AppArmor 3.1.7 is a bug fix release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately.
This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied).
Important Note
This release fixes a regression in 3.1.5 introduced by its fix to mount rule generations.
Obtaining the Release
There are two ways to obtain this release either through gitlab or a tarball in launchpad.
Important note: the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
- libapparmor
autogen.shis already done, meaning distros only need to use ./configure in their build setup - the docs for everything but libapparmor have already been built
gitlab
Changes in this Release
These release notes cover all changes between 3.1.6 (tag v3.1.6) ) and 3.1.7 (tag v3.1.7) on the apparmor-3.1 branch.
Policy Compiler (a.k.a apparmor_parser)
- Fix subprofile name in profile serialization (MR:1127)
- Fix typo in apparmor_parser manpage (MR:1128)
Policy
abstractions
- kde
- fonts
- pipewire
- Allow use of client-rt.conf file (MR:1113)
- nameservice
- Allow reading /etc/authselect/nsswitch.conf (MR:1119)
wutmp
Allow reading /run/systemd/sessions/ (MR:1121)
profiles
dovecot
- Allow for the default dovecot libexecdir (MR:1080)
Tests
- Fail iopl/ioperm with lockdown on the syscall test (MR:1063)
- Fix regression tests to run on kernels that only have network_v8 (MR:1120)
Tools
- Attach null-* events to correct target profile (MR:1092)
- Ignore ´//null-` peers in signal and ptrace events (MR:1107)
- Fix aa-cleanprof to work with named profiles (MR:1108)
- Remove unnecessary regex backslashes and resolve string escape sequence DeprecationWarnings (MR:1130)
- No longer skip exec events in hats (MR:1134)
- Prevent ANSI terminal injection in aa-unconfined (MR:1142)