  • limit buildpath.py setuptools version check to the relevant bits (MR:1460)
  • fix tools to ignore peer when parsing logs for non-peer access modes (MR:1314, AABUG:427)
  • fix exception when replacing owner file, rules by file, by suggesting mrwlkix instead (MR:1320, AABUG:429)
  • fix wrong order of the owner keyword when cleaning file rules (MR:1320, AABUG:430)
  • fix thrown TypeError exception when passing binary logs to the tools (MR:1354, AABUG:436)

Policy

abstractions

  • mesa: allow ~/.cache/mesa_shader_cache_db/ (MR:1333, LP:2081692)
  • dconf
    • use @{etc_ro} instead of /etc/... r, (MR:1402)
    • allow write access to /run/user/*/dconf/user (MR:1471)
  • mesa
  • nameservice
    • support name resolution via libnss-libvirt (MR:1362)
    • include abstractions/nameservice-strict (MR:1373)
    • tighten libnss_libvirt file access (MR:1379)
  • nameservice-strict
    • add more strict version of abstractions/nameservice
  • php
  • python
    • allow python cache under @{HOME}/.cache/ (MR:1467)

profiles

  • ping: allow reading /proc/sys/net/ipv6/conf/all/disable_ipv6 (MR:1340, debug1082190)
  • transmission: add attach_disconnected flag (MR:1355, LP:2083548)
  • postfix-tlsproxy: add new profile (MR:1330)
  • php-fpm:
  • ping
  • Postfix
    • Support /usr/libexec/postfix/ path (MR:1330)
      • postfix-anvil
      • postfix-bounce
      • postfix-cleanup
      • postfix-discard
      • postfix-dnsblog
      • postfix-error
      • postfix-flush
      • postfix-lmtp
      • postfix-local
      • postfix-master
      • postfix-nqmgr
      • postfix-oqmgr
      • postfix-pickup
      • postfix-pipe
      • postfix-postscreen
      • postfix-proxymap
      • postfix-qmgr
      • postfix-qmqpd
      • postfix-scache
      • postfix-showq
      • postfix-smtp
      • postfix-smtpd
      • postfix-spawn
      • postfix-tlsmgr
      • postfix-trivial-rewrite
      • postfix-verify
      • postfix-virtual
      • usr.sbin.postqueue
      • usr.sbin.sendmail
      • usr.sbin.sendmail.postfix
  • postfix-master
    • add exec perm for postfix-tlsproxy and postscreen (MR:1330)
  • postfix-postscreen
    • add abstractions/{nameservice,postfix-common} and cache map (MR:1330)
  • postfix-showq
    • Allow reading queue ID files from /var/spool/postfix/hold/ (MR:1454)
  • postfix-smtpd
    • add permissions to rwk /{var/spool/postfix/,}pid/pass.smtpd (MR:1330)
    • allow locking for /var/spool/postfix/pid/unix.relay (MR:1459)
  • postfix-tlsproxy
  • slirp4netns: allow pivot_root (MR:1298, HUB:348)
  • transmission
  • smbd:
  • zgrep
    • deny reading /etc/nsswitch.conf and /etc/passwd (MR:1361)
  • dovecot:
    • allow reading /proc/sys/kernel/core_pattern (MR:1331)
  • bwrap:
    • update the bwrap profile so that it will attach to application profiles if present (MR:1435)
  • transmission-gtk:
  • cupsd:
    • allow /etc/paperspecs read access (MR:1472)
    • convert profile to use @etc_ro/rw (MR:1472)

unconfined profiles

Documentation

Translations

  • sync translation from launchpad

Infrastructure

Tests

  • Regression:
    • fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite (MR:1407)
    • resolve some compiler warnings (MR:1407)
    • fix regression tests when parent directory contains spaces (MR:1418, MR:1424)
    • fix incorrect setfattr call in xattrs_profile (MR:1429)
    • add complain mode regression tests (MR:1415)
    • check if setfattr exists to run xattr_profile tests (MR:1412)
    • fix mult_mount and file_unbindable_mount tests by using a larger loop device (MR:1431, MR:1469)
    • add DAC permissions check to the test suite (MR:1411)
    • fix swap regression tests on zfs and btrfs (MR:1462, MR:1463, MR:1464)
    • fix test infrastructure when a wrapper is specified (MR:1450)
    • add test mediation for file access in unbindable mounts (MR:1448)
  • test-logprof
  • spread
    • add support for spread tests (MR:1432)
    • add support for local kernel (MR:1452)
    • add regression tests for snapd mount-control (MR:1445)
  • equality
    • fix equality tests for priority (MR:1455)
    • add explicit test for parser priority-based carveouts (MR:1443)

Bug Fixes

  • fix creation of path /usr/share/polkit-1/actions/ in python tools setup to create intermediary directories (MR:1306)
  • fix af_protos.h generation so it's consistent between different architectures (MR:1309)
  • fix rule priority destroying rule permissions for io_uring and userns classes (MR:1307)
  • fix tools to ignore peer when parsing logs for non-peer access modes (MR:1314, AABUG:427)
  • fix exception when replacing owner file, rules by file, by suggesting mrwlkix instead (MR:1320, AABUG:429)
  • fix wrong order of the owner keyword when cleaning file rules (MR:1320, AABUG:430)
  • fix ABI break for aa_log_record (MR:1345, LP:2083435)
  • fix thrown TypeError exception when passing binary logs to the tools (MR:1354, AABUG:436)
  • fix integer overflow bug in rule priority comparisons (MR:1396, AABUG:452)
  • fix minimization check for filtering deny (MR:1396, AABUG:452)
  • fix memory leak in aare_rules UniquePermsCache (MR:1399)
  • fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite (MR:1407)
  • fix do not change auditing information when applying deny (MR:1408, AABUG:461)
  • fix mapping of AA_CONT_MATCH for policydb compat entries (MR:1409, AABUG:462)
  • bug fix do not change auditing information when applying deny (MR:1408, AABUG:461)
  • fix equality tests for priority (MR:1455)
  • fix awk not being found on openSUSE 15.6 (MR:1431)
  • fix json generation on aa-status (MR:1451, AABUG:470)
  • fix make setup when bison is not installed by quoting BISON_MAJOR (MR:1431)

Feature Matrix

??????

The feature matrix provides an overview of which features/changes are supported on which release and/or kernel.

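| Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
|---|---|---|---|---|---|
| unconfined flag | Y | Y [1] | N | N | Y [2] |
| debug flag | Y | Y [1] | N | N | Y [2] |
| prompt flag | Y | Y [1] | N | N | Y [2] |
| audit.mode flag | Y | Y [1] | N | N | Y [2] |
| kill.signal flag | Y | Y [1] | N | N | Y [2] |
| attach_disconnected.path flag | Y | Y [1] | N | N | Y [2] |
| default_allow | Y | Y [1] | N | N | N |
| all rule | Y | Y [1] | N | N | N |
| userns | Y | Y [1] | N | N | Y [2] |
| rootless apparmor_parser | N | N | n/a | N | N |
| improved -O rule-merge | N | N | n/a | N | N |
| aa-status filters | N | N | n/a | N | N |
| aa-load | N | N | n/a | Y | N |
| io_uring | Y | Y [1] | N | N | Y [2] |
| port level network [12] | Y | Y [1] | N | N | Y [2] |
| unconfined ns restriction | N | Y [8] | n/a | N | Y |
| unconfined change_profile stacking | N | Y [8] | n/a | N | Y |
| unconfined io_uring restriction | N | Y [8] | n/a | N | Y |
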
  1. If present in policy will cause previous versions of AppArmor to fail
  2. Requires kernel support; policy can be downgraded to work on kernels that do not support it.
  3. Previous versions of AppArmor may not fail but will not behave correctly
  4. Feature can be functionally provided but may not be exactly the same
  5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail
  6. Will break older policy if variable is not defined. Variable can be manually defined in older parser.
  7. AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
  8. These features if enabled will change unconfined's behavior but can be disabled with either a grub kernel boot parameter or sysctl depending on the kernel.
  9. Does not allow any new rules but allows overlapping exec rules that would have been previously rejected.
  10. If overlapping rules not supported by 3.x are used policy will break on 3.x and older environments
  11. Tools will work but may not deal with overlapping rules correctly in some cases
  12. Experimental