AppArmor 3.0.2 is a maintenance release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately.

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied).

The kernel portion of the project is maintained and pushed separately.

Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad. Important note: the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

  • libapparmor is already done, meaning distros only need to use ./configure in their build setup
  • the docs for everything but libapparmor have already been built



Changes in this Release

These release notes cover all changes between 3.0.1 (b0f08aa9d678197b8e3477c2fbff790f50a1de5e) and 3.0.2 (59ec31bcb3c3ce186de5c6d97c8928ac8878a8af) apparmor-3.0 branch.

Build Infrastructure

  • .gitignore: Add aa-features-abi and utils coverage files (MR:748)


  • add support for abi rules (MR:690)


Policy Compiler (a.k.a apparmor_parser)

  • update the parser to add interface rules for change_XXX (MR:713, AABUG:150)
  • Detect and handle include loop when parsing profiles (MR:743, MR:750, MR:743, BOO:1184779)
  • fix cache time stamp check to include dir time stamps (MR:760)
  • Fix comment wording in file_cache.h (MR:752)
  • Fix invalid reference to name in attachment warning (MR:727)
  • fix filter slashes for profile attachments (MR:727, AABUG:154)
  • fix filter slashes for link targets (MR:723, AABUG:153)
  • fix rule downgrade for unix rules (MR:700, BOO:1180766)
  • fix build issue with REALLOCARRAY check (MR:712)
  • fix –jobs so job scaling is applied correctly (MR:703)
  • don’t abort profile compile if the kernel is missing caps/mask (MR:691, AABUG:140)




  • authentication
  • crypto
    • Add crypto abstraction to 3.0 Branch (MR:773)
  • php
  • ssl_certs
    • allow reading crypto policies (MR:720)
    • add /etc/ca-certificates/ and /etc/libressl/ (MR:698)
  • private-files-strict
    • add new deny path for kwallet (used in KDE 5) (MR:704)
  • ubuntu-browsers.d/user-files

    • add new deny path for kwallet (used in KDE 5) (MR:704)
  • wutmp


  • dovecot
    • - allow Prometheus metrics end-point in dovecot/stats (MR:776)
  • dhclient
  • dhcpd
  • firefox
    • Add support for widevine DRM (MR:684)
  • nscd
  • ntpd
    • add abstractions/ssl_certs (MR:698)
  • postfix
    • Update postfix profiles to support latest release (MR:753)
    • postfix-flush and -showq: add permissions needed with latest postfix (MR:717)
    • allow access to *.lmdb files (MR:717)
    • cleanup postfix profiles (MR:717)


  • python tools

    • add re_match_include_parse() test with invalid rule name (MR:695)
    • Add missing test for ProfileList add_alias() (MR:694)
    • Fix comment in split_name() tests (MR:692)
  • regression

    • Fix aa_policy_cache to use correct config file (MR:653)
    • Fix regression tests when using in tree parser (MR:653)
    • fix regression test on arm64 (MR:765, LP:1932331)


There is a semantic change in the 4.8 kernel (commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46) that affects apparmor policy enforcement. Specifically it affects when the m permission bit is checked for elf binary executables. Policy and tests within apparmor 2.12 and later have been updated to support running on pre 4.8 and 4.8+ kernels.