mirror of https://gitlab.com/apparmor/apparmor (synced 2025-08-30 05:47:59 +00:00)
Create Release_Notes_4.1.0
parent 6879773a51
commit 5cdc99b4c0
156
Release_Notes_4.1.0.md
Normal file
@ -0,0 +1,156 @@
AppArmor 4.1 was released 2025-03-08.

# Introduction

AppArmor 4.1 is a major new release of the AppArmor user space that makes several important changes to policy development and support. Its focus is transitioning policy to the new policy features.

Apprmor 4.1 is a stable release for the newer AppArmor 4 style policy which introduces several new features that are not backwards compatible. As such AppArmor 4.0 will be a long term support release.

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied). And supports features released in the 4.20 kernel.

Note: that while older kernels are supported, not all features available in AppArmor 4.1 policy can be enforced on older kernels.

The kernel portion of the project is maintained and pushed separately.

# Highlighted new features

-


# Important Notes

- gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
  - libapparmor `autogen.sh` is already done, meaning distros only need to use ./configure in their build setup
  - the docs for everything but libapparmor have already been built
- Potentially breaking changes:


# Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad. Important note: the gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

- libapparmor `autogen.sh` is already done, meaning distros only need to use ./configure in their build setup
- the docs for everything but libapparmor have already been built

### gitlab release

- https://gitlab.com/apparmor/apparmor/-/releases/v4.1.0

### Launchpad Tarball

- https://launchpad.net/apparmor/4.1/4.1/+download/apparmor-4.1.0.tar.gz
- sha256sum: ???
- signature: https://launchpad.net/apparmor/4.1/4.1/+download/apparmor-4.1.0.tar.gz.asc

# Changes since [AppArmor 4.0???](https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1-beta6)

## policy compiler (aka apparmor_parser)


## Policy

#### profiles


#### unconfined profiles

- new

## Documentation


## Regression Tests


# Changes in this Release

These release notes cover all changes between 4.0??? ( ???) and 4.1.0 ( ??? ) [apparmor-4.1 branch](https://gitlab.com/apparmor/apparmor/tree/apparmor-4.1).

## General improvements

New Profile Flags

???

New Mediation rules


## Policy Compiler (a.k.a apparmor_parser)


## Library


## Utils


## Policy

#### abstractions

#### profiles



#### unconfined profiles


## Documentation



## Translations

- sync translation from launchpad

## Infrastructure


## Tests

### regression tests


### tools tests


## Feature Matrix


??????

The feature matrix provides an overview of which features/changes are supported on which release and or kernel.

| Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
|:-------:|:----------------:|:----------:|:------------------:|:------------------------:|:-----------------------:|
| [unconfined flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [debug flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [prompt flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [audit.mode flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [kill.signal flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [attach_disconnected.path flag](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#namespace-controls) | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [default_allow](https://gitlab.com/apparmor/apparmor/-/wikis/profileflags#profile-modes) | Y | Y <sup>1</sup> | N | N | N |
| all rule | Y | Y <sup>1</sup> | N | N | N |
| userns | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| rootless apparmor_parser | N | N | n/a | N | N |
| improved -O rule-merge | N | N | n/a | N | N |
| aa-status filters | N | N | n/a | N | N |
| aa-load | N | N | n/a | Y | N |
| io_uring | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| port level network <sup>12</sup> | Y | Y <sup>1</sup> | N | N | Y <sup>2</sup> |
| [unconfined ns restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
| [unconfined change_profile stacking](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction) | N | Y <sup>8</sup> | n/a | N | Y |
| [unconfined io_uring restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined_restriction) | N | Y <sup>8</sup> | n/a | N | Y |

1. If present in policy will cause previous versions of AppArmor to fail
2. Requires kernel support, policy can be downgraded to work on kernels that do not support.
3. Previous versions of AppArmor may not fail but will not behave correctly
4. Feature can be functionally provided by may not be exactly the same
5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail
6. Will break older policy if variable is not defined. Variable can be manually defined in older parser.
7. AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
8. These features if enabled will change unconfined's behavior but can be disabled with either a grub kernel boot parameter or sysctl depending on the kernel.
9. Does not allow any new rules but allows overlapping exec rules that would have been previously rejected.
10. If overlapping rules not supported by 3.x are used policy will break on 3.x and older environments
11. Tools will work but may not deal with overlapping rules correctly in some cases
12. Experimental
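Review bot: the Launchpad Tarball entry publishes a download URL and a `.asc` signature link but leaves `- sha256sum: ???` unfilled; before this page is published, fill in the checksum of the signed apparmor-4.1.0.tar.gz and name the key the `.asc` signature is expected to verify against, otherwise a reader has no way to check the tarball and the signature line is not actionable. Several other placeholders remain in the same file: the "Changes since [AppArmor 4.0???]" heading links to the Release_Notes_4.1-beta6 wiki page rather than a 4.0 page, "These release notes cover all changes between 4.0??? ( ???) and 4.1.0 ( ??? )" has both the version and both dates missing, "New Profile Flags" is followed by a bare `???`, and the Feature Matrix section opens with `??????`. "Highlighted new features" contains only an empty `-` bullet and "Potentially breaking changes:" has no items, so either fill those in or drop the headings until they have content.

Two smaller points. The tarball processing note (libapparmor `autogen.sh` already done, docs prebuilt) appears verbatim under both "Important Notes" and "Obtaining the Release"; keep it in one place and point at it from the other. "Apprmor 4.1 is a stable release" is a typo for "AppArmor". In the feature matrix, footnotes 3, 4, 5, 6, 7, 9, 10 and 11 are defined but no row references them (only 1, 2, 8 and 12 are used), so either remove them or attach them to the rows they describe; the "port level network <sup>12</sup>" (Experimental) marker sits in the Feature column rather than in a status column like the other markers. Finally, the introduction says the userspace "supports features released in the 4.20 kernel" while the matrix lists userns, io_uring, the prompt flag and port level network as requiring kernel support; double-check that kernel version against the release those features actually landed in.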