What's new in AppArmor 2.13.3
Jun 19, 2019
- AppArmor 2.13.3 is a maintenance release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately.
- This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied). And supports features released in the 4.18 kernel and ubuntu 18.04 kernel with the apparmor 3 development patches.
New in AppArmor 2.13.2 (Dec 22, 2018)
- This version of the userspace should work with all kernel versions from
- 2.6.15 and later (some earlier version of the kernel if they have the
- apparmor patches applied). And supports features released in the 4.18
- kernel and ubuntu 18.04 kernel with the apparmor 3 development patches.
New in AppArmor 2.13.1 (Oct 15, 2018)
- This release was focused on fixing bugs and making minor improvements to tools and policy.
New in AppArmor 2.13 (Apr 20, 2018)
- This release was focused on fixing bugs and making minor improvements to tools and policy.
New in AppArmor 2.11 (Jan 15, 2017)
- This release was focused on improving the profiling tools and adding support for apparmor policy stacking when used with the AppArmor 3 development kernel patches.
New in AppArmor 2.10.1 (Apr 20, 2016)
- This release was focused on fixing bugs and making minor improvements.
New in AppArmor 2.9.2 (Apr 25, 2015)
- Policy Compiler (a.k.a. apparmor_parser):
- Fix incorrect compilation of audit modifiers for exec and pivot_root (lp#1431717, lp#1432045)
- Fix compilation failure of deny link rules (lp#1433829)
- Fix organization of network families data structure (thanks to Philip Withnall and Simon McVittie)
- Correct handling of error result from readdir_r(3)
- Fix compilation failures when building with gcc 5.
- Ensure debugging and error reporting goes to stderr
- Added test cases and improvements to test infrastructure.
- Utils:
- Support additional syslog format (lp#1399027)
- Fix minitools to work with multiple profiles at once (lp#1378095)
- aa-unconfined: work with profile names that don't start with /
- aa-status: don't crash when mountpoints contain UTF-8 chars (lp#1310598, thanks to Alain BENEDETTI)
- aa-easyprof: add --include-templates-dir and --include-policy-groups-dir options
- aa-complain: don't require strict names for profiles (lp#1128468)
- Ignore disconnected path events rather than crashing (bnc#918787)
- Clean up profile preamble and flag handling and add support for profile attachment
- Clean up network rule writing
- Fix doubled '->' when writing out exec rules (lp#1437901)
- Fix crashes when reading 'send' and 'trace' log events (lp#1243932, lp#1426651)
- Fix problems handling additional variable assignments
- Fix crash when path rules are separated by non-path rules.
- Sync the utils and the parsers notion of which files and directories to ignore
- Other minor improvements
- Numerous added test cases and improvements to test infrastructure
- Policy:
- Updates to the following profiles...
- mysqld
- dovecot (lp#1296667)
- dnsmasq (bnc#911001, lp#1403468, thanks to Cédric Bosdonnat and Cameron Norman)
- Updates to the following abstractions:
- base - Allow writes to the systemd journal socket (lp#1413232)
- aspell - allow access to /usr/share/aspell/ (thanks to Felix Geyer)
- ssl_certs - Add support for /etc/pki (thanks to Gregor Dschung)
- ubuntu_email - Add geary email client (thanks to Cameron Normon)
- ubuntu-helpers - allow generation of texlive fonts (lp#1010909)
- X - add new gdm path (lp#1432126)
- mir - new abstraction (lp#1422521)
- Documentation:
- Fix network rule description and remove obsolete references to program-chunks in apparmor.d(5)
New in AppArmor 2.9.1 (Dec 17, 2014)
- Improvements and Bugs Fixed:
- libapparmor:
- fix log parsing for 3.16 kernels + syslog-ng, that was preventing utils from working (lp#1399027, bnc#905368)
- allow skipping build of man pages via configure option
- Policy Parser:
- parsing of mount option fixups:
- fix incorrect mount options
- fail compilation if unknown mount options are found
- don't treat recursive mount options as normal options
- fix error typo
- add language parsing test cases
- clean up some minor file descriptor handling issues
- Utils:
- Numerous improvements and bug fixes were made to the python tools, including...
- proposing abstractions for missing network rules (lp#1380368)
- don't ask for existing existing network rules (lp#1380367)
- performance improvements when parsing log files
- other miscellaneous bug fixes
- Policy:
- Updates to the following profiles...
- dnsmasq
- nscd
- useradd
- sendmail
- man
- passwd
- Documentation:
- document ability to load profiles from a directory
- sync documentation on mount rules with parser's implementation
- Translations:
- updated German, Italian translations
New in AppArmor 2.8.3 (Feb 17, 2014)
- This release is an incremental improvement over the AppArmor 2.8.2 release, focusing on fixing bugs in the userspace code.
New in AppArmor 2.8.2 (Aug 17, 2013)
- Bug fixes:
- Kshitij Gupta fixed a display bug in aa-logprof, aa-genprof, with the Glob and Glob with Ext putting duplicate entries in the list. The fix introduced a Perl 5.10.1 or higher dependency.
- Gernot Vormayr fixed a potential NULL-write in aa_getprocattr() error path
- Michael Palimaka fixed hu translations
- Fix for cache failures when the feature file is larger than internal buffer
- Fix apparmor_parser cache tempfile location to use passed arg
- Improvements:
- Dmitrijs Ledkovs fixed configure to use python-config if it exists
- Dmitrijs Ledkovs provided python3 compability changes
- Reference Profile updates:
- Intrigeri provided abstractions/fonts improvements
- Felix Geyer added Dolphin (default Kubuntu file manager) to the list of file managers in abstractions/ubuntu-browsers.d/ubuntu-integration.
- Move poppler's cMaps from gnome to fonts; gnome includes fonts
- Deny writes to upstart user sessions jobs in abstractions/private-files
- Deny @{HOME}/.gnome2/keyrings/** to abstractions/private-files-strict
- Add read access to @{PROC}/sys/vm/overcommit_memory to abstractions/base
- Update pulseaudio directory and cookie file paths
- Add missing permissions to the nscd profile.
- Deny capability block_suspend to nscd
- MariaDB compatability in abstractions/mysql
New in AppArmor 2.8.1 (Jan 10, 2013)
- This release is an incremental improvement over the AppArmor 2.8.0 release, focusing on fixing bugs in the userspace code.
New in AppArmor 2.6.1 (Mar 25, 2011)
- Improvements and Bugs Fixed:
- AppArmor apache2 module (mod_apparmor):
- Fix build time linking issue that prevented mod_apparmor from working (LP: #737074)
- AppArmor Parser:
- Allow the parser to specify more network protocols by fixing the set filtered out at build time (LP: #732837)
- Fix parser to check its own timestamp against cached profiles, to ensure that on parser upgrades, the caches get regenerated (LP: #731184)
- Fix profile matching when an attachement name doesn't contain a regex pattern (e.g. profile chromium-browser /usr/lib/chromium-browser/chromium-browser) (LP: #731155)
- Add workaround for older kernels that didn't properly filter out newer network protocols beyond AF_MAX (LP: #727478)
- Fix rc.apparmor.functions breakage (LP: #735429)
- AppArmor Profiles:
- Minor fixups to profiles
- Fix 'make check' test target to cover the profiles in extras as intended
- AppArmor regression tests:
- Fix simple tcp test and re-enable by default
New in AppArmor 2.6.0 (Mar 11, 2011)
- AppArmor Parser:
- add support for profile names that are independent of attachment specification
- faster policy compilation, with less peak memory use
- add a safe exec transition keyword
- make leading x permissions consistent with trailing x permissions
- new policy compilation information dump flags
- write_cache is no longer a privileged operation (DAC permissions still apply)
- use file timestamps to determine if cache is stale on load
- fix dfa graph dumping
- add -o option to dump compiled policy to a file
- reintroduce -p (preprocess) flag
- fix two x (execute) transition conflict bugs (LP: #693082) and add testcases
- enable initscripts to work with upstream kernel that is missing compatibility patches
- skip cache tests during build when securityfs is not mounted
- break out make targets so that distributors that don't want full documentation can pick the targets they want
- AppArmor Utils (aa-genprof/aa-logprof):
- standardize on all utils using the "aa-" prefix
- add aa-disable, a utility to disable profiles
- updated apparmor.vim to more accurately parse current policy language syntax
- abstract out the perl vendor location for distros to override if necessary at installation time
- fix to set complain mode on subprofiles (LP: #707092)
- other minor bugfixes
- AppArmor Library (libapparmor):
- add support for newer auditd formatted messages.
- make change_hatv(), change_hat_varargs() available via swig interfaces
- fix python swig bindings to be functional
- AppArmor release wide changes:
- new/updated regression tests
- new and updated profile abstractions
- new and updated reference profiles
- refreshed kernel compatibility patches for most recent versions of the kernel
- updated documentation and translation files
- Fix up tomcat build
- make setup target work independently
- replace SubDomain with AppArmor in most instances
- build, code, and comment cleanups
New in AppArmor 2.5.1 (Sep 21, 2010)
- Bug Fixes and Enhancements:
- AppArmor Profiles:
- (LP: #611248) Fix gnome abstraction for gdk pixbuf loaders
- (LP: #538661) Adjust cgi path for php5 abstraction
- Add 'k' to /var/lib/samba/**.tdb in the samba abstraction
- abstractions/user-tmp: require 'owner' matching
- profiles/apparmor.d/abstractions/base: statvfs allowed by default
- Add dbus-session abstraction (and use Pix rather than Uix)
- AppArmor Parser:
- (LP: #599450) Change the table resizing so that there is always sufficient high entries in the table, preventing bounds violations from occurring.
- (LP: #626984) Prevent the parser from crashing when run against 2.6.36 upstream version of AppArmor which doesn't present information parser expects.
- Move expression tree node labeling into expr node themselves to reduce memory usage and make node labeling per dfa rather than global.
- Clean up the sets firstpos, lastpos, and followpos early to reduce peak memory usage.
- Add the ability for the apparmor_parser to dump flattened profiles. Passing the -p flag to the apparmor_parser causes it to dump a flattened profile that includes all the text for all includes to stdout.
- Fix memory leak during dfa minimization.
- (LP: #588012) Fix leaking file descriptors on included files.
- (LP: #588014) Report correct filename/line number on errors in the parser.
- Detect when abstractions have been modified, and invalidate profile cache file when reloading.
- Fix compilation/build warnings.
- AppArmor Library (libapparmor):
- Fix perl swig bindings so that libapparmor can be built when configured without perl.
- Add support for LSM_AUDIT format messages
- Update support for minor message changes that occurred as part of upstreaming effort
- AppArmor Desktop Notifier (apparmor_notify):
- Fix memory leak
- (LP: #582075) apparmor_notify group like entries together when using -v with -s
- Setting in notify.conf now defaults to on (apparmor_notify is not usually installed by default)
- Add long options
- Cleanup output
- Better handle auditd
- Handle logfile rotation
- Use seteuid() to drop privileges so we can raise/drop after log file rotation. Add -u USER option for dropping privileges when not using sudo
- Update man page
- AppArmor Utils (genprof/logprof):
- (LP: #623467) SubDomain.pm: add support for distinct reported truncate, rename_src, rename_dest, and mkdir operations
- AppArmor PAM Library (pam_apparmor):
- (LP: #619521) Teach pam_apparmor about the current errno returned by the kernel when the hat that was passed does not exist in the profile (but other hats exist).