The released versions documented below are for the AppArmor userspace
utils. The AppArmor kernel module does not track versions the same way,
as it primarily tracks Linux kernel releases. In general the AppArmor
kernel module tries to support old versions of the AppArmor userspace
(at this time versions 2.1 - 2.10), and the AppArmor userspace supports
the current and previous releases of the kernel.
For a new feature to be supported, both a version of the userspace utils
and a kernel that support the feature are required. If the AppArmor
userspace utils are too old they will fail to recognize the feature
and policy compilation will fail. If the kernel is too old, one of three
things happens: the AppArmor utils compile the policy down to what is
supported by the kernel, thus dropping the unsupported feature; the
kernel ignores the unsupported feature; or the kernel rejects the
policy load if it is for an ABI it does not support.
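A pre-flight check that applies the compatibility rules above before a policy is loaded, added here as an example and not part of the AppArmor project's own tooling. It assumes the kernel advertises the features it supports as entries under securityfs (by default /sys/kernel/security/apparmor/features), and that the caller supplies the parser version and the minimum parser version the feature needs.

```shell
#!/bin/sh
# Added example (not from the AppArmor project). Assumptions: the kernel
# exposes supported features as subdirectories of the features directory,
# and version strings are plain dotted numbers (e.g. 2.10, 3.0.4).

# version_ge A B: succeed if dotted version A >= B, comparing component by
# component as integers so that 2.10 sorts after 2.9.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# kernel_has_feature FEATURES_DIR FEATURE: succeed if the running kernel
# advertises FEATURE (a path relative to the features directory, e.g. "mount").
kernel_has_feature() {
    [ -e "$1/$2" ]
}

# check_feature FEATURES_DIR PARSER_VERSION FEATURE MIN_PARSER_VERSION
# Returns 0 only when both the kernel and the userspace parser support the
# feature; otherwise reports which side is too old and returns 1.
check_feature() {
    dir="$1"; pver="$2"; feat="$3"; minver="$4"
    rc=0
    if ! kernel_has_feature "$dir" "$feat"; then
        echo "kernel: '$feat' not advertised; parser will drop it or kernel will reject the load" >&2
        rc=1
    fi
    if ! version_ge "$pver" "$minver"; then
        echo "userspace: parser $pver is older than $minver; policy using '$feat' will not compile" >&2
        rc=1
    fi
    return $rc
}

# Live usage (parser version taken from the first line of apparmor_parser --version;
# replace <min-parser-version> with the release that introduced the feature):
# check_feature /sys/kernel/security/apparmor/features \
#     "$(apparmor_parser --version | sed -n '1s/.*version //p')" mount <min-parser-version>
```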
AppArmor kernel module versions
The kernel module's history breaks down into several development epochs.
Pre-LSM kernel patch. Not upstreamed and lost long ago.
apparmor 2.0: LSM rewrite.
apparmor 2.1: dfa & invasive VFS hooks patch
apparmor 2.5: creds & LSM path hooks rewrite
apparmor 3: labeling - a development series that was a precursor to type splitting. Carried by Ubuntu but never upstreamed
apparmor 3.5 - 3.6: stacking which exposes compound task labeling to user interfaces. Carried by Ubuntu but never upstreamed
apparmor 4: labeling upstreamed
apparmor 4.5: typesplitting
apparmor 5: Delegation
The 2.x series reworked the backend several times but kept the same
basic profile model.
The 3.x series transitioned to using a labeling model based on DTE that
allowed for more than one profile to be stored in a label associated
with a subject or object.
The 4.x series finished the transition to a DTE type splitting model,
which is a finer-grained evolution of the labeling in the 3.x series.
Development target: incremental improvement over AppArmor 2.7.x, with more code cleanups and bug fixes to the userspace tools, plus mount rules and the start of a new introspection interface in the kernel.
In this version of AppArmor, development of new features was largely halted and the kernel module was rewritten to use the new path_permission hooks provided by the LSM. This necessitated some changes to user space as well, and some features were lost.
Profile names can now contain regular expressions, allowing a single profile to match against multiple binaries.
pux profile transitions, so that x transitions can fall back to unconfined if a profile is not present
Better support for profile namespaces
The ability for an unconfined process to arbitrarily set a task's profile
AppArmor 2.1+ is based on 2.1.1 plus some of the development for
2.3. Specifically, it contains kernel and parser support for profile
namespaces, link pairs, and file rules conditional upon user. The
tools, however, do not support any of these features, so they are of
This is a backport of AppArmor 2.1 to SLES10SP2. It has the 2.1
feature set plus a modified apparmor_parser capable of loading both the older
2.0/2.0.1 (pcre-based) policy and the newer 2.1 (dfa-based) policy.