diff --git a/Release_Notes_2.13.2.md b/Release_Notes_2.13.2.md index 69cef90..97d6665 100644 --- a/Release_Notes_2.13.2.md +++ b/Release_Notes_2.13.2.md 
@@ -22,114 +22,62 @@ Tarball - signature: -Build Infrastructure --------------------- - -??? -- fix FTBFS w/older glibc - Policy Compiler (a.k.a apparmor\_parser) ---------------------------------------- +- Fix failures due to -M only setting compile-features +- Don't hard code the location of netinet/in.h. -??? -- allow specifying the parser config file Init ---- -- fix permissions of apparmor.systemd helper script -- skip XBPS conffile artifacts +- Ignore *.orig and *.rej files when loading profiles +- Fix syntax error in rc.apparmor.functions which could cause policy load failures -Library -------- - -??? -- do not honor $LIBAPPARMOR_DEBUG when `secure_getenv` is undefined - Utils ----- -??? - genprof/logprof - - error out on nested child profiles which are not currently supported - -- aa-notify - - make message about notify-send package cross-distro compatible - - Read user's configuration file from XDG_CONFIG_HOME - -- sandbox.py - - remove unused exception binding + - Fix viewing a local inactive profile in aa-genprof + - Ensure last line in a profile is valid + - Fix handling of options when serializing profiles + - Fix minitools for named profiles + - Fix preview when viewing profile changes Policy ------ -??? 
+- Use @{sys} tunable in profiles and abstractions - Profiles - - support distributions which merge sbin into bin - - ping: support void linux binary location - - traceroute: support void linux binary location - - dnsmasq - - add paths for NetworkManager connection sharing - - add permission to open log files - - allow running Thunderbird wrapper script - - ntpd - - allow access to ntp clockstat - - add openntpd drift and socket files - - support void linux binary location - - samba - - allow smbd to load new shared libraries - - allow winbindd to read and write new kerberos cache location - - nmbd - - add missing files - - support writing to /run/systemd/notify - - smbd add missing pid lock file - - update usr.sbin.useradd to support usr-merge + - Add profile names to all profiles with {bin,sbin} attachment except for the dnsmasq profile + + - dovecot: allow reading /proc/sys/fs/suid_dumpable + - postalias: allow locking /etc/aliases.db + - dnsmasq: + - Add pid file used by NetworkManager + - Adjust pattern for log files to comply with SELinux -- Tunables - - Make variables value more readable by avoiding the use of too many alternations. 
- - Add uid and uids kernel var placeholders - Abstractions - - add qt5 abstraction - - add qt5-compose-cache-write abstraction - - ubuntu-email: add new Thunderbird executable path - - ubuntu-browsers.d/user-files: disallow access to the dirs of private files - - private-files: disallow writes to thumbnailer dir (LP: #1788929) - - private-files-strict: disallow access to the dirs of private files - - user-files: disallow access to the dirs of private files - - remove antiquated abstractions/launchpad-integration - - kde: use qt5 abstration - - samba: add missing log files - - add recent documents write abstraction and update abstractions to use it - - add OpenCL abstraction - - kde: drop redundant rules for icons access - - ssl - - add dehydrated certificate support - - support new location for ssl-params file - - php: allow ICU (unicode support) data tables - - Python: - - add support for python 3.7 - - allow /usr/local/lib/python3/dist-packages - - freedesktop.org: - - factor out duplicated path components with variables - - treat Flatpak exports the same way as bits shipped by the distro. - - simplify by not attempting to guess the exhaustive list of files that can exist in {~/.local/share,/usr/share}/applications/. - - refactor for consistency. - - nvidia - - opencl: don't allow PUx on nvidia-modprobe - - use nvidia_modprobe profile inside opencl-nvidia - + - private-files: deny ~/.mutt** + - private-files-strict: audit deny ~/.aws + - ssl_key: Add /etc/letsencrypt/archive + - Add vulkan abstraction Tests ----- -- mount regression test: convert mount test to use MS_NODE -- use --config-file in tests so they are unaffected by the system parser.conf file +- error out on superfluous TODOs +- disable abi/ok_10 and abi/ok_12 tests +- Remove TODO notes from no-longer-failing tests +- add utils/test/common_test.pyc to gitignore + Documentation ------------- -- update documentation to references gitlab and updated bug reporting procedures. 
+- apparmor(7): document various debugging options. +- aa-notify(8): update user's configuration file path Note @@ -139,4 +87,4 @@ There is a semantic change in the 4.8 kernel (commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46) that affects apparmor policy enforcement. Specifically it affects when the m permission bit is checked for elf binary executables. Policy and tests within apparmor -2.12 and later have been updated to support running on pre 4.8 and 4.8+ kernels. \ No newline at end of file +2.12 and later have been updated to support running on pre 4.8 and 4.8+ kernels.
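Review bot: In the Abstractions list of the first hunk, "private-files: deny ~/.mutt**" and "private-files-strict: audit deny ~/.aws" are explicit deny rules, and a deny rule overrides allow rules in any profile that includes the abstraction, yet both are listed like routine additions. Suggest marking them as behaviour changes so that maintainers of local profiles that grant access to those paths know to re-test after upgrading. A smaller style point in the same hunk: the Init entry "Ignore *.orig and *.rej files when loading profiles" and the Policy Compiler entry mentioning "-M" leave glob characters and an option name as bare text, while this file already escapes Markdown-sensitive characters ("apparmor\_parser"); writing the globs, the paths and the option as code spans would keep the notes consistent and unambiguous.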