AppArmor 3.0.1 is a maintenance release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately.

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied).

The kernel portion of the project is maintained and pushed separately.

Highlighted fixes or improvements

  • Adds support for capability checkpoint_restore for the 5.9 and later kernels

Obtaining the Release

Changes in this Release

These release notes cover all changes between 3.0 (5d51483bfecf556183558644dc8958135397a7e2) and 3.0.1 (b0f08aa9d678197b8e3477c2fbff790f50a1de5e) apparmor-3.0 branch.

Library

  • fix failure in procattr accesses due to domain change (MR:681, AABUG:131)
  • add missing include for socklen_t (MR:642)
  • add _aa_asprintf to private symbols (MR:643)
  • add aa_features_new_from_file to public symbols (MR:643)

Policy Compiler (a.k.a apparmor_parser)

  • add support for capability checkpoint_restore in the policy language.
  • Add support for CAP_CHECKPOINT_RESTORE (MR:654)
  • Fix warning message when complain mode is forced (MR:649, LP:1899218)
  • fix parser.conf commenting on pinning an abi (MR:648)
  • dont force host cpp to detect reallocarray (MR:647)

aa_status

  • Fix build issue with musl (MR:647)

aa-notify

Utils

  • add capability checkpoint_restore to the severity db (MR:656)
  • check if abstractions exist (MR:683, BOO:1178527)
  • aa-autodep: load abstractions on start (MR:682, BOO:1178527)
  • Fix hotkey conflict in utils de.po and id.po (MR:675)
  • fix failure of make -C profiles check-logprof (MR:663, AABUG:36)
  • split linting with PYFLAKES into a separate target. (AABUG:121)

Policy

abstractions

  • fonts
    • Add Fontmatrix support (MR:657)
  • mesa
    • tightens cache location and add fallback (AABUG:91)
  • ubuntu-browsers
    • Add support for brave browser (MR:667)
    • Adjust ubuntu-integration to use abstractions/exo-open (MR:666)
  • X
    • Allow (only) reading X compose cache (MR:685)
    • make x11 socket writable again (MR:664)
    • adjust for new ICEauthority path in run (MR:668)

profiles

  • dhclient-script
    • Fix invalid Pux (should be PUx) permissions (MR:676)
    • Fix dhclient and dhclient-script profiles to work on debian buster (MR:645)
  • dovecot
  • nscd

Documentation

  • Fix typos in man pages (MR:669)
  • apparmor_xattrs.7: fix whatis entry (MR:669)
  • fix manpage order (MR:646)

Tests

  • regression
    • Fix aa_policy_cache to use correct config file (MR:653)
    • Fix regression tests when using in tree parser (MR:653)

Note

There is a semantic change in the 4.8 kernel (commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46) that affects apparmor policy enforcement. Specifically it affects when the m permission bit is checked for elf binary executables. Policy and tests within apparmor 2.12 and later have been updated to support running on pre 4.8 and 4.8+ kernels.