WARNING this is a beta - NOT a final release
AppArmor 4.0-beta3 was released 2024-03-17.
Introduction
AppArmor 4.0 is a major new release of AppArmor that is in development.
AppArmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer AppArmor 4 style policy, which introduces several new features that are not backwards compatible. As such, AppArmor 4.0 will be a short-lived release and will not receive long-term support. The following AppArmor 4.1 feature release is planned to be a regular release; please take this into account when including AppArmor 4.0 in a distro release. For questions around compatibility, see the compatibility matrix.
These release notes cover changes between AppArmor-4.0~beta2 and AppArmor-4.0~beta3.
Notes
- new build dependency: **autoconf-archive**
This release contains only bug fixes to AppArmor 4.0 beta2.
Misc
- Some features will work with older kernels, but many of the features in AppArmor 4 will require a development kernel.
- The kernel portion of the project is maintained and pushed separately.
- AppArmor 4.0 contains all bug fixes and policy updates from AppArmor 3.1.
- Some new features will not be fully supported in some utilities. In these cases it was decided that releasing a new feature earlier had more benefit than delaying it for full utility support. Please see the feature support matrix.
Features
libraries
- fix syntax in configure (MR:1184)
policy compiler (aka apparmor_parser)
Utils
- mount rules Fix _is_covered_localvars (MR:1182)
- MountRule to fix make check failure (MR:1176,AABUG:370)
- aa-notify
  - Fix test-aa-notify on openSUSE Tumbleweed (new 'last') (MR:1180)
Policy
abstractions
- authentication
  - Allow pam_unix to execute unix_chkpwd (MR:1181,BOO:1219139)
- crypto (MR:1178,LP:2056747,LP:2056739)
  - allow read of openssl config
  - allow read of gnutls config
- kde-open5
  - Clean superfluous openssl abstraction includes (MR:1179)
profiles
- new unix_chkpwd - required by authentication (MR:1181,BOO:1219139)
- php-fpm
  - Clean superfluous openssl abstraction includes (MR:1179)
- samba-bgqd
  - Clean superfluous openssl abstraction includes (MR:1179)
- sbin.syslog-ng
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.lib.dovecot.auth
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.lib.dovecot.dict
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.lib.dovecot.imap-login
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.lib.dovecot.lmtp
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.lib.dovecot.managesieve-login
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.lib.dovecot.pop3-login
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.ntpd
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.smbd
  - Clean superfluous openssl abstraction includes (MR:1179)
- postfix-proxymap
  - Clean superfluous openssl abstraction includes (MR:1179)
- postfix-smtp
  - Clean superfluous openssl abstraction includes (MR:1179)
- postfix-smtpd
  - Clean superfluous openssl abstraction includes (MR:1179)
- postfix-tlsmgr
  - Clean superfluous openssl abstraction includes (MR:1179)
- sbin.dhclient
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.bin.freshclam
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.clamd
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.haproxy
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.httpd2-prefork
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.imapd
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.ipop2d
  - Clean superfluous openssl abstraction includes (MR:1179)
- usr.sbin.ipop3d
  - Clean superfluous openssl abstraction includes (MR:1179)
unconfined profiles
- update
  - firefox (MR:1185,LP:2046844)
- new
  - goldendict (MR:1186,LP:2046844)
  - kchmviewer (MR:1186,LP:2046844)
  - notepadqq (MR:1186,LP:2046844)
  - pageedit (MR:1186,LP:2046844)
  - privacybrowser (MR:1186,LP:2046844)
  - qmapshack (MR:1186,LP:2046844)
  - qutebrowser (MR:1186,LP:2046844)
  - rssguard (MR:1186,LP:2046844)
  - scide (MR:1186,LP:2046844)
  - geary (MR:1185,LP:2046844)
  - loupe (MR:1185,LP:2046844)
Infrastructure
- don't ship /var in downstream packages (MR:1167)