From f6d2a1f289e655200f4cc7dd6ec610011a36fdba Mon Sep 17 00:00:00 2001
From: John Johansen <john@jjmx.net>
Date: Thu, 9 May 2019 10:41:52 +0000
Subject: [PATCH] Update Kernel_Feature_Matrix

---
 Kernel_Feature_Matrix.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Kernel_Feature_Matrix.md b/Kernel_Feature_Matrix.md
index 7599e42..d1fbebc 100644
--- a/Kernel_Feature_Matrix.md
+++ b/Kernel_Feature_Matrix.md
@@ -15,7 +15,7 @@
 | 4.9 - 4.10     | Bug fixes and code cleanups     |   |
 | 4.11           | <ul><ul><li>add <i>/sys/kernel/security/lsm</i> to enable detecting currently in use lsm</li><li>kernel parameters<ul><li>remove paranoid load parameter - all policy loads now do full checking</li></ul></li><li>speedup mediation by use of percpu buffers</li><li>add sysctl <i>/proc/sys/kernel/unprivileged_userns_apparmor_policy</i> to allow disabling user namespaces from loading policy</li><li>add query interface for extended profile <i>key,value</i> data store<sup>1</sup></ul><li>allow profile hashing to be disabled with a kconfing<sup>2</sup></li><li>policy namespaces<ul><li>add namespace view support and restrictions on visibility</li><li>add per namespace policy interface file to directly load policy into a namespace<ul><li><i>policy/namespaces/NAMESPACE/.load</i></li><li><i>policy/namespaces/NAMESPACE/.replace</i></li><li><i>policy/namespaces/NAMESPACE/.remove</i></li></ul></li></ul></li><li>allow introspecting and checkpoint and restore of loaded profile data via<ul><li><i>policy/profiles/PROFILE/raw_abi</i></li><li><i>policy/profiles/PROFILE/raw_data</i></li><li><i>policy/profiles/PROFILE/raw_sha1</i></li></ul></li><li> on exec dup2 opened files that the task won't have permission to access to a special <i>.null</i> device file<sup>3</sup></li><li>Complain mode<ul><li>support force complain flag<sup>1</sup></li><li>try to create null profiles using the exec name <i>null-EXECNAME</i><sup></sup></ul></li><li>feature set<ul><li> add <i>features/domain/fix_binfmt_elf_mmap</i> to enable userspace to detect the semantic change caused by <i>9f834ec18def</i></li></ul></li><li>report namespace name in audit messages</li><li>Bug fixes and code cleanups</li></ul>        |  ```1``` AppArmor 3.0<br>```2``` Disables kernel profile load dedup to improve initial profile load performance<br>```3``` Does not change file access permissions, just where the check is done. Can result in mediation that would not occur under the old scheme due to some inherited fds never being accessed.<br>```4``` gen/logprof support???<br> |
 | 4.12           | <ul><li>kernel parameters<ul><li>make path_max readonly</li></ul></li><li>Bug fixes and code cleanups</li></ul>        |   |
-| 4.13           | <ul><li>add v7 abi<sup>1</sup></li><li>speedup path lookups with preallocated buffers</li><li>revalidate files at exec transition time</li><li>fine grained ptrace mediation</li><li>domain bounding through profile stacking<sup>1</sup><ul><li>profile stacking api</li><li>extended change_profile to support profile stacking</li><li>support profile stacks in exec transitions</li></ul></li><li>apparmorfs interface<ul><li> apparmorfs policy virtualization<ul><li>the <i>policy/</i> entry is now a special symlink to a virtualized policy directory</li><li><i>policy/</i> directory is now virtualized based on opening task confinement so tasks can only see the subset of policy in their view</li></ul></li> <li>add namespace level rawdata files<ul><li>unique profile based rawdata files for each namespace in <i>policy/raw_data/</i></li><li> profile raw_data files are now a symlink to the appropriate <i>policy/raw_data/</i> files.</li></ul></li><li>mkdir/rmdir fs based interface for creating namespaces<ul><li>mkdir <i>policy/namespaces/NAMESPACE</i></li><li>rmdir policy/namespaces/NAMESPACE</li></ul></li><li>revision file interface<sup>2</sup><ul><li>read current policy revision and select/poll for when policy changes via<ul><li> <i>revision</i> for reading the current task's policy namespace revision</li><li><i>policy/revision for the current namespace revision</li><li><i>policy/namespaces/NAMESPACE/revision</i> for a given namespace policy revision</li></ul></li></ul></li><li>query interface<ul><li>support multiple queries per query transaction<sup>3</sup></li><li>support querying if a profile supports a given mediation type<sup>4</sup></li></ul></li></ul></li><li>features set<ul><li>add namespace support to available feature set</li><li>add label data query availability to feature set</li></ul></li><li>Bug fixes and code cleanups</li></ul>     | ```1``` AppArmor 2.10<br>```2``` library interface added to AppArmor 3.0, can be used directly with any version apparmor<br>```3``` AppArmor 3.0<br>```4``` AppArmor 3.0???? |
+| 4.13           | <ul><li>add v7 abi<sup>1</sup></li><li>speedup path lookups with preallocated buffers</li><li>revalidate files at exec transition time</li><li>fine grained ptrace mediation</li><li>domain bounding through profile stacking<sup>1</sup><ul><li>profile stacking api</li><li>extended change_profile to support profile stacking</li><li>support profile stacks in exec transitions</li><li>nnp restrictions loosened to any transition that is a strict subset</li></ul></li><li>apparmorfs interface<ul><li> apparmorfs policy virtualization<ul><li>the <i>policy/</i> entry is now a special symlink to a virtualized policy directory</li><li><i>policy/</i> directory is now virtualized based on opening task confinement so tasks can only see the subset of policy in their view</li></ul></li> <li>add namespace level rawdata files<ul><li>unique profile based rawdata files for each namespace in <i>policy/raw_data/</i></li><li> profile raw_data files are now a symlink to the appropriate <i>policy/raw_data/</i> files.</li></ul></li><li>mkdir/rmdir fs based interface for creating namespaces<ul><li>mkdir <i>policy/namespaces/NAMESPACE</i></li><li>rmdir policy/namespaces/NAMESPACE</li></ul></li><li>revision file interface<sup>2</sup><ul><li>read current policy revision and select/poll for when policy changes via<ul><li> <i>revision</i> for reading the current task's policy namespace revision</li><li><i>policy/revision for the current namespace revision</li><li><i>policy/namespaces/NAMESPACE/revision</i> for a given namespace policy revision</li></ul></li></ul></li><li>query interface<ul><li>support multiple queries per query transaction<sup>3</sup></li><li>support querying if a profile supports a given mediation type<sup>4</sup></li></ul></li></ul></li><li>features set<ul><li>add namespace support to available feature set</li><li>add label data query availability to feature set</li></ul></li><li>Bug fixes and code cleanups</li></ul>     | ```1``` AppArmor 2.10<br>```2``` library interface added to AppArmor 3.0, can be used directly with any version apparmor<br>```3``` AppArmor 3.0<br>```4``` AppArmor 3.0???? |
 | 4.14           | <ul><li> mount mediation<sup>1</sup><ul><li>new mount</li><li>remount</li><li>bind mount</li><li>change type</li><li>umount</li><li>pivot_root</li></ul><li>signal mediation<sup>2</sup></li><li>policy unpack log extended error messages</li><li>Bug fixes and code cleanups</li></ul> | ```1``` AppArmor 2.8<br>```2``` AppArmor 2.9  |
 | 4.15 - 4.16 | Bug fixes and code cleanups|   |
 | 4.17           | <ul><li> v8 abi<sup>1</sup></li><li>generic socket mediation (ie. basic network mediation)<sup>1</sup></li><li>improved profile attachment logic<ul><li>handle overlapping expression resolution up to 8 characters dynamic overlap in kernel<sup>2</sup></li><li>xattr attachment conditional<sup>1</sup></li><li>no_new_privs improved attachment with subset test based on confinement at time no_new_privs was entered<sup>3</sup></ul></li><li> signal mediation of profile stacks<sup>4</sup></li><li>Bug fixes and code cleanups</li></ul>       | ```1``` AppArmor 3.0 and requires policy using feature abi rules<br>```2``` Any userspace that supports attachment conditionasl 2.5+<br>```3``` no userspace requirements, reduces cases where nnp prevents a transition<br>```4```Same userspace as regular signal mediation AppArmor 2.9  |