Kernel vs. Userspace versions
The released versions documented below are for the AppArmor userspace utils. The apparmor kernel module does not track versions the same way, as it primarily tracks Linux kernel releases. In general the apparmor kernel module tries to support old versions of the apparmor userspace (at this time versions 2.1 - 2.10), and the apparmor userspace supports the current and previous releases of the kernel.
For new features to be supported, a version of the userspace utils and a kernel that supports the feature are required. If the apparmor userspace utils are too old, they will fail to recognize the feature and policy compilation will fail. If the kernel version is too old, one of three things happens: the apparmor utils compile the policy to what is supported by the kernel, thus dropping the unsupported feature; the kernel ignores the unsupported feature; or the kernel rejects the policy load if it is for an ABI it does not support.
AppArmor kernel module versions
The kernel module breaks down into several development epochs.
- Pre LSM kernel patch. Not upstreamed and lost long ago.
- apparmor 2.0: LSM rewrite.
- apparmor 2.1: DFA and invasive VFS hooks patch
- apparmor 2.5: creds & LSM path hooks rewrite
- apparmor 3: labeling - a development series that was a precursor to type splitting. Carried by Ubuntu but never upstreamed
- apparmor 3.5 - 3.6: stacking which exposes compound task labeling to user interfaces. Carried by Ubuntu but never upstreamed
- apparmor 4: typesplitting?
- apparmor 5: Delegation?
The 2.x series reworked the backend several times but kept the same basic profile model.
The 3.x series transitioned to using a labeling model based on DTE that allowed for more than one profile to be stored in a label associated with a subject or object.
The 4.x series finished the transition to a DTE type splitting model, which is a finer grained evolution of the labeling in the 3.x series.
What release version does Distro X have
With the caveat that several distros (especially Ubuntu) have distro patches, backports, etc. on top of their version of apparmor, a mapping of the apparmor packaging to distros can be found here.
Available Features
The actual set of mediation available depends on both the userspace version and the kernel version available.
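One way to check both sides on a given host, as an added example rather than a tool from the AppArmor project: the script reads the feature tree the kernel module exposes in securityfs and the installed parser's version, then lists rule classes the kernel does not advertise. The function names and the list of classes checked are this example's own choices.

```shell
#!/bin/sh
# Added example: compare what the running AppArmor kernel module advertises
# with the installed userspace parser. Function names are hypothetical.
AA_FS_DEFAULT=/sys/kernel/security/apparmor   # securityfs directory of the module

# Print the top-level feature classes under <root>/features, one per line.
aa_feature_classes() {
    root=${1:-$AA_FS_DEFAULT}
    [ -d "$root/features" ] || return 1        # no AppArmor securityfs here
    for d in "$root"/features/*/; do
        if [ -d "$d" ]; then basename "$d"; fi
    done
    return 0
}

# Print the policy ABI versions the kernel accepts (files containing "yes").
aa_policy_abis() {
    root=${1:-$AA_FS_DEFAULT}
    for f in "$root"/features/policy/versions/*; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" = "yes" ]; then basename "$f"; fi
    done
    return 0
}

# Print each requested class the kernel does NOT advertise; rules of these
# classes are the ones that get dropped or ignored on this kernel.
aa_missing_classes() {
    root=$1; shift
    for c in "$@"; do
        [ -e "$root/features/$c" ] || echo "$c"
    done
    return 0
}

aa_report() {
    root=${1:-$AA_FS_DEFAULT}
    if command -v apparmor_parser >/dev/null 2>&1; then
        echo "userspace: $(apparmor_parser --version 2>/dev/null | head -n 1)"
    else
        echo "userspace: apparmor_parser not installed"
    fi
    if ! classes=$(aa_feature_classes "$root"); then
        echo "kernel: no AppArmor securityfs at $root"; return 0
    fi
    echo "kernel feature classes: $(echo "$classes" | tr '\n' ' ')"
    echo "kernel policy ABIs: $(aa_policy_abis "$root" | tr '\n' ' ')"
    echo "not advertised: $(aa_missing_classes "$root" network mount dbus signal ptrace | tr '\n' ' ')"
}

aa_report
```

An empty "not advertised" line means the kernel exposes every class in the sample list; pass a different directory to `aa_report` to inspect a copied feature tree.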
Released Versions of AppArmor Userspace Utils
- AppArmor 4.1
- AppArmor 4.0
- AppArmor 3.1
- AppArmor 3.0
- AppArmor 2.14 - Cancelled
- AppArmor 2.13
- AppArmor 2.12
- AppArmor 2.11
- AppArmor 2.10
- AppArmor 2.9
- AppArmor 2.8
- AppArmor 2.7
- AppArmor 2.6
- AppArmor 2.5
- AppArmor 2.4
- AppArmor 2.3
- AppArmor 2.2 skipped. AppArmor 2.2 was purposely skipped due to versioning conflicts in the newer version of libapparmor in AppArmor 2.1, which for reasons unknown was given a version of 2.2 instead of 2.1.x
- AppArmor 2.1
- AppArmor 2.0.1 (Deprecated) shipped in: sles9, opensuse 10.1?, Ubuntu 7.10 (Gutsy Gibbon)
- AppArmor 2.0 (Deprecated)
AppArmor versions prior to 2.0 exist only in the Linux distro Immunix and are not covered here.