From 4af3f8775a78656bf19bf5e576b7cc1509247e60 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 19 Feb 2025 03:05:46 +0000 Subject: [PATCH] Update Release_Notes_4.1 beta5 --- Release_Notes_4.1-beta5.md | 113 ++++++++----------------------------- 1 file changed, 22 insertions(+), 91 deletions(-) diff --git a/Release_Notes_4.1-beta5.md b/Release_Notes_4.1-beta5.md index 644ce00..4ea6c80 100644 --- a/Release_Notes_4.1-beta5.md +++ b/Release_Notes_4.1-beta5.md @@ -14,7 +14,7 @@ These release notes cover changes between ```AppArmor-4.1~beta1 and AppArmor-4.1 # Notes -- This Release contains bug fixes to AppArmor 4.1 beta1, beta2, beta3. +- This Release contains bug fixes to AppArmor 4.1 beta4 - This release includes new CI E2E testing via the spread frame work. A big thanks to Zygmunt Krynicki for all his work on improving the testing. ## Known issues 
@@ -38,112 +38,41 @@ This beta release is only available through gitlab ### gitlab -- https://gitlab.com/apparmor/apparmor/-/releases/4.1.0-beta4 +- https://gitlab.com/apparmor/apparmor/-/releases/4.1.0-beta5 # Changes in this Release -## Misc - -- apparmor.vim - - add missing units for rlimit cpu and rttime ([MR:1336](https://gitlab.com/apparmor/apparmor/-/merge_requests/1336)) -- aa-remove-unknown - - fix readability check ([MR:1438](https://gitlab.com/apparmor/apparmor/-/merge_requests/1438), [HUBMR:285915](https://github.com/NixOS/nixpkgs/pull/285915), [HUB:273164](https://github.com/NixOS/nixpkgs/issues/273164)) -- aa-status - - fix json generation ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470)) -- replace uses of `which` for `command -v` for POSIX compatibility and to fix running the test suite on openSUSE Tumbleweed ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) -- fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) - - -# Bug Fixes - -- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306)) -- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309)) -- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307)) -- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427)) -- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), 
[AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429)) -- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430)) -- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435)) -- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436)) -- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452)) -- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452)) -- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399)) -- fix compiler warnings in fd_inheritance.c and pivot_root.c of the regression test suite ([MR:1407](https://gitlab.com/apparmor/apparmor/-/merge_requests/1407)) -- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461)) -- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462)) -- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461)) -- fix equality tests for priority ([MR:1455](https://gitlab.com/apparmor/apparmor/-/merge_requests/1455)) -- 
fix awk not being found on openSuse 15.6 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) -- fix json generation on aa-status ([MR:1451](https://gitlab.com/apparmor/apparmor/-/merge_requests/1451), [AABUG:470](https://gitlab.com/apparmor/apparmor/-/issues/470)) -- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) - -## Libraries -- bug fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461)) -- fix af_protos.h generation so it's consistent between different architectures ([MR:1309](https://gitlab.com/apparmor/apparmor/-/merge_requests/1309)) -- fix ABI break for aa_log_record ([MR:1345](https://gitlab.com/apparmor/apparmor/-/merge_requests/1345), [LP:2083435](https://bugs.launchpad.net/bugs/2083435)) -- Improvements to the SWIG bindings (https://gitlab.com/apparmor/apparmor/-/merge_requests/1338, https://gitlab.com/apparmor/apparmor/-/merge_requests/1342, [AABUG:439](https://gitlab.com/apparmor/apparmor/-/issues/439), https://gitlab.com/apparmor/apparmor/-/merge_requests/1352, https://gitlab.com/apparmor/apparmor/-/merge_requests/1337, https://gitlab.com/apparmor/apparmor/-/merge_requests/1334) -- fixes to the SWIG bindings for SWIG 4.3 and later ([AABUG:475](https://gitlab.com/apparmor/apparmor/-/issues/475), [MR:1504](https://gitlab.com/apparmor/apparmor/-/merge_requests/1504)) - -## policy compiler (aka apparmor_parser) -- add port range support on network policy ([MR:1321](https://gitlab.com/apparmor/apparmor/-/merge_requests/1321)) -- fix mapping of AA_CONT_MATCH for policydb compat entries ([MR:1409](https://gitlab.com/apparmor/apparmor/-/merge_requests/1409), [AABUG:462](https://gitlab.com/apparmor/apparmor/-/issues/462)) -- improve profile build and dump info - - add the abilitiy to dump the permissions table 
([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410)) - - add the accept2 table entry to the chfa dump ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410)) - - fix and cleanup libapparmor_re/Makefile ([MR:1410](https://gitlab.com/apparmor/apparmor/-/merge_requests/1410)) -- restore MatchFlag dump from being hex encoded to decimal ([MR:1419](https://gitlab.com/apparmor/apparmor/-/merge_requests/1419)) -- fix make setup when bison is not installed by quoting BISON_MAJOR ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) -- replace uses of MS_SYNC by MS_SYNCHRONOUS in mount flags ([MR:1458](https://gitlab.com/apparmor/apparmor/-/merge_requests/1458)) -- add separator between mount flags in dump_flags ([MR:1465](https://gitlab.com/apparmor/apparmor/-/merge_requests/1465)) -- allow make-* flags with remount operations ([MR:1466](https://gitlab.com/apparmor/apparmor/-/merge_requests/1466), [LP:2091424](https://bugs.launchpad.net/bugs/2091424)) -- convert uint to unsigned int ([MR:1478](https://gitlab.com/apparmor/apparmor/-/merge_requests/1478)) -- fix rule priority destroying rule permissions for io_uring and userns classes ([MR:1307](https://gitlab.com/apparmor/apparmor/-/merge_requests/1307)) -- fix integer overflow bug in rule priority comparisons ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452)) -- fix minimization check for filtering deny ([MR:1396](https://gitlab.com/apparmor/apparmor/-/merge_requests/1396), [AABUG:452](https://gitlab.com/apparmor/apparmor/-/issues/452)) -- fix memory leak in aare_rules UniquePermsCache ([MR:1399](https://gitlab.com/apparmor/apparmor/-/merge_requests/1399)) -- fix do not change auditing information when applying deny ([MR:1408](https://gitlab.com/apparmor/apparmor/-/merge_requests/1408), [AABUG:461](https://gitlab.com/apparmor/apparmor/-/issues/461)) -- fix priority so it is handled on a 
per permission basis ([MR:1522](https://gitlab.com/apparmor/apparmor/-/merge_requests/1522)) +# Build & Infrastructure +- utils + - allow install locations to be overridden in Makefile ([MR:1542](https://gitlab.com/apparmor/apparmor/-/merge_requests/1542)) + - aa-notify + - fix package build install of polkit files ([MR:1540](https://gitlab.com/apparmor/apparmor/-/merge_requests/1540), [AABUG:486](https://gitlab.com/apparmor/apparmor/-/issues/486)) +- libapparmor + - build fixes for 32-bit systems and older systems ([MR:1536](https://gitlab.com/apparmor/apparmor/-/merge_requests/1536)) ## Utils +- aa-genprof + - fix failure on lxd with OSError: Read-only file system ([MR:1539](https://gitlab.com/apparmor/apparmor/-/merge_requests/1539)) +- aa-notify + - rename polkit files and template info from com.ubuntu ([MR:1540](https://gitlab.com/apparmor/apparmor/-/merge_requests/1540), [MR:1541](https://gitlab.com/apparmor/apparmor/-/merge_requests/1541), [AABUG:486](https://gitlab.com/apparmor/apparmor/-/issues/486)) + - aa-notify: make ttkthemes conditional - extracted and backported from [MR:](https://gitlab.com/apparmor/apparmor/-/merge_requests/1324) -- fix creation of path `/usr/share/polkit-1/actions/` in python tools setup to create intermediary directories ([MR:1306](https://gitlab.com/apparmor/apparmor/-/merge_requests/1306)) -- improve UX when allowing rules in aa-notify and update the man page ([MR:1313](https://gitlab.com/apparmor/apparmor/-/merge_requests/1313)) -- store the child profile/hat name if we are in a child profile or hat instead of the main profile ([MR:1359](https://gitlab.com/apparmor/apparmor/-/merge_requests/1359)) -- aa-mergeprof: prevent backtrace if file not found ([MR:1403](https://gitlab.com/apparmor/apparmor/-/merge_requests/1403)) -- Remove match statements in utils for older Python compatibility ([MR:1440](https://gitlab.com/apparmor/apparmor/-/merge_requests/1440)) -- fixes/workarounds for python 3.13 missing cgitb 
([MR:1439](https://gitlab.com/apparmor/apparmor/-/merge_requests/1439), [AABUG:447](https://gitlab.com/apparmor/apparmor/-/issues/447)) -- fix E502 error on Python 3.11 ([MR:1431](https://gitlab.com/apparmor/apparmor/-/merge_requests/1431)) -- limit buildpath.py setuptools version check to the relevant bits ([MR:1460](https://gitlab.com/apparmor/apparmor/-/merge_requests/1460)) -- fix tools to ignore peer when parsing logs for non-peer access modes ([MR:1314](https://gitlab.com/apparmor/apparmor/-/merge_requests/1314), [AABUG:427](https://gitlab.com/apparmor/apparmor/-/issues/427)) -- fix exception when replacing `owner file,` rules by `file,` by suggesting `mrwlkix` instead ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:429](https://gitlab.com/apparmor/apparmor/-/issues/429)) -- fix wrong order of the owner keyword when cleaning file rules ([MR:1320](https://gitlab.com/apparmor/apparmor/-/merge_requests/1320), [AABUG:430](https://gitlab.com/apparmor/apparmor/-/issues/430)) -- fix thrown TypeError exception when passing binary logs to the tools ([MR:1354](https://gitlab.com/apparmor/apparmor/-/merge_requests/1354), [AABUG:436](https://gitlab.com/apparmor/apparmor/-/issues/436)) -- look for 'file' class when parsing logs ([AABUG:478](https://gitlab.com/apparmor/apparmor/-/issues/478), [MR:1507](https://gitlab.com/apparmor/apparmor/-/merge_requests/1507)) ## Policy #### abstractions +- tunables + - add letter, alphanumeric character, int, hex and words variables ([MR:1546](https://gitlab.com/apparmor/apparmor/-/merge_requests/1546), [MR:1544](https://gitlab.com/apparmor/apparmor/-/merge_requests/1544)) +- new devices-usb & devices-usb-read ([MR:1545](https://gitlab.com/apparmor/apparmor/-/merge_requests/1545)) -- dconf - - use @{etc_ro} instead of `/etc/... 
r,` ([MR:1402](https://gitlab.com/apparmor/apparmor/-/merge_requests/1402)) - - allow write access to /run/user/*/dconf/user ([MR:1471](https://gitlab.com/apparmor/apparmor/-/merge_requests/1471)) -- mesa - - allow ~/.cache/mesa_shader_cache_db/ ([MR:1333](https://gitlab.com/apparmor/apparmor/-/merge_requests/1333), [LP:2081692](https://bugs.launchpad.net/bugs/2081692)) -- nameservice - * support name resolution via libnss-libvirt ([MR:1362](https://gitlab.com/apparmor/apparmor/-/merge_requests/1362)) - * include abstractions/nameservice-strict ([MR:1373](https://gitlab.com/apparmor/apparmor/-/merge_requests/1373)) - * tighten libnss_libvirt file access ([MR:1379](https://gitlab.com/apparmor/apparmor/-/merge_requests/1379)) -- nameservice-strict - - add more strict version of abstractions/nameservice -- php - - add support for ArchLinux php-legacy package to php-fpm ([MR:1401](https://gitlab.com/apparmor/apparmor/-/merge_requests/1401), [AABUG:454](https://gitlab.com/apparmor/apparmor/-/issues/454)) -- python - - allow python cache under @{HOME}/.cache/ ([MR:1467](https://gitlab.com/apparmor/apparmor/-/merge_requests/1467)) #### profiles -- php-fpm: +- unshare + - fix non-user-namespace-related sandbox bypass in unshare profile ([MR:1533](https://gitlab.com/apparmor/apparmor/-/merge_requests/1533)) + ## Tests - CI/CD spread tests @@ -151,4 +80,6 @@ This beta release is only available through gitlab - mark fixed regression tests ([MR:1547](https://gitlab.com/apparmor/apparmor/-/merge_requests/1547)) ## Documentation +- apparmor.d: document how variable expansion and path sanitization works ([MR:1532](https://gitlab.com/apparmor/apparmor/-/merge_requests/1532)) +
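Review bot: In the first hunk (`# Notes`), the new line says the release contains bug fixes to 4.1 beta4, but the hunk-header context still shows the introductory sentence starting its range at `AppArmor-4.1~beta1`. The changelog is cut down in the next hunk to the changes made since beta4, so check that the "cover changes between" sentence is updated to match, or state that earlier beta changes are listed in the previous release notes. The added line also drops the trailing period that the removed line had, and the unchanged context line after it still reads "frame work" where "framework" is meant.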
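Review bot: In the second hunk, the added aa-notify entry "make ttkthemes conditional - extracted and backported from `[MR:](https://gitlab.com/apparmor/apparmor/-/merge_requests/1324)`" has the link text `MR:` with no number. Every other entry uses the `[MR:NNNN]` form, so this should read `[MR:1324]`. The same line repeats the `aa-notify:` prefix although it is already nested under the `aa-notify` bullet. `+# Build & Infrastructure` is added as a level-1 heading while its siblings (`## Utils`, `## Policy`, `## Tests`) are level 2 under `# Changes in this Release`; using `##` would keep the outline consistent. The unshare entry describes a sandbox bypass fix in a shipped profile; consider also calling it out under `# Notes` so it is not missed among the build fixes.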
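Review bot: In the last hunk, the added Documentation entry pairs a compound subject with a singular verb: "how variable expansion and path sanitization works" should end in "work". The hunk also adds an empty line after the entry (the bare `+`); if that is the end of the file, it can be dropped.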