mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 14:55:10 +00:00
Code Issues Releases Wiki Activity

Update Release_Notes_4.0 alpha2

John Johansen
2023-07-02 03:38:11 +00:00
parent d10b68158f
commit cfecddda82
1 changed files with 110 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
Release_Notes_4.0-alpha2.md

@@ -30,57 +30,116 @@ TODO: before release
- remove parser.conf pin - remove parser.conf pin
- -
wip - not in this alpha, not guaranteed to land in 4.0 wip - not in this alpha, not guaranteed to land in 4.0
- replace unconfined - kernel & userspace
- mount, rename, hardlink restrictions, requires tracking - in policy stream conditionals
- ioctl
- user
- policy
- attachment
- user mediation
- conditionals
- owner
- mac_override (for change_hat, hardlink, mv, bind mount)
- case insensite fs ???
- bpf mediation
- ioctl mediation
- module mediation
- sysv mqueue
- io_uring
- revised af_unix
- fine grained ipv4/ipv6
- ns
- tracking
- pivot root var setting
- setns
- conditionals around what other namespaces being created
- profile flags
- prompt
- unconfined
- per profile audit control flags audit.mode=XXX
- debug
- kill.signal
- attach_disconnected.path
- extended perms
- dfa32
- still need accept2 cond command table
- userspace support for full width of bits and mappings
- kernel bit mapping of userspace so we can do merge
- reduce file table size by conditional on only accept states that are different
- raw text in policy
- compressed cache
- additional restrictions policy guard retsrictions
- change_profile - stack if not policy admin, mac_override
- policy conditional to allow specifying in policy
- link - fail if not mac override
- policy conditional to allow specifying in policy
- rename - fail if not mac override
- policy conditional to allow specifying in policy
- bind - fail if not mac override
- policy conditional to allow specifying in policy
- unconfined
- additional restrictions around link, change_profile, rename, bind
- replace unconfined
- kernel
- per ns control of unmediated
- force mediation on unmediated
- force mediation on complain
- deal with stacked attachment lookup
- optimize stacking name lookup to
- single buffer alloc
- single name lookup
- audit caching
- complain
- improved complain learning
- ioctl interface
- message dedup
- merge file and policy db dfa
- dedup, file and policy code paths
- improve shared code callback
- refcount policydb
- shared dfa, and policydb
- rewrite apparmorfs
- dynamic
- ima support
- userspace
- mount
- per fs mount option matching. ??? does kernel need anything more???
- allow all
- aa_load
- drop root check
- userspace binary dfa
- policy debug
- improved rule prefixes
- allow all
- policy overlays
- extended xindex (part of extended perms)
- boolean ops
- policy hash
- kernel supports conditionals
- improved policy conditionals
- dominance fix
- fs specific mount option matching
- expr simplify optimizations
- policy
- new abi
- remove unconfined from policy
- bpf
- ioctl
- module
- ns tracking
- pivot root var
- deal with stacked attachment lookup
- optimize stacking name lookup to
- single buffer alloc
- single name lookup
- setns
-
- audit control flags audit.mode=XXX
- prompt, kill, unconfined
- kill.signal=XXX
- debug flags
- attach_disconnected.path
- unconfined profile flag
- audit.mode flag control
- allow all
- aa_load
- drop root check
- sysv mqueue
- debug flags
- io_uring
- revised af_unix
- fine grained ipv4/ipv6
- improved rule prefixes
- allow all
- policy overlays
- dfa merge in kernel
-
- extended xindex
- user conditional
- policy
- attachment
- user mediation
- conditionals
- owner
- mac_override (for change_hat, hardlink, mv, bind mount)
- case insensite fs ???
- -
- module mediation
- boolean ops
- raw text in policy
- compressed cache
- policy hash
- kernel supports conditionals
- improved policy conditionals
- dominance fix
- fs specific mount option matching
- -