Skip to content

  • Projects
  • Groups
  • Snippets
  • Help
  • This project
    • Loading...
  • Sign in / Register
apparmor
apparmor
  • Overview
    • Overview
    • Details
    • Activity
    • Cycle Analytics
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Charts
    • Locked Files
  • Issues 2
    • Issues 2
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 8
    • Merge Requests 8
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
    • Charts
  • Registry
    • Registry
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Charts
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • AppArmor
  • apparmorapparmor
  • Wiki
  • Release_notes_2.11.1

Release_notes_2.11.1

Last edited by Christian Boltz Dec 13, 2017
Page history

Policy Compiler (a.k.a apparmor_parser)

  • Fix af_unix downgrade of network rules
  • Fix delete after new[]
  • Set parser executable path according to USE_SYSTEM make variable

Init

  • Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507

Library

  • fix swig test_apparmor.py for zero length ptrace records
  • Don't print shell commands that check for test failures
  • Fix parallel make dependency issue in testsuite

Utils

  • aa-notify - update to use normal urgency notifications to obtain intended behavior across DEs
  • Add network 'smc' keyword in NetworkRule
  • Prevent 'wa' conflicts for file rules
  • Carry over all autodep-generated rules in handle_children()
  • Ignore ptrace log events without denied_mask
  • Fix aa-logprof crash on ptrace garbage log events
  • Fix regressions caused by init_aa()
  • apparmor.easyprof update
    • Fix import in test-aa-easyprof.py
    • Add option to specify the apparmor_parser path
  • Set parser base path according to USE_SYSTEM make variable
  • Accept parser base and include options in aa-easyprof
  • Update the logprof.conf in the test dir to point to in-tree paths
  • Improve error messages when profiles/parser is not found
  • Don't enforce ordering of dbus rule attributes
  • Fix failing tests in test-aa.py
  • Ignore change_hat events with error=-1 and “unconfined can not change_hat”
  • Remove re.LOCALE flag
  • update how questions are asked in profile generation
  • YaST
    • Fix save_profiles() for YaST https://bugzilla.opensuse.org/show_bug.cgi?id=1062667
  • Add aa-remove-unknown utility to unload unknown profiles

Policy

  • Abstractions

    • freedesktop.org - support /usr/local/applications; support subdirs of applications folder
    • fix for non-latin file/directory names
    • gnome - allow reading GLib schemas.
    • wayland - allow wayland-cursor-shared-*
    • python - Adjust for python3.6
    • perl-base - adjust the multiarch alternation rule in the perl abstraction for modern Debian and Ubuntu systems
    • base - Allow sysconf(_SC_NPROCESSORS_CONF)
    • nvidia - Update nvidia for newer nvidia drivers
    • Rename global variable “pid” to “log_pid”
    • glibc uses /proc/*/auxv and /proc/*/status files
    • Apache2 - profile updates for proper signal handling, optional saslauth, and OCSP stapling
  • sshd - drop local/ include

  • /etc/cron.daily/logrotate update

  • dovecot

    • Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
    • add the attach_disconnected flag
    • change Px to mrPx for /usr/lib/dovecot/*
    • dovecot-lda update
      • the attach_disconnected flags
      • read access to /usr/share/dovecot/protocols.d/
      • rw for /run/dovecot/auth-userdb
  • Postfix

    • change abstractions/postfix-common to allow /etc/postfix/*.db k
    • add several permissions to postfix/error, postfix/lmtp and postfix/pipe
    • remove superfluous abstractions/kerberosclient from all postfix profiles - it's included via abstractions/nameservice
  • Samba profile updates for ActiveDirectory / Kerberos

  • traceroute - support TCP SYN for probes, quite net_admin request

Documentation

  • Add network 'smc' keyword to apparmor.d manpage
  • aa-status - update manpage for updated podchecker

Tests

  • libapparmor: fix ptrace regression test failure
  • Add --no-reload to various utils manpages
  • Ignore test failures about duplicated conditionals in dbus rules
  • readdir - test both getdents() and getdents64() if available
  • where necessary use getdents64 to fix arm64 build failure
  • No longer skip testing generated_perms_leading profiles
  • regression tests
    • fix environ fail case
Clone repository
  • About
  • Apparmorapis
  • Apparmordelegation
  • Apparmorgsettings
  • Apparmorinsystemd
  • Apparmorinterfaces
  • Apparmorlabelsandtypes
  • Apparmorlog
  • Apparmormls
  • Apparmormonitoring
  • Apparmornamespaces
  • Apparmorpolicy
  • Apparmorpolicyscope
  • Apparmorpolicytoc
  • Apparmorpolicyview
More Pages
×

New Wiki Page

Tip: You can specify the full path for the new file. We will automatically create any missing directories.