Policy Compiler (a.k.a apparmor_parser)

• Fix af_unix downgrade of network rules
• Fix delete after new[]
• Set parser executable path according to USE_SYSTEM make variable

Init

• Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507

Library

• fix swig test_apparmor.py for zero length ptrace records
• Don't print shell commands that check for test failures
• Fix parallel make dependency issue in testsuite

Utils

• aa-notify - update to use normal urgency notifications to obtain intended behavior across DEs
• Add network 'smc' keyword in NetworkRule
• Prevent 'wa' conflicts for file rules
• Carry over all autodep-generated rules in handle_children()
• Ignore ptrace log events without denied_mask
• Fix aa-logprof crash on ptrace garbage log events
• Fix regressions caused by init_aa()
• apparmor.easyprof update
  • Fix import in test-aa-easyprof.py
  • Add option to specify the apparmor_parser path
• Set parser base path according to USE_SYSTEM make variable
• Accept parser base and include options in aa-easyprof
• Update the logprof.conf in the test dir to point to in-tree paths
• Improve error messages when profiles/parser is not found
• Don't enforce ordering of dbus rule attributes
• Fix failing tests in test-aa.py
• Ignore change_hat events with error=-1 and “unconfined can not change_hat”
• Remove re.LOCALE flag
• update how questions are asked in profile generation
• YaST
  • Fix save_profiles() for YaST https://bugzilla.opensuse.org/show_bug.cgi?id=1062667
• Add aa-remove-unknown utility to unload unknown profiles

Policy

• Abstractions

  • freedesktop.org - support /usr/local/applications; support subdirs of applications folder
  • fix for non-latin file/directory names
  • gnome - allow reading GLib schemas.
  • wayland - allow wayland-cursor-shared-*
  • python - Adjust for python3.6
  • perl-base - adjust the multiarch alternation rule in the perl abstraction for modern Debian and Ubuntu systems
  • base - Allow sysconf(_SC_NPROCESSORS_CONF)
  • nvidia - Update nvidia for newer nvidia drivers
  • Rename global variable “pid” to “log_pid”
  • glibc uses /proc/*/auxv and /proc/*/status files
  • Apache2 - profile updates for proper signal handling, optional saslauth, and OCSP stapling

• sshd - drop local/ include

• /etc/cron.daily/logrotate update

• dovecot

  • Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
  • add the attach_disconnected flag
  • change Px to mrPx for /usr/lib/dovecot/*
  • dovecot-lda update
    • the attach_disconnected flags
    • read access to /usr/share/dovecot/protocols.d/
    • rw for /run/dovecot/auth-userdb

• Postfix

  • change abstractions/postfix-common to allow /etc/postfix/*.db k
  • add several permissions to postfix/error, postfix/lmtp and postfix/pipe
  • remove superfluous abstractions/kerberosclient from all postfix profiles - it's included via abstractions/nameservice

• Samba profile updates for ActiveDirectory / Kerberos

• traceroute - support TCP SYN for probes, quite net_admin request

Documentation

• Add network 'smc' keyword to apparmor.d manpage
• aa-status - update manpage for updated podchecker

Tests

• libapparmor: fix ptrace regression test failure
• Add --no-reload to various utils manpages
• Ignore test failures about duplicated conditionals in dbus rules
• readdir - test both getdents() and getdents64() if available
• where necessary use getdents64 to fix arm64 build failure
• No longer skip testing generated_perms_leading profiles
• regression tests
  • fix environ fail case