AppArmor Changelog

New in version 2.9.1 (December 17th, 2014)

  • Improvements and Bugs Fixed:
    • libapparmor:
      • fix log parsing for 3.16 kernels + syslog-ng, which was preventing utils from working (lp#1399027, bnc#905368)
      • allow skipping build of man pages via configure option
    • Policy Parser:
      • parsing of mount option fixups:
      • fix incorrect mount options
      • fail compilation if unknown mount options are found
      • don't treat recursive mount options as normal options
      • fix error typo
      • add language parsing test cases
      • clean up some minor file descriptor handling issues
    • Utils:
      • Numerous improvements and bug fixes were made to the Python tools, including...
        • proposing abstractions for missing network rules (lp#1380368)
        • don't ask for existing network rules (lp#1380367)
        • performance improvements when parsing log files
        • other miscellaneous bug fixes
    • Policy:
      • Updates to the following profiles...
        • dnsmasq
        • nscd
        • useradd
        • sendmail
        • man
        • passwd
    • Documentation:
      • document ability to load profiles from a directory
      • sync documentation on mount rules with parser's implementation
    • Translations:
      • updated German, Italian translations

New in version 2.8.3 (February 17th, 2014)

  • This release is an incremental improvement over the AppArmor 2.8.2 release, focusing on fixing bugs in the userspace code.

New in version 2.8.2 (August 17th, 2013)

  • Bug fixes:
    • Kshitij Gupta fixed a display bug in aa-logprof and aa-genprof, where Glob and Glob with Ext put duplicate entries in the list. The fix introduced a Perl 5.10.1 or higher dependency.
    • Gernot Vormayr fixed a potential NULL-write in the aa_getprocattr() error path
    • Michael Palimaka fixed hu translations
    • Fix for cache failures when the feature file is larger than the internal buffer
    • Fix apparmor_parser cache tempfile location to use passed arg
  • Improvements:
    • Dmitrijs Ledkovs fixed configure to use python-config if it exists
    • Dmitrijs Ledkovs provided python3 compatibility changes
  • Reference Profile updates:
    • Intrigeri provided abstractions/fonts improvements
    • Felix Geyer added Dolphin (default Kubuntu file manager) to the list of file managers in abstractions/ubuntu-browsers.d/ubuntu-integration.
    • Move poppler's cMaps from gnome to fonts; gnome includes fonts
    • Deny writes to upstart user sessions jobs in abstractions/private-files
    • Deny @{HOME}/.gnome2/keyrings/** to abstractions/private-files-strict
    • Add read access to @{PROC}/sys/vm/overcommit_memory to abstractions/base
    • Update pulseaudio directory and cookie file paths
    • Add missing permissions to the nscd profile.
    • Deny capability block_suspend to nscd
    • MariaDB compatibility in abstractions/mysql

New in version 2.8.1 (January 10th, 2013)

  • This release is an incremental improvement over the AppArmor 2.8.0 release, focusing on fixing bugs in the userspace code.

New in version 2.6.1 (March 25th, 2011)

  • Improvements and Bugs Fixed:
    • AppArmor apache2 module (mod_apparmor):
      • Fix build time linking issue that prevented mod_apparmor from working (LP: #737074)
    • AppArmor Parser:
      • Allow the parser to specify more network protocols by fixing the set filtered out at build time (LP: #732837)
      • Fix parser to check its own timestamp against cached profiles, to ensure that on parser upgrades, the caches get regenerated (LP: #731184)
      • Fix profile matching when an attachment name doesn't contain a regex pattern (e.g. profile chromium-browser /usr/lib/chromium-browser/chromium-browser) (LP: #731155)
      • Add workaround for older kernels that didn't properly filter out newer network protocols beyond AF_MAX (LP: #727478)
      • Fix rc.apparmor.functions breakage (LP: #735429)
    • AppArmor Profiles:
      • Minor fixups to profiles
      • Fix 'make check' test target to cover the profiles in extras as intended
    • AppArmor regression tests:
      • Fix simple tcp test and re-enable by default

New in version 2.6.0 (March 11th, 2011)

  • AppArmor Parser:
    • add support for profile names that are independent of attachment specification
    • faster policy compilation, with less peak memory use
    • add a safe exec transition keyword
    • make leading x permissions consistent with trailing x permissions
    • new policy compilation information dump flags
    • write_cache is no longer a privileged operation (DAC permissions still apply)
    • use file timestamps to determine if cache is stale on load
    • fix dfa graph dumping
    • add -o option to dump compiled policy to a file
    • reintroduce -p (preprocess) flag
    • fix two x (execute) transition conflict bugs (LP: #693082) and add testcases
    • enable initscripts to work with upstream kernel that is missing compatibility patches
    • skip cache tests during build when securityfs is not mounted
    • break out make targets so that distributors that don't want full documentation can pick the targets they want
  • AppArmor Utils (aa-genprof/aa-logprof):
    • standardize on all utils using the "aa-" prefix
    • add aa-disable, a utility to disable profiles
    • updated apparmor.vim to more accurately parse current policy language syntax
    • abstract out the perl vendor location for distros to override if necessary at installation time
    • fix to set complain mode on subprofiles (LP: #707092)
    • other minor bugfixes
  • AppArmor Library (libapparmor):
    • add support for newer auditd formatted messages.
    • make change_hatv(), change_hat_varargs() available via swig interfaces
    • fix python swig bindings to be functional
  • AppArmor release wide changes:
    • new/updated regression tests
    • new and updated profile abstractions
    • new and updated reference profiles
    • refreshed kernel compatibility patches for most recent versions of the kernel
    • updated documentation and translation files
    • Fix up tomcat build
    • make setup target work independently
    • replace SubDomain with AppArmor in most instances
    • build, code, and comment cleanups

New in version 2.5.1 (September 21st, 2010)

  • Bug Fixes and Enhancements:
    • AppArmor Profiles:
      • (LP: #611248) Fix gnome abstraction for gdk pixbuf loaders
      • (LP: #538661) Adjust cgi path for php5 abstraction
      • Add 'k' to /var/lib/samba/**.tdb in the samba abstraction
      • abstractions/user-tmp: require 'owner' matching
      • profiles/apparmor.d/abstractions/base: statvfs allowed by default
      • Add dbus-session abstraction (and use Pix rather than Uix)
    • AppArmor Parser:
      • (LP: #599450) Change the table resizing so that there are always sufficient high entries in the table, preventing bounds violations from occurring.
      • (LP: #626984) Prevent the parser from crashing when run against the 2.6.36 upstream version of AppArmor, which doesn't present the information the parser expects.
      • Move expression tree node labeling into the expr nodes themselves to reduce memory usage and make node labeling per dfa rather than global.
      • Clean up the sets firstpos, lastpos, and followpos early to reduce peak memory usage.
      • Add the ability for the apparmor_parser to dump flattened profiles. Passing the -p flag to the apparmor_parser causes it to dump a flattened profile that includes all the text for all includes to stdout.
      • Fix memory leak during dfa minimization.
      • (LP: #588012) Fix leaking file descriptors on included files.
      • (LP: #588014) Report correct filename/line number on errors in the parser.
      • Detect when abstractions have been modified, and invalidate profile cache file when reloading.
      • Fix compilation/build warnings.
    • AppArmor Library (libapparmor):
      • Fix perl swig bindings so that libapparmor can be built when configured without perl.
      • Add support for LSM_AUDIT format messages
      • Update support for minor message changes that occurred as part of upstreaming effort
    • AppArmor Desktop Notifier (apparmor_notify):
      • Fix memory leak
      • (LP: #582075) apparmor_notify group like entries together when using -v with -s
      • Setting in notify.conf now defaults to on (apparmor_notify is not usually installed by default)
      • Add long options
      • Cleanup output
      • Better handle auditd
      • Handle logfile rotation
      • Use seteuid() to drop privileges so we can raise/drop after log file rotation. Add -u USER option for dropping privileges when not using sudo
      • Update man page
    • AppArmor Utils (genprof/logprof):
      • (LP: #623467) SubDomain.pm: add support for distinct reported truncate, rename_src, rename_dest, and mkdir operations
    • AppArmor PAM Library (pam_apparmor):
      • (LP: #619521) Teach pam_apparmor about the current errno returned by the kernel when the hat that was passed does not exist in the profile (but other hats exist).