WARNING: this is an alpha, NOT a final release; the release is targeted for fall 2023
AppArmor 4.0-alpha2 was released 2023-08-14.
Introduction
AppArmor 4.0 is a major new release of AppArmor that is still in development. These are not complete release notes of everything in alpha2; they only highlight new or important developments.
AppArmor 4.0 is a bridge release between the older AppArmor 3.x policy and the newer AppArmor 4 style policy, which introduces several new features that are not backwards compatible. As such, AppArmor 4.0 will be a short-lived release and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release; please take this into account when including AppArmor 4.0 in a distro release. For questions around compatibility see the compatibility matrix.
These release notes cover changes between AppArmor-4.0~alpha1 and AppArmor-4.0~alpha2
Note
- Some features will work with older kernels, but many of the features in AppArmor 4 will require a development kernel.
- The kernel portion of the project is maintained and pushed separately.
- AppArmor 4.0 contains all bug fixes and policy updates from apparmor 3.1
- Some new features will not be fully supported in some utilities. In these cases it was decided that releasing a new feature earlier had more benefit than delaying it for full utility support. Please see the feature support matrix.
Obtaining the Release
There are two ways to obtain this release: either through GitLab or as a tarball on Launchpad.
Important note: the GitLab release tarballs differ from the Launchpad release tarballs. The Launchpad release tarball has a couple of processing steps already performed:
- libapparmor's autogen.sh has already been run, meaning distros only need to use ./configure in their build setup
- the docs for everything but libapparmor have already been built
gitlab
Launchpad
- https://launchpad.net/apparmor/4.0/4.0.0-alpha2/+download/apparmor-4.0.0~alpha2.tar.gz
- sha256sum: 594fcace8fbfb656b2e991b33feb1270ea0fdc09ec3ae517290afd409a57b368
- signature: https://launchpad.net/apparmor/4.0/4.0.0-alpha2/+download/apparmor-4.0.0~alpha2.tar.gz.asc
- signature sha256sum: b10d6d97040dd999e38e90dbeca3f4849b6169d7b1a83033b290e05d92474512
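The digests above are only useful if they are actually checked before the tarball is unpacked and built. The following script is an added example, not part of the AppArmor release notes or the project's own tooling: it compares both Launchpad files against the published SHA-256 values and then runs `gpg --verify` on the detached signature. It assumes the tarball and its `.asc` file have already been downloaded into the current directory, and that the release signing key has been imported into the local keyring and its fingerprint checked out of band (the key itself is not on this page).

```shell
#!/bin/sh
# Added example (not part of the AppArmor release notes): verify the
# Launchpad alpha2 tarball and its detached signature before building.
# Expected digests are the ones published in the release notes; the files
# are assumed to have been downloaded into the current directory already.

TARBALL="apparmor-4.0.0~alpha2.tar.gz"
SIGNATURE="${TARBALL}.asc"
TARBALL_SHA256="594fcace8fbfb656b2e991b33feb1270ea0fdc09ec3ae517290afd409a57b368"
SIGNATURE_SHA256="b10d6d97040dd999e38e90dbeca3f4849b6169d7b1a83033b290e05d92474512"

# Print the SHA-256 digest of a file as lower-case hex. Works with
# coreutils sha256sum and falls back to BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: return 0 if the digest matches, 1 otherwise.
# The comparison is a plain string compare of the full hex digest, so a
# truncated or prefix-only expected value never passes.
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_release: check both digests, then the OpenPGP signature.
# gpg --verify only proves the signature is valid for some key already in
# the local keyring; importing the release signing key and checking its
# fingerprint is assumed to have happened beforehand (not shown here).
verify_release() {
    verify_sha256 "$TARBALL" "$TARBALL_SHA256" || return 1
    verify_sha256 "$SIGNATURE" "$SIGNATURE_SHA256" || return 1
    gpg --verify "$SIGNATURE" "$TARBALL"
}

# Run the full check only when invoked as "sh verify.sh --check";
# sourcing the script just defines the functions.
if [ "${1:-}" = "--check" ]; then
    verify_release
fi
```

Checking the digest of the `.asc` file as well as the tarball matters because the signature file is what `gpg --verify` trusts; a mismatch on either file should stop the build before `./configure` is ever run.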
Highlighted new features in alpha 2
Libapparmor
- fix dynamic linkage since lto1 does not support -dynamic MR:1071
Utils
- add option to log aa-logprof json input and output MR:1078
Parser
- add ability to specify where a disconnected path is attached (attach_disconnected.path) MR:661
- make attach_disconnected.path enable attach_disconnected by default MR:1084
- fix encoding of unix permissions for setopt and getopt MR:1079
- add support for prompt profile mode MR:1062
Documentation
- document that attach_disconnected.path expects =PATH MR:1083
Misc
- add aa-logprof test framework MR:1082
- fix checking if a feature exists in the test by ignoring if feature file is actually a directory MR:1074
- improve parser test coverage by checking for non-existent profiles, convert to unittest.main MR:1070
Policy
- allow for the default libexec subdir /usr/libexec/dovecot MR:1080
- add "include if exists" to all tunables files to allow for customization MR:1077 AABUG:347
- fix path name and DBus access for the firefox profile MR:1076
Feature Support Matrix
Feature | policy extension | breaks 3.x | supported by utils | requires 4.x libapparmor | requires kernel support |
---|---|---|---|---|---|
prompt flag | Y | Y [1] | N | N | Y [2] |
attach_disconnected.path= flag | Y | Y [1] | N | N | Y [2] |
1. If present in policy, will cause previous versions of AppArmor to fail.
2. Requires kernel support; policy can be downgraded to work on kernels that do not support it.
3. Previous versions of AppArmor may not fail but will not behave correctly.
4. Feature can be functionally provided, but may not be exactly the same.
5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail.
6. Will break older policy if the variable is not defined. The variable can be manually defined in the older parser.
7. AppArmor 3.x will not break but will use the declared abi, instead of extending the abi when a rule not in the abi is declared in policy.
8. These features, if enabled, will change unconfined's behavior but can be disabled with either a grub kernel boot parameter or a sysctl, depending on the kernel.
9. Does not allow any new rules but allows overlapping exec rules that would previously have been rejected.
10. If overlapping rules not supported by 3.x are used, policy will break on 3.x and older environments.
11. Tools will work but may not deal with overlapping rules correctly in some cases.