diff --git a/Kernel_Feature_Matrix.md b/Kernel_Feature_Matrix.md
index 7065b54..23d5767 100644
--- a/Kernel_Feature_Matrix.md
+++ b/Kernel_Feature_Matrix.md
@@ -16,7 +16,7 @@
| 4.11 |
- add /sys/kernel/security/lsm to enable detecting currently in use lsm
- kernel parameters
- remove paranoid load parameter - all policy loads now do full checking
- speedup mediation by use of percpu buffers
- add sysctl /proc/sys/kernel/unprivileged_userns_apparmor_policy to allow disabling user namespaces from loading policy
- add query interface for extended profile key/value data store
- allow profile hashing to be disabled with a kconfing
- policy namespaces
- add namespace view support and restrictions on visibility
- add per namespace policy interface file to directly load policy into a namespace
- policy/namespaces/NAMESPACE/.load
- policy/namespaces/NAMESPACE/.replace
- policy/namespaces/NAMESPACE/.remove
- allow introspecting and checkpoint and restore of loaded profile data via
- policy/profiles/PROFILE/raw_abi
- policy/profiles/PROFILE/raw_data
- policy/profiles/PROFILE/raw_sha1
- on exec dup2 opened files that the task won't have permission to access to a special .null device file
- Complain mode
- support force complain flag
- try to create null profiles using the exec name null-EXECNAME
- feature set
- add features/domain/fix_binfmt_elf_mmap to enable userspace to detect the semantic change caused by 9f834ec18def
- report namespace name in audit messages
- Bug fixes and code cleanups
| |
| 4.12 | - kernel parameters
- Bug fixes and code cleanups
| |
| 4.13 | - add v7 abi
- speedup path lookups with preallocated buffers
- revalidate files at exec transition time
- fine grained ptrace mediation
- domain bounding through profile stacking
- profile stacking api
- extended change_profile to support profile stacking
- support profile stacks in exec transitions
- apparmorfs interface
- apparmorfs policy virtualization
- the policy/ entry is now a special symlink to a virtualized policy directory
- policy/ directory is now virtualized based on opening task confinement so tasks can only see the subset of policy in their view
- add namespace level rawdata files
- unique profile based rawdata files for each namespace in policy/raw_data/
- profile raw_data files are now a symlink to the appropriate policy/raw_data/ files.
- mkdir/rmdir fs based interface for creating namespaces
- mkdir policy/namespaces/NAMESPACE
- rmdir policy/namespaces/NAMESPACE
- revision file interface
- read current policy revision and select/poll for when policy changes via
- revision for reading the current task's policy namespace revision
- policy/revision for the current namespace revision
- policy/namespaces/NAMESPACE/revision for a given namespace policy revision
- query interface
- support multiple queries per query transaction
- support querying if a profile supports a given mediation type
- features set
- add namespace support to available feature set
- add label data query availability to feature set
- Bug fixes and code cleanups
| |
-| 4.14 | - mount mediation1
- new mount
- remount
- bind mount
- change type
- umount
- pivot_root
- signal mediation
- policy unpack log extended error messages
- Bug fixes and code cleanups
| ```1``` AppArmor 2.8 |
+| 4.14 | - mount mediation1
- new mount
- remount
- bind mount
- change type
- umount
- pivot_root
- signal mediation2
- policy unpack log extended error messages
- Bug fixes and code cleanups
| ```1``` AppArmor 2.8
```2``` AppArmor 2.9 |
| 4.15 - 4.16 | Bug fixes and code cleanups| |
| 4.17 | - v8 abi1
- generic socket mediation1
- improved profile attachment logic
- handle overlapping expression resolution up to 8 characters dynamic overlap in kernel2
- xattr attachment conditional1
- no_new_privs improved attachment with subset test based on confinement at time no_new_privs was entered3
- signal mediation of profile stacks4
- Bug fixes and code cleanups
| ```1``` AppArmor 3.0
```2``` Any userspace that supports attachment conditionasl 2.5+
```3``` no userspace requirements, reduces cases where nnp prevents a transition
```4```Same userspace as regular signal mediation AppArmor 2.9 |
| 4.18 | - add support for secids and using secctxes
- the ability to get a task's secid
- add support for audit rules filtering. AppArmor task label can be used in audit rule filters
- Bug fixes and code cleanups
| No apparmor userspace requirements. |
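Review bot: In the rewritten 4.14 row, "policy unpack log extended error messages" is still the only feature line without a footnote marker, so after this change the row states a userspace requirement for mount mediation (1) and signal mediation (2) but leaves that one unstated. The 4.17 and 4.18 rows spell this case out ("no userspace requirements", "No apparmor userspace requirements."), so I would add a marker 3 with the same wording, or a note that unmarked items need no userspace support. The new footnote "AppArmor 2.9" is consistent with footnote 4 of the 4.17 row ("Same userspace as regular signal mediation AppArmor 2.9"), but it does not say whether 2.9 is a minimum, whereas the 4.17 row writes "2.5+" for that; using one form for both would remove the ambiguity. Since the table is being edited anyway, the context lines in the 4.17 row have a typo ("conditionasl") and a missing space after the marker 4 that could be fixed in the same patch.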