AppArmor 2.10.6 was released 2020-12-08.

Introduction

AppArmor 2.10.6 is a maintenance release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately.

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied).

The kernel portion of the project is maintained and pushed separately.

Important Note

• This is the last release in the 2.10 series.

Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad. Important note: the gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

• libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup

gitlab

• https://gitlab.com/apparmor/apparmor/-/releases/v2.10.6

Launchpad

• https://launchpad.net/apparmor/2.10/2.10.6/+download/apparmor-2.10.6.tar.gz
• sha256sum: 751b8df8f8526167d6f3164c6b6d73f2b1398c96458412e6b87058220789f257
• signature: https://launchpad.net/apparmor/2.0/2.10.6/+download/apparmor-2.10.6.tar.gz.asc

Changes in this Release

These release notes cover all changes between 2.10.5 (6a871a50) and 2.10.6 (ac03ae4e) apparmor-2.10 branch.

Library

• add _aa_asprintf to private symbols (MR:643)
• add missing include for socklen_t (MR:561](!561))

Policy Compiler (a.k.a apparmor_parser)

• call filter slashes for mount and dbus path conditionals (MR:607)
• enable variable expansion for mount type= and options= (MR:638, AABUG:99)
• Fix expansion of variables in unix rules addr= conditional (MR:607, LP:1856738)

aa_status

• handle profile names containing '(' (MR:415, AABUG:51)

Utils

• Add CAP_CHECKPOINT_RESTORE to severity.db (MR:656)
• Add CAP_BPF and CAP_PERFMON to severity.db (MR:589, LP:1890547)
• Fix crash when log message contains a filename with unbalanced parenthesis (MR402)

Policy

abstractions

• X
  • Allow (only) reading X compose cache (MR:685)
• kerberosclient
  • allow reading /etc/krb5.conf.d/ (MR:425)
• ssl_certs/ssl_keys
  • add support for cert bot (MR397)

apparmor.vim

• Fix capability mispelling in syntax highlighting (MR:421)

Documentation

• apparmor.d (7)
  • fix typos in documentation for dbus and unix rules (LP1838991, MR410)
  • fix typo in man doc of unix rules

Tests

• Don't build syscall_sysctl if missing kernel headers (MR:637, AABUG:119, LP:1897288)

Note

There is a semantic change in the 4.8 kernel (commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46) that affects apparmor policy enforcement. Specifically it affects when the m permission bit is checked for elf binary executables. Policy and tests within apparmor 2.12 and later have been updated to support running on pre 4.8 and 4.8+ kernels.