diff --git a/Kernel_Feature_Matrix.md b/Kernel_Feature_Matrix.md
index f6cbae0..7599e42 100644
--- a/Kernel_Feature_Matrix.md
+++ b/Kernel_Feature_Matrix.md
@@ -13,7 +13,7 @@
| 3.13 - 4.7 | Bug fixes and code cleanups | |
| 4.8 | - allow CAP_SYS_RESOURCE to prlimit another task
- add kernel parameter and kconfig to allow controlling if profile hashing is used
- Bug fixes and code cleanups
| |
| 4.9 - 4.10 | Bug fixes and code cleanups | |
-| 4.11 | - add /sys/kernel/security/lsm to enable detecting currently in use lsm
- kernel parameters
- remove paranoid load parameter - all policy loads now do full checking
- speedup mediation by use of percpu buffers
- add sysctl /proc/sys/kernel/unprivileged_userns_apparmor_policy to allow disabling user namespaces from loading policy
- add query interface for extended profile key,value data store1
- allow profile hashing to be disabled with a kconfing
- policy namespaces
- add namespace view support and restrictions on visibility
- add per namespace policy interface file to directly load policy into a namespace
- policy/namespaces/NAMESPACE/.load
- policy/namespaces/NAMESPACE/.replace
- policy/namespaces/NAMESPACE/.remove
- allow introspecting and checkpoint and restore of loaded profile data via
- policy/profiles/PROFILE/raw_abi
- policy/profiles/PROFILE/raw_data
- policy/profiles/PROFILE/raw_sha1
- on exec dup2 opened files that the task won't have permission to access to a special .null device file
- Complain mode
- support force complain flag
- try to create null profiles using the exec name null-EXECNAME
- feature set
- add features/domain/fix_binfmt_elf_mmap to enable userspace to detect the semantic change caused by 9f834ec18def
- report namespace name in audit messages
- Bug fixes and code cleanups
| ```1``` ??? |
+| 4.11 | - add /sys/kernel/security/lsm to enable detecting currently in use lsm
- kernel parameters
- remove paranoid load parameter - all policy loads now do full checking
- speedup mediation by use of percpu buffers
- add sysctl /proc/sys/kernel/unprivileged_userns_apparmor_policy to allow disabling user namespaces from loading policy
- add query interface for extended profile key,value data store1
- allow profile hashing to be disabled with a kconfing2
- policy namespaces
- add namespace view support and restrictions on visibility
- add per namespace policy interface file to directly load policy into a namespace
- policy/namespaces/NAMESPACE/.load
- policy/namespaces/NAMESPACE/.replace
- policy/namespaces/NAMESPACE/.remove
- allow introspecting and checkpoint and restore of loaded profile data via
- policy/profiles/PROFILE/raw_abi
- policy/profiles/PROFILE/raw_data
- policy/profiles/PROFILE/raw_sha1
- on exec dup2 opened files that the task won't have permission to access to a special .null device file3
- Complain mode
- support force complain flag1
- try to create null profiles using the exec name null-EXECNAME
- feature set
- add features/domain/fix_binfmt_elf_mmap to enable userspace to detect the semantic change caused by 9f834ec18def
- report namespace name in audit messages
- Bug fixes and code cleanups
| ```1``` AppArmor 3.0
```2``` Disables kernel profile load dedup to improve initial profile load performance
```3``` Does not change file access permissions, just where the check is done. Can result in mediation that would not occur under the old scheme due to some inherited fds never being accessed.
```4``` gen/logprof support???
|
| 4.12 | - kernel parameters
- Bug fixes and code cleanups
| |
| 4.13 | - add v7 abi1
- speedup path lookups with preallocated buffers
- revalidate files at exec transition time
- fine grained ptrace mediation
- domain bounding through profile stacking1
- profile stacking api
- extended change_profile to support profile stacking
- support profile stacks in exec transitions
- apparmorfs interface
- apparmorfs policy virtualization
- the policy/ entry is now a special symlink to a virtualized policy directory
- policy/ directory is now virtualized based on opening task confinement so tasks can only see the subset of policy in their view
- add namespace level rawdata files
- unique profile based rawdata files for each namespace in policy/raw_data/
- profile raw_data files are now a symlink to the appropriate policy/raw_data/ files.
- mkdir/rmdir fs based interface for creating namespaces
- mkdir policy/namespaces/NAMESPACE
- rmdir policy/namespaces/NAMESPACE
- revision file interface2
- read current policy revision and select/poll for when policy changes via
- revision for reading the current task's policy namespace revision
- policy/revision for the current namespace revision
- policy/namespaces/NAMESPACE/revision for a given namespace policy revision
- query interface
- support multiple queries per query transaction3
- support querying if a profile supports a given mediation type4
- features set
- add namespace support to available feature set
- add label data query availability to feature set
- Bug fixes and code cleanups
| ```1``` AppArmor 2.10
```2``` library interface added to AppArmor 3.0, can be used directly with any version apparmor
```3``` AppArmor 3.0
```4``` AppArmor 3.0???? |
| 4.14 | - mount mediation1
- new mount
- remount
- bind mount
- change type
- umount
- pivot_root
- signal mediation2
- policy unpack log extended error messages
- Bug fixes and code cleanups
| ```1``` AppArmor 2.8
```2``` AppArmor 2.9 |