From cc9737eb9d80af9f1cc2690c162c6a4a5ab99356 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Mon, 6 Nov 2017 20:41:48 -0800 Subject: [PATCH] AppArmor_versions: initial markdown conversion --- AppArmor_versions.md | 431 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 431 insertions(+) create mode 100644 AppArmor_versions.md diff --git a/AppArmor_versions.md b/AppArmor_versions.md new file mode 100644 index 0000000..534096b --- /dev/null +++ b/AppArmor_versions.md 
@@ -0,0 +1,431 @@ +Kernel vs. Userspace versions +============================= + +The released versions documented below are for the AppArmor userspace +utils. The apparmor kernel module does not track versions the same way +as it primarily track Linux kernel releases. In general the apparmor +kernel module tries to support old versions of the apparmor userspace +(at this time versions 2.1 - 2.10), and the apparmor userspace supports +the current and previous releases of the kernel. + +For new features to be supported, a version of the userspace utils +and a kernel that supports the feature are required. If the apparmor +userspace utils are too old they will fail to recognize the feature +and policy compilation will fail. If the kernel version is to old +either the apparmor utils will compile the policy to what is supported +by the kernel, thus dropping the unsupported feature, or the kernel +will ignore the unsupported feature, or the kernel will reject the +policy load if it is for an abi it does not support. + +AppArmor kernel module versions +=============================== + +There kernel module breaks down into several development epochs. + +- Pre LSM kernel patch. Not upstreamed and lost long ago. +- apparmor 2.0: LSM rewrite. +- apparmor 2.1: dfa & and invasive VFS hooks patch +- apparmor 2.5: creds & LSM path hooks rewrite +- apparmor 3: labeling - a development series that was a precursor to type splitting. Carried by Ubuntu but never upstreamed +- apparmor 3.5 - 3.6: stacking which exposes compound task labeling to user interfaces. Carried by Ubuntu but never upstreamed +- apparmor 4: labeling upstreamed +- apparmor 4.5: typesplitting +- apparmor 5: Delegation + +The 2.x series reworked the backend several times but kept the same +basic profile model. + +The 3.x series transitioned to using a labeling model based on DTE that +allowed for more than one profile to be stored in a label associated +with a subject or object. 
+ +The 4.x series finished the transition to a DTE type splitting model, +which is a finer grained evolution of the labeling in the 3.x series. + +Released Versions of AppArmor Userspace Utils +============================================= + +[AppArmor 4.0](ReleaseNotes_4_0) +------------------------------------------- + +- Release Date: 2017-10-08 +- Shipped in: Debian ?, Ubuntu ?, Suse ? +- Kernels supported: 4.13 and upwards +- [Release Notes](ReleaseNotes_4_0) +- Development target: improved userspace libraries, new policy models leveraging stacking and namespaces, new upstream kernel module + +[AppArmor 2.12](ReleaseNotes_2_12) +--------------------------------------------- + +- Release Date: 2017-??-?? +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_12) +- Development target: Bug fixes, policy improvements, new feature support + +[AppArmor 2.11.1](ReleaseNotes_2_11_1) +------------------------------------------------- + +- Release Date: 2017-10-19 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_11_1) +- Development target: Bug fixes and policy improvements for AppArmor 2.11 + +[AppArmor 2.11](ReleaseNotes_2_11) +--------------------------------------------- + +- Release Date: 2017-01-08 +- Shipped in: Debian ?, Ubuntu 17.04, Suse ? 
+- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_11) +- Development target: support basic policy stacking, and lxc when combined with development kernel + +[AppArmor 2.10.3](ReleaseNotes_2_10_3) +------------------------------------------------- + +- Release Date: 2017-10-19 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_10_3) +- Development target: bug fix release for 2.10.2 + +[AppArmor 2.10.2](ReleaseNotes_2_10_2) +------------------------------------------------- + +- Release Date: 2017-01-08 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_10_2) +- Development target: bug fix release for 2.10.1 + +AppArmor 2.10.1 +--------------- + +- Release Date: 2016-04-20 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_10_1) +- Development target: bug fix release for 2.10 + +AppArmor 2.10 +------------- + +- Release Date: 2015-07-14 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_10) +- Development target: libapparmor apis for managing and working with cache loading of apparmor policy into the kernel + +[AppArmor 2.9.5](ReleaseNotes_2_9_5) +----------------------------------------------- + +- Release Date: 2017-10-18 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_9_5) +- Development target: bug fix only release over 2.9.4 + +[AppArmor 2.9.4](ReleaseNotes_2_9_4) +----------------------------------------------- + +- Release Date: 2017-01-08 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_9_4) +- Development target: bug fix only release over 2.9.3 + +AppArmor 2.9.3 +-------------- + +- Release Date: 2016-04-15 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_9_3) +- Development target: bug fix only release over 2.9.2 + +AppArmor 2.9.2 +-------------- + +- Release Date: 2015-04-23 +- 
Shipped in: Ubuntu 15.04 +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_9_2) +- Development target: bug fix only release over 2.9.1 + +AppArmor 2.9.1 +-------------- + +- Release Date: 2014-12-15 +- Shipped in: Ubuntu 14.10 +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_9_1) +- Development target: bug fix only release over 2.9.0 + +AppArmor 2.9.0 +-------------- + +- Release Date: 2014-10-17 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_9_0) +- Development target: support dbus, unix abstract sockets, ptrace mediation, new python tools + +AppArmor 2.8.5 +-------------- + +- Release Date: 2017-10-18 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_8_5) +- Development target: bug fix only release over 2.8.4, add policy updates + +AppArmor 2.8.4 +-------------- + +- Release Date: 2014-10-13 +- Shipped in: +- Kernels supported: 3.3 and upwards +- [Release Notes](ReleaseNotes_2_8_4) +- Development target: bug fix only release over 2.8.3, add mod\_apparmor regression + +AppArmor 2.8.3 +-------------- + +- Release Date: 2014-02-16 +- Shipped in: +- Kernels supported: 3.3 through 3.6 +- [Features and Release Notes](ReleaseNotes_2_8_3) +- Development target: bug fix only release over 2.8.2, new apparmor\_parser --create-cache-dir command line option + +AppArmor 2.8.2 +-------------- + +- Release Date: 2013-08-16 +- Shipped in: +- Kernels supported: 3.3 through 3.6 +- [Features and Release Notes](ReleaseNotes_2_8_2) +- Development target: bug fix only release over 2.8.1 + +AppArmor 2.8.1 +-------------- + +- Release Date: 2013-01-09 +- Shipped in: +- Kernels supported: 3.3 through 3.6 +- [Features and Release Notes](ReleaseNotes_2_8_1) +- Development target: bug fix only release over 2.8.0 + +AppArmor 2.8.0 +-------------- + +- Release Date: 2012-05-31 +- Shipped in: Ubuntu 12.10, openSUSE 12.2 +- Kernels supported: 3.3, 3.4 +- [Features and Release 
Notes](ReleaseNotes_2_8) +- Development target: incremental improvement over AppArmor 2.7.x, with more code cleanups and bug fixes to the userspace tools. Mount rules, and the start of a new introspection interface in the kernel. + +AppArmor 2.7.2 +-------------- + +- Release Date: 2012-01-31 +- Shipped in: Ubuntu 11.10 (Oneiric Ocelot) +- Kernels supported: 2.6.35 2.6.36 2.6.37 2.6.38 2.6.39 3.0 3.1 3.2 +- [Features and Release Notes](ReleaseNotes_2_7_1) +- Development target - Bug Fix release to 2.7.0 + +AppArmor 2.7.1 +-------------- + +- Not released due to a problem with the generated tarball, superceded by 2.7.2 + +AppArmor 2.7.0 +-------------- + +- Release Date: 2011-12-15 +- Shipped in: Ubuntu 11.10 (Oneiric Ocelot) +- Kernels supported: 2.6.35 2.6.36 2.6.37 2.6.38 2.6.39 3.0 3.1 3.2 +- [Features and Release Notes](ReleaseNotes_2_7) +- Development target - this is an incremental improvement over AppArmor 2.6.x, with more code cleanups and bug fixes to the userspace tools. + +AppArmor 2.6.1 +-------------- + +- Release Date: Mar 24, 2011 +- Shipped in: Ubuntu 11.04 (Natty Narwhal) +- Kernels supported: 2.6.31 (patched), 2.6.32 (patched), 2.6.33 - 2.6.38 +- [Release Notes](ReleaseNotes_2_6_1) +- Development target: this is a bug fix release of AppArmor 2.6 with bug fixes and minor improvements to userspace. + +AppArmor 2.6.0 +-------------- + +- Release Date: Feb 24. 2011 +- Shipped in: Ubuntu 11.04 (Natty Narwhal) +- Kernels supported: 2.6.31 (patched), 2.6.32 (patched), 2.6.33 - 2.6.38 +- [Features and Release Notes](ReleaseNotes_2_6_0) +- Development target: this is an incremental improvement over AppArmor 2.5.x, with some more invasive cleanups to the userspace tools. 
+ +AppArmor 2.5.2 +-------------- + +- Release Date: Mar 7, 2011 +- Shipped in: +- Kernels supported: 2.6.31 (patched), 2.6.32 (patched), 2.6.33 - 2.6.38 +- [Release Notes](ReleaseNotes_2_5_2) +- Development target: this is a bug fix release of AppArmor 2.5 with Kernel module upstreaming changes, bug fixes and minor improvements to userspace. + +AppArmor 2.5.1 +-------------- + +- Release Date: Sep 21, 2010 +- Shipped in: Ubuntu 10.10 (Maverick Meerkat) +- Kernels supported: 2.6.31 (patched), 2.6.32 (patched), 2.6.33 - 2.6.37 +- [Release Notes](ReleaseNotes_2_5_1) +- Development target - this is a bug fix release of AppArmor 2.5 with Kernel module upstreaming changes, bug fixes and minor improvements to userspace + +AppArmor 2.5 +------------ + +- Release Date: May 1, 2010 +- Shipped in: Ubuntu 10.04 (Lucid Lynx) +- Kernels supported: 2.6.31 (patched), 2.6.32 (patched), 2.6.33 +- [Features and Release Notes](ReleaseNotes_2_5) +- Development target - this will be a slightly updated version of AppArmor 2.4 with Kernel module upstreaming changes, bug fixes and improvements in the parser dfa generation + +AppArmor 2.4 +------------ + +- Release Date: Feb 1, 2010 (generic tarballs made available) +- Shipped in: opensuse 11.2, Ubuntu 9.10 (Karmic Koala) +- Kernels supported: 2.6.31, 2.6.32 +- [Features and Release Notes](ReleaseNotes_2_4) + +In this version of AppArmor development of new features was largely halted and the kernel module was rewritten to use the new path\_permission hooks provided by the LSM. This necessitated some changes to user space as well and some features were lost. + +- Features added + - Profile names can now contain regular expressions allowing all profile to match against multiple binaries. 
+ - pux profile transitions so that x transitions can fall back to unconfined if a profile is not present + - Better support of profile namespaces +- Features lost + - The ability for an unconfined process to arbitrarily set a tasks profile + - chmod, chown mediation + - xattr mediation + +AppArmor 2.3.1 +-------------- + +- Release Date: +- Shipped in: opensuse 11.1, SLES11, Ubuntu 9.04 (Jaunty Jackalope) +- kernels supported: 2.6.27 2.6.28 +- [Features and Release Notes](ReleaseNotes_2_3_1) + +AppArmor 2.3 +------------ + +- Release Date: June 2008 +- Shipped in: openSUSE 11.0, opensuse 11.1, Ubuntu 8.04 (Hardy Haron), Ubuntu 8.10 (Intrepid Ibex) +- kernels supported: 2.6.24, 2.6.25 +- [Features and Release Notes](http://developer.novell.com/wiki/index.php/Apparmor_2_3) + +AppArmor 2.3 builds incrementally one the AppArmor 2.1 release. The main thrust of its development was extending the profile and file rule features. + +AppArmor 2.2 +------------ + +AppArmor 2.2 was purposely skipped due to versioning conflicts in +the newer version of libapparmor in AppArmor 2.1, which for reasons +unknown was given a version of 2.2 instead of 2.1.x + +AppArmor 2.1+ (Deprecated) +-------------------------- + +- Release Date: + - 2.1+ +- Shipped in: Ubuntu 8.04 (Hardy Heron) +- kernels supported: 2.6.24 +- [AppArmor 2.1+ Features and Release Notes](http://developer.novell.com/wiki/index.php/Apparmor/Ubuntu8.04) + +AppArmor 2.1+ is based on 2.1.1 plus some of the development for +2.3. Specifically it contains kernel and parser support for profile +namespaces, link pairs, and file rules conditional upon user. The +tools however do not support any of these features so they are of +limited use. 
+ +AppArmor 2.1 SLES10SP2 release (Deprecated) +------------------------------------------- + +- Release Date: + - 2.1 SP2: +- Shipped in: SLES10 SP2 +- kernels supported: 2.6.16 +- [Features and Release Notes](http://developer.novell.com/wiki/index.php/Apparmor/SLES10_SP2) + +This is a back port of AppArmor 2.1 to SLES10SP2. It has the 2.1 +feature set + a modified apparmor\_parser capable of loading both older +2.0/2.0.1 (pcre based) policy and the newer 2.1 (dfa based) policy. + +AppArmor 2.1 (Deprecated) +------------------------- + +- Release Date: September 2007 + - 2.1.1 - bug fix for 2.1 + - 2.1.2 - bug fix for 2.1.1 +- Shipped in: openSUSE 10.3, Mandrivia ??? +- kernels supported: 2.6.23, 2.6.24 +- [Features and Release Notes](http://developer.novell.com/wiki/index.php/Apparmor_2_1) + +AppArmor 2.0.1 (Deprecated) +--------------------------- + +- shipped in: sles9, opensuse 10.1?, Ubuntu 7.10 (Gutsy Gibbon) + +AppArmor 2.0 (Deprecated) +------------------------- + +AppArmor versions prior to 2.0 exist only in the linux distro Immunix +and are not covered here. + +Versions of AppArmor under Development +====================================== + +AppArmor 2.11.0 (In development) +-------------------------------- + +- Release Date: target 2016.05.01 +- Release Manager: sbeattie +- Shipped in: +- Kernels supported: +- Development target: profile stacking +- Status: preparing for release, 2.10.95 (Beta 1) released + +AppArmor 2.10.1 (In development) +-------------------------------- + +- Release Date: target 2016.05.01 +- Release Manager: sbeattie +- Shipped in: +- Kernels supported: +- Development target: bug fix release for 2.10 + +AppArmor 3.0 +------------ + +- Futuristic roadmap version of apparmor (ie. where we would like to be now but it won't happen for a few years). 
+- updated applet +- kde based applet +- updated audit dbus dispatcher +- updated tools +- profile layout and installation improvements +- improvements to the profile repository + + + +- extended owner permissions +- mount rules +- ptrace rules +- signal mediation +- bind based network rules +- ... + +The final feature list will be determined closer to the release date.
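Review bot: The "Versions of AppArmor under Development" section at the end of the new file is carried over stale and contradicts the released list above it. It still has "AppArmor 2.11.0 (In development)" and "AppArmor 2.10.1 (In development)", both with "Release Date: target 2016.05.01", while the same file records 2.11 as released 2017-01-08 and 2.10.1 as released 2016-04-20. Suggest dropping those two entries in this commit or a follow-up, or stating in the commit message that the conversion is deliberately verbatim so the stale content is known. The "AppArmor 3.0" roadmap has the same issue: it lists "mount rules" and "ptrace rules" as future work although the 2.8.0 and 2.9.0 entries give mount rules and ptrace mediation as development targets of those releases. The run of empty "+" lines between "improvements to the profile repository" and "extended owner permissions" also splits that bullet list in two when rendered; if the split is meant to separate two groups, each group needs a label. Smaller points in the same hunk: the intro says the kernel module supports userspace "versions 2.1 - 2.10" although 2.11, 2.12 and 4.0 are listed below; the 2.7.2 entry links to ReleaseNotes_2_7_1, which is worth confirming as intended since 2.7.1 is described as not released; the headings for 4.0 through 2.10.2 and for 2.9.5 and 2.9.4 are links, while 2.10.1, 2.10 and everything from 2.9.3 down are plain text; and these typos could be fixed during the conversion: "it primarily track", "There kernel module", "dfa & and invasive", "to old", "Hardy Haron", "one the AppArmor 2.1 release", "superceded".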