AppArmor 2.12.4 was released 2022-11-20.

Note: AppArmor 2.12 is end of life.

Introduction

AppArmor 2.12.4 is the final maintenance release of the 2.12 series of the user space components of the AppArmor security project. The kernel portion of the project is maintained and released separately.

This version of the userspace should work with all kernel versions from 2.6.15 onwards (and with some earlier kernels if they have the AppArmor patches applied). It also supports the features released in the 4.18 kernel and in the Ubuntu 18.04 kernel with the AppArmor 3 development patches.

Obtaining the Release

There are two ways to obtain this release: through gitlab, or as a tarball from Launchpad.

Important note: the gitlab release tarballs differ from the Launchpad release tarballs. The Launchpad release tarball has a couple of processing steps already performed:

  • libapparmor autogen.sh has already been run, so distros only need ./configure in their build setup
  • the docs for everything except libapparmor have already been built
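The practical consequence of the two tarball layouts is that libapparmor needs autogen.sh before ./configure when built from the gitlab tarball, but not from the Launchpad one. The helper below is an added example, not part of the AppArmor tree or its build system: it checks for the generated ./configure under libraries/libapparmor and runs autogen.sh only when it is absent. The only assumptions are the tree layout (libraries/libapparmor/ with autogen.sh and configure.ac, as in the 2.12 source) and the configure switches --with-python and --with-perl.

```shell
#!/bin/sh
# Added example (not part of the AppArmor tree): tell the two 2.12.4 tarball
# layouts apart and run the matching libapparmor build steps.
set -eu

# True (0) when libraries/libapparmor still needs autogen.sh, i.e. this is
# the gitlab tarball, which ships configure.ac but no generated ./configure.
# Returns 2 if the directory is not an AppArmor source tree at all.
needs_autogen() {
    tree=$1
    [ -f "$tree/libraries/libapparmor/configure.ac" ] || {
        echo "not an AppArmor source tree: $tree" >&2
        return 2
    }
    [ ! -x "$tree/libraries/libapparmor/configure" ]
}

# Configure and build libapparmor, generating ./configure only when needed.
# Runs in a subshell so the caller's working directory is untouched.
build_libapparmor() {
    tree=$1
    (
        cd "$tree/libraries/libapparmor"
        if needs_autogen "$tree"; then
            sh ./autogen.sh   # gitlab tarball: aclocal/libtoolize/automake/autoconf run here
        fi
        ./configure --with-python --with-perl
        make
    )
}

# Usage: sh build-libapparmor.sh /path/to/apparmor-2.12.4
# Nothing is built when no tree argument is given.
if [ "${1:-}" != "" ]; then
    build_libapparmor "$1"
fi
```

Run it against an unpacked tarball of either kind; the same script also works on a git checkout of the apparmor-2.12 branch, which, like the gitlab tarball, carries no generated configure script.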

gitlab release

Launchpad Tarball

Changes in This Release

These release notes cover all changes between 2.12.3 (f2fb53c6c3752c5a816035b0561bb16e82f09dd9) and 2.12.4 (ad900176198150c6e09214c593f9b3b45ad59047) on the apparmor-2.12 branch.

Init

  • fix fails to load profiles in busybox (AABUG:80)

library

  • Grep away deprecation warning for distutils (MR:908)
  • add missing include for socklen_t
  • add _aa_asprintf to private symbols (MR:643)
  • fix a Python 3.8 autoconf check (MR:519, debug943657)

Policy Compiler (a.k.a apparmor_parser)

  • fix cache time stamp check to include dir time stamps (MR:760)
  • fix filter slashes for link targets (MR:723, AABUG:153)
  • fix backport of MR700 (fixing rule downgrade for unix rules) (MR:700, BOO:1180766)
  • fix --jobs so job scaling is applied correctly (MR:703)
  • call filter slashes for mount dbus conditionals (MR:607, MR:607)
  • enable variable expansion for mount type= and options= (MR:638, AABUG:99)
  • Fix expansion of variables in unix rules addr= conditional (MR:607, LP:1856738)
  • Fix automatic adding of rule for change_hat interface (MR:625)

utils

apparmor.vim:

  • add support for abi rules (MR:690)
  • allow leading whitespace on alias rules (MR:527)
  • support ‘include if exists’ (MR:500)

Policy

tunables

  • global
    • fix breakage due to gnome abstraction changes (MR:446)
  • run
    • add new variable to support /run and /var/run/ (MR:466, AABUG:88)
    • add trailing slash to the run variable definition (MR:533)
  • share
    • fix breakage due to gnome abstraction changes (MR:446)
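The run tunable above and the parser changes listed earlier (variable expansion in mount fstype= and options=, and in the addr= conditional of unix rules) come together in profiles like the one below. This is an added example, not a profile shipped with AppArmor 2.12.4: the program path /usr/local/bin/run-mounter and the variables @{MNT_FS} and @{SOCK_NUM} are invented here, and it assumes tunables/global pulls in tunables/run (if it does not on your system, include tunables/run explicitly).

```apparmor
# Added example profile, not shipped with AppArmor 2.12.4.
# Assumes tunables/global pulls in tunables/run (@{run}=/run/ /var/run/).
#include <tunables/global>

# Invented for this example only.
@{MNT_FS}=ext4
@{SOCK_NUM}=[0-9]*

/usr/local/bin/run-mounter {
  #include <abstractions/base>

  capability sys_admin,

  # @{run} covers both /run/ and /var/run/; because the tunable carries a
  # trailing slash (MR:533), no separator is written after it.
  @{run}run-mounter/state rw,

  # fstype= (and options=) values are variable-expanded in this release (MR:638).
  mount fstype=@{MNT_FS} options=(ro, nosuid, nodev) /dev/sd[a-z][0-9] -> /mnt/**,

  # addr= in unix rules is variable-expanded as well (MR:607, LP:1856738).
  # unix rules mediate abstract sockets; path-based sockets use file rules.
  unix (bind, listen) type=stream addr="@/tmp/run-mounter-@{SOCK_NUM}",
}
```

Before these fixes the parser would have treated the @{...} references in the mount and unix conditionals literally, so the rules silently failed to match; after loading a profile like this, check with apparmor_parser -p that the expanded values appear in the preprocessed output.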

abstractions

  • authentication
  • base
    • Allow access to possible cpus for glibc-2.36 (LP:1989073)
    • allow read access to /run/uuidd/request (MR:445)
    • allow read access to top-level ecryptfs directories (MR:443)
  • fonts
  • gnome
    • allow /usr/share/gtk-3.0/settings.ini (MR:592)
    • Allow access of /run/mount/utab
    • allow /etc/xdg/mimeapps.list (MR:444)
    • allow reading per-user themes from $XDG_DATA_HOME (MR:442, debug930031)
  • kerberosclient
    • allow reading /etc/krb5.conf.d/ (MR:425)
  • nameservice
    • allow accessing /run/systemd/userdb/ (AABUG:82)
  • openssl
    • allow /etc/ssl/{engdef,engines}.d/ (MR:818)
  • php
  • python
  • snap_browsers
  • ssl
    • Add support for Certbot on openSUSE Leap (MR:398)
  • video
    • fix sys rule for video4linux (MR:791)
  • wutmp
  • X

profiles

  • avahi
    • Add missing /proc permissions to avahi-daemon profile (MR:811, AABUG:203)
  • dhclient
  • dhcpd
  • dnsmasq
    • Add missing r permissions for libvirt_leaseshelper (MR:905, BOO:1202161)
    • add support for libvirt lease-helper (MR:618)
    • support dnsmasq 2.81 (MR:475)
  • dovecot
    • Allow dovecot to use all signals (MR:865)
    • allow Prometheus metrics end-point (MR:776)
    • allow reading dh.pem (MR:671)
    • allow kill signal (MR:671)
    • fix postfix binary paths (MR:602)
    • allow reading my.cnf in dovecot-dict
    • Allow /proc/*/attr/current in dovecot imap and lmtp
  • firefox
    • Add support for widevine DRM (MR:684)
  • nscd
  • postfix
    • allow reading icu *.dat (MR:615)
    • fix postfix binary paths (MR:602)
  • samba
  • winbindd
    • allow locking krb5 rcache files (MR:460)

Tests

  • Set (instead of compare) exresult (MR:907)
  • fix i18n.sh regression test on arm64 (MR:765, LP:1932331)
  • Don’t build syscall_sysctl when the kernel headers are missing (MR:637, AABUG:119, LP:1897288)
  • regression tests/prologue: adjust sed to not use ~ as regex separators (MR:599)
  • local target does not depend on parser (MR:586, AABUG:98)
  • fix aa-logprof invocation (MR:586, AABUG:98)
  • add check for built libapparmor (MR:586, AABUG:98)
  • Update ‘make check’ to select tools based on USE_SYSTEM (MR:580)
  • fix setting apparmor.aa.profile_dir (MR:574)

Documentation

Infrastructure

  • Enable CI for the 2.12 branch (MR:435)