AppArmor 2.12.3 is a maintenance release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately.

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied). And supports features released in the 4.18 kernel and ubuntu 18.04 kernel with the apparmor 3 development patches.

AppArmor 2.12.3 was released 2019-06-18.

Obtaining the Release

These release notes cover all changes between 2.12.2 50aa7293ddbba5bde10065761e9b83764f3d2449 and 2.12.3 f2fb53c6c3752c5a816035b0561bb16e82f09dd9 in the apparmor-2.12 branch.


Changes in This Release

Build Infrastructure

  • add files to .gitignore: swig auto generated files for ruby (MR366)
  • fix libapparmor swig 4 failure ‘aa_log_record’ object has no attribute ‘__getattr__’ (BUG33)

Policy Compiler (a.k.a apparmor_parser)

  • clean up error handling (dbug921866, LP1815294)
  • fix parsing of target profile NAME in directed transitions “px -> NAME” (MR334)
  • improve runtime attachment by determine xmatch priority based on smallest DFA match (MR326)
  • don’t skip cache just because parser optimizations are specified (MR385, LP1820068)


  • ensure error value is returned correctly (MR352)


  • logprof/genprof:
    • drop failing corner-case check in (boo1120472, MR297)
    • drop unused get_profile_filename() from (MR297)
    • fix error KeyError: 'logfiles' when no logprof.conf exists (MR365)
    • don’t drop later events when user selects to deny a hat (MR378)
  • update network keyword list and add corresponding tests (MR350)


  • Profiles

    • dnsmasq:
    • work around breakage caused by {bin,sbin} alternation (boo1127073, MR346)
    • allow peer=libvirtd to support named profile (MR304)
    • dovecot:
    • allow FD passing between dovecot and dovecot’s anvil (MR336)
    • allow chroot’ing the auth processes (MR336)
    • let dovecot/anvil rw the auth-penalty socket (MR336)
    • auth processes need to read from postfix auth socket (MR336)
    • add abstractions/ssl_certs to lmtp (MR336)
    • align {pop3,managesieve}-login to imap-login (MR389)
    • allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/ ([MR386][MR[386])
    • allow lmtp the dac_read_search capability (MR386)
    • allow master to use SIGTERM on children that are slow to die (MR357)
    • identd: allow network netlink dgram (MR353)
    • mysqld (MR310):
    • add mmap permission for mysqld (4.8 semantic change)
    • allow mysql to determine which cpus are online
    • allow locking of mysql files
    • syslog-ng: add abstractions/python for python-parser (MR361)
  • Abstractions

    • audio:
    • fix alsa settings access (MR303)
    • grant read access to the libao configuration files (dbug920670, MR320)
    • grant read access to the system-wide asound.conf (dbug920669, MR320)
    • fonts:
    • allow writing to owned fontconfig directories (MR165)
    • allow creating owned fontconfig directories (MR165)
    • add various openSUSE-specific font config directories (MR309)
    • gnome:
    • allow creating gtk-2, gtk-3 config directories (MR165)
    • allow read access to gtk-3 cache files (MR342)
    • kde:
    • update kde abstraction for common settings (MR327)
    • fix global settings access for Kubuntu and openSUSE (MR327)
    • ldapclient: allow read/write access to the nslcd socket (LP1575438)
    • nameservice: allow /run/netconfig/resolv.conf (boo1097370)
    • nvidia: allow reading nvidia application profiles (MR125)
    • postfix-common: make compatible with latest postfix profiles (MR387)
    • python: allow /usr/local/lib/python3 (MR171)
    • qt5: read user configuration (MR335)
    • qt5-compose-cache-write: fix anonymous shared memory access (MR301)
    • qt5-settings-write: fix anonymous shared memory access (MR302)
    • ssl_certs,keys: add support for libdehydrated in /var/lib/ (MR299)
    • ubuntu-browsers.d/multimedia: allow creating and writing to owned .adobe directory (MR165)
    • vulkan: allow reading /etc/vulkan/icd.d/ (MR329)


  • fix various tests to cope with usr-merge where /bin and /sbin are symlinks (MR331)
  • fix mount test to use next available loop device (MR379)


  • update list of network domain keywords in the apparmor.d manpage (MR349)
  • drop to option for link rules from the apparmor.d manpage (MR368)


There is a semantic change in the 4.8 kernel (commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46) that affects apparmor policy enforcement. Specifically it affects when the m permission bit is checked for elf binary executables. Policy and tests within apparmor 2.12 and later have been updated to support running on pre 4.8 and 4.8+ kernels.