From 48cba4bd1bccad047646f40e8b108d8bc84160e8 Mon Sep 17 00:00:00 2001
From: John Johansen <john@jjmx.net>
Date: Tue, 16 Apr 2019 05:37:05 +0000
Subject: [PATCH] Update Kernel_Feature_Matrix

---
 Kernel_Feature_Matrix.md | 46 ++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/Kernel_Feature_Matrix.md b/Kernel_Feature_Matrix.md
index 6620898..7d6f7ea 100644
--- a/Kernel_Feature_Matrix.md
+++ b/Kernel_Feature_Matrix.md
@@ -1,30 +1,30 @@
 
 # Upstream kernel
 
-| Kernel Version | Feature |
-|----------------|---------|
-| 2.6.36         | Base functionality lands upstream mediation of: <ul><li>File<ul><li>owner conditional</li><li>read, write, link, lock, mmap exec</li></ul></li><li>Execute<ul><li>[pP]x, [cC]x, ix, ux, [pP]ix, [pP]ux named transitions</li><li>attachment conditional separate from profile name</li></ul></li><li>Change hat<ul><li>single hat</li></ul></li><li>Change Profile</li><li>Capability</li><li>policy namespaces created through policy load</li><li>rlimit</li><li>Bug fixes and code cleanups</li></ul> |
-| 2.6.37 - 3.3| Bug fixes and code cleanups       |
-| 3.4            | <ul><li>Add support for extensible policydb</li><li>feature set<ul><li>add <i>features/</i> directory as a userspace api to discover kernel supported feature set</li><li>add file mediation details</li><li>add capability mediation details</li><li>export known rlimit mappings</li></ul></li></ul>       |
-| 3.5            | Fail exec transitions due to no_new_privs<ul><li>unconfined is allowed to transition to anything</li><li>inherit is allowed when task has nnp set</li><li>all other domain transitions are blocked when a task has nnp set</li><li>Bug fixes and code cleanups</li></ul>        |
-| 3.6 - 3.10     | Bug fixes and code cleanups       |
-| 3.11           | <ul><li>relax restrictions on setting rlimits</li> <li>Bug fixes and code cleanups</li></ul>   |
-| 3.12           | <ul><li>support unconfined flag on any profile</li><li>support multiple profiles being loaded in a single write</li><li>introspection interface<ul><li>add ability to query whether apparmor is enabled</li><li>allow introspecting the loaded set of profiles virtualized to the opening tasks namespace via the <i>profiles</i> file</li><li>add <i>policy/</i> directory which can be used to introspect profiles and namespaces of loaded policy<ul><li> add <i>policy/namespaces/</i> dir to introspect policy namespaces</li><li>add <i>policy/profiles/</i> dir to report on profiles loaded into the current namespace<ul><li>report profile name <i>policy/profiles/PROFILE/name</i></li><li>report profile mode <i>policy/profiles/PROFILE/mode</i></li><li>report sha1 of profile <i>policy/profiles/PROFILE/sha1</i></li><li>allow human readable attachment string to be loaded and reported in the <i>policy/profiles/PROFILE/attach</i></li></ul></li></ul></li></ul></li><li>feature set<ul><li>export set of capabilities supported</li></ul></li><li>Bug fixes and code cleanups</li></ul>   |
-| 3.13 - 4.7       | Bug fixes and code cleanups       |
-| 4.8            | <ul><li>allow CAP_SYS_RESOURCE to prlimit another task</li><li>add kernel parameter and kconfig to allow controlling if profile hashing is used</li><li>Bug fixes and code cleanups</li></ul>        |
-| 4.9 - 4.10     | Bug fixes and code cleanups     |
-| 4.11           | <ul><ul><li>add <i>/sys/kernel/security/lsm</i> to enable detecting currently in use lsm</li><li>kernel parameters<ul><li>remove paranoid load parameter - all policy loads now do full checking</li></ul></li><li>speedup mediation by use of percpu buffers</li><li>add sysctl <i>/proc/sys/kernel/unprivileged_userns_apparmor_policy</i> to allow disabling user namespaces from loading policy</li><li>add query interface for extended profile <i>key/value</i> data store</ul><li>allow profile hashing to be disabled with a kconfing</li><li>policy namespaces<ul><li>add namespace view support and restrictions on visibility</li><li>add per namespace policy interface file to directly load policy into a namespace<ul><li><i>policy/namespaces/NAMESPACE/.load</i></li><li><i>policy/namespaces/NAMESPACE/.replace</i></li><li><i>policy/namespaces/NAMESPACE/.remove</i></li></ul></li></ul></li><li>allow introspecting and checkpoint and restore of loaded profile data via<ul><li><i>policy/profiles/PROFILE/raw_abi</i></li><li><i>policy/profiles/PROFILE/raw_data</i></li><li><i>policy/profiles/PROFILE/raw_sha1</i></li></ul></li><li> on exec dup2 opened files that the task won't have permission to access to a special <i>.null</i> device file</li><li>Complain mode<ul><li>support force complain flag</li><li>try to create null profiles using the exec name <i>null-EXECNAME</i></ul></li><li>feature set<ul><li> add <i>features/domain/fix_binfmt_elf_mmap</i> to enable userspace to detect the semantic change caused by <i>9f834ec18def</i></li></ul></li><li>report namespace name in audit messages</li><li>Bug fixes and code cleanups</li></ul>        |
-| 4.12           | <ul><li>kernel parameters<ul><li>make path_max readonly</li></ul></li><li>Bug fixes and code cleanups</li></ul>        |
-| 4.13           | <ul><li>add v7 abi</li><li>speedup path lookups with preallocated buffers</li><li>revalidate files at exec transition time</li><li>fine grained ptrace mediation</li><li>domain bounding through profile stacking<ul><li>profile stacking api</li><li>extended change_profile to support profile stacking</li><li>support profile stacks in exec transitions</li></ul></li><li>apparmorfs interface<ul><li> apparmorfs policy virtualization<ul><li>the <i>policy/</i> entry is now a special symlink to a virtualized policy directory</li><li><i>policy/</i> directory is now virtualized based on opening task confinement so tasks can only see the subset of policy in their view</li></ul></li> <li>add namespace level rawdata files<ul><li>unique profile based rawdata files for each namespace in <i>policy/raw_data/</i></li><li> profile raw_data files are now a symlink to the appropriate <i>policy/raw_data/</i> files.</li></ul></li><li>mkdir/rmdir fs based interface for creating namespaces<ul><li>mkdir <i>policy/namespaces/NAMESPACE</i></li><li>rmdir policy/namespaces/NAMESPACE</li></ul></li><li>revision file interface<ul><li>read current policy revision and select/poll for when policy changes via<ul><li> <i>revision</i> for reading the current task's policy namespace revision</li><li><i>policy/revision for the current namespace revision</li><li><i>policy/namespaces/NAMESPACE/revision</i> for a given namespace policy revision</li></ul></li></ul></li><li>query interface<ul><li>support multiple queries per query transaction</li><li>support querying if a profile supports a given mediation type</li></ul></li></ul></li><li>features set<ul><li>add namespace support to available feature set</li><li>add label data query availability to feature set</li></ul></li><li>Bug fixes and code cleanups</li></ul>     |
-| 4.14           | <ul><li> mount mediation<ul><li>new mount</li><li>remount</li><li>bind mount</li><li>change type</li><li>umount</li><li>pivot_root</li></ul><li>signal mediation</li><li>policy unpack log extended error messages</li><li>Bug fixes and code cleanups</li></ul> |
-| 4.15 - 4.16 | Bug fixes and code cleanups|
-| 4.17           | <ul><li> v8 abi</li><li>generic socket mediation </li><li>improved profile attachment logic<ul><li>handle overlapping expression resolution up to 8 characters dynamic overlap in kernel</li><li>xattr attachment conditional</li><li>no_new_privs improved attachment with subset test based on confinement at time no_new_privs was entered</ul></li><li> signal mediation of profile stacks</li><li>Bug fixes and code cleanups</li></ul>       |
-| 4.18           | <ul><li>add support for secids and using secctxes</li><li>the ability to get a task's secid</li><li>add support for audit rules filtering. AppArmor task label can be used in audit rule filters</li><li>Bug fixes and code cleanups</li></ul>        |
-| 4.19           | Bug fixes and code cleanups|
+| Kernel Version | Feature | Required userspace version and notes |
+|----------------|---------|--------------------------------------|
+| 2.6.36         | Base functionality lands upstream mediation of: <ul><li>File<ul><li>owner conditional</li><li>read, write, link, lock, mmap exec</li></ul></li><li>Execute<ul><li>[pP]x, [cC]x, ix, ux, [pP]ix, [pP]ux named transitions</li><li>attachment conditional separate from profile name</li></ul></li><li>Change hat<ul><li>single hat</li></ul></li><li>Change Profile</li><li>Capability</li><li>policy namespaces created through policy load</li><li>rlimit</li><li>Bug fixes and code cleanups</li></ul> |  |
+| 2.6.37 - 3.3| Bug fixes and code cleanups       |  |
+| 3.4            | <ul><li>Add support for extensible policydb</li><li>feature set<ul><li>add <i>features/</i> directory as a userspace api to discover kernel supported feature set</li><li>add file mediation details</li><li>add capability mediation details</li><li>export known rlimit mappings</li></ul></li></ul>       |  |
+| 3.5            | Fail exec transitions due to no_new_privs<ul><li>unconfined is allowed to transition to anything</li><li>inherit is allowed when task has nnp set</li><li>all other domain transitions are blocked when a task has nnp set</li><li>Bug fixes and code cleanups</li></ul>        |  |
+| 3.6 - 3.10     | Bug fixes and code cleanups       |  |
+| 3.11           | <ul><li>relax restrictions on setting rlimits</li> <li>Bug fixes and code cleanups</li></ul>   |  |
+| 3.12           | <ul><li>support unconfined flag on any profile</li><li>support multiple profiles being loaded in a single write</li><li>introspection interface<ul><li>add ability to query whether apparmor is enabled</li><li>allow introspecting the loaded set of profiles virtualized to the opening tasks namespace via the <i>profiles</i> file</li><li>add <i>policy/</i> directory which can be used to introspect profiles and namespaces of loaded policy<ul><li> add <i>policy/namespaces/</i> dir to introspect policy namespaces</li><li>add <i>policy/profiles/</i> dir to report on profiles loaded into the current namespace<ul><li>report profile name <i>policy/profiles/PROFILE/name</i></li><li>report profile mode <i>policy/profiles/PROFILE/mode</i></li><li>report sha1 of profile <i>policy/profiles/PROFILE/sha1</i></li><li>allow human readable attachment string to be loaded and reported in the <i>policy/profiles/PROFILE/attach</i></li></ul></li></ul></li></ul></li><li>feature set<ul><li>export set of capabilities supported</li></ul></li><li>Bug fixes and code cleanups</li></ul>   |   |
+| 3.13 - 4.7       | Bug fixes and code cleanups       |   |
+| 4.8            | <ul><li>allow CAP_SYS_RESOURCE to prlimit another task</li><li>add kernel parameter and kconfig to allow controlling if profile hashing is used</li><li>Bug fixes and code cleanups</li></ul>        |   |
+| 4.9 - 4.10     | Bug fixes and code cleanups     |   |
+| 4.11           | <ul><ul><li>add <i>/sys/kernel/security/lsm</i> to enable detecting currently in use lsm</li><li>kernel parameters<ul><li>remove paranoid load parameter - all policy loads now do full checking</li></ul></li><li>speedup mediation by use of percpu buffers</li><li>add sysctl <i>/proc/sys/kernel/unprivileged_userns_apparmor_policy</i> to allow disabling user namespaces from loading policy</li><li>add query interface for extended profile <i>key/value</i> data store</ul><li>allow profile hashing to be disabled with a kconfing</li><li>policy namespaces<ul><li>add namespace view support and restrictions on visibility</li><li>add per namespace policy interface file to directly load policy into a namespace<ul><li><i>policy/namespaces/NAMESPACE/.load</i></li><li><i>policy/namespaces/NAMESPACE/.replace</i></li><li><i>policy/namespaces/NAMESPACE/.remove</i></li></ul></li></ul></li><li>allow introspecting and checkpoint and restore of loaded profile data via<ul><li><i>policy/profiles/PROFILE/raw_abi</i></li><li><i>policy/profiles/PROFILE/raw_data</i></li><li><i>policy/profiles/PROFILE/raw_sha1</i></li></ul></li><li> on exec dup2 opened files that the task won't have permission to access to a special <i>.null</i> device file</li><li>Complain mode<ul><li>support force complain flag</li><li>try to create null profiles using the exec name <i>null-EXECNAME</i></ul></li><li>feature set<ul><li> add <i>features/domain/fix_binfmt_elf_mmap</i> to enable userspace to detect the semantic change caused by <i>9f834ec18def</i></li></ul></li><li>report namespace name in audit messages</li><li>Bug fixes and code cleanups</li></ul>        |   |
+| 4.12           | <ul><li>kernel parameters<ul><li>make path_max readonly</li></ul></li><li>Bug fixes and code cleanups</li></ul>        |   |
+| 4.13           | <ul><li>add v7 abi</li><li>speedup path lookups with preallocated buffers</li><li>revalidate files at exec transition time</li><li>fine grained ptrace mediation</li><li>domain bounding through profile stacking<ul><li>profile stacking api</li><li>extended change_profile to support profile stacking</li><li>support profile stacks in exec transitions</li></ul></li><li>apparmorfs interface<ul><li> apparmorfs policy virtualization<ul><li>the <i>policy/</i> entry is now a special symlink to a virtualized policy directory</li><li><i>policy/</i> directory is now virtualized based on opening task confinement so tasks can only see the subset of policy in their view</li></ul></li> <li>add namespace level rawdata files<ul><li>unique profile based rawdata files for each namespace in <i>policy/raw_data/</i></li><li> profile raw_data files are now a symlink to the appropriate <i>policy/raw_data/</i> files.</li></ul></li><li>mkdir/rmdir fs based interface for creating namespaces<ul><li>mkdir <i>policy/namespaces/NAMESPACE</i></li><li>rmdir policy/namespaces/NAMESPACE</li></ul></li><li>revision file interface<ul><li>read current policy revision and select/poll for when policy changes via<ul><li> <i>revision</i> for reading the current task's policy namespace revision</li><li><i>policy/revision for the current namespace revision</li><li><i>policy/namespaces/NAMESPACE/revision</i> for a given namespace policy revision</li></ul></li></ul></li><li>query interface<ul><li>support multiple queries per query transaction</li><li>support querying if a profile supports a given mediation type</li></ul></li></ul></li><li>features set<ul><li>add namespace support to available feature set</li><li>add label data query availability to feature set</li></ul></li><li>Bug fixes and code cleanups</li></ul>     |   |
+| 4.14           | <ul><li> mount mediation<ul><li>new mount</li><li>remount</li><li>bind mount</li><li>change type</li><li>umount</li><li>pivot_root</li></ul><li>signal mediation</li><li>policy unpack log extended error messages</li><li>Bug fixes and code cleanups</li></ul> |   |
+| 4.15 - 4.16 | Bug fixes and code cleanups|   |
+| 4.17           | <ul><li> v8 abi</li><li>generic socket mediation </li><li>improved profile attachment logic<ul><li>handle overlapping expression resolution up to 8 characters dynamic overlap in kernel</li><li>xattr attachment conditional</li><li>no_new_privs improved attachment with subset test based on confinement at time no_new_privs was entered</ul></li><li> signal mediation of profile stacks</li><li>Bug fixes and code cleanups</li></ul>       |   |
+| 4.18           | <ul><li>add support for secids and using secctxes</li><li>the ability to get a task's secid</li><li>add support for audit rules filtering. AppArmor task label can be used in audit rule filters</li><li>Bug fixes and code cleanups</li></ul>        |   |
+| 4.19           | Bug fixes and code cleanups|   |
 | 4.20           | <ul><li>Secmark mediation for custom policy</li><li>Bug fixes and code cleanups</li></ul> |
-| 5.0            | Bug fixes and code cleanups|
-| 5.1            | <ul><li>LSM stacking with generic blobs (sara/landlock). Does not include secids so insufficient to stack with selinux and smack.</li><li>Bug fixes and code cleanups</li></ul> |
-| 5.2            | wip    |
+| 5.0            | Bug fixes and code cleanups|    |
+| 5.1            | <ul><li>LSM stacking with generic blobs (sara/landlock). Does not include secids so insufficient to stack with selinux and smack.</li><li>Bug fixes and code cleanups</li></ul> |   |
+| 5.2            | wip    |   |
 
 # Suse kernel