AppArmor 2.10.1

Milestone information

John Johansen
Release registered:
No. Drivers cannot target bugs and blueprints to this milestone.  

9 Christian Boltz
No blueprints are targeted to this milestone.
17 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature.

File | Description | Downloads
apparmor-2.10.1.tar.gz (md5, sig) | AppArmor 2.10.1 | 4,542
last downloaded 13 weeks ago
Total downloads: 4,542

Release notes 

Bug fix release for apparmor 2.10


=== Policy Compiler (a.k.a. apparmor_parser) ===

* Caching
** Fix caching timestamp mtime issues ({{lp|1484178}})
** bump abi to force policy recompiles for bad caches
** Fix uninitialized variable and reference leak

* allow "unspec" (AF_UNSPEC) family in network rules ({{lp|1546455}})
* properly parse named transition targets ({{lp|1540666}})
* allow profile keyword to be used with namespaces ({{lp|1544387}})
* Fix segfault when processing profile directories ({{lp|1534405}})
* Fix regression: Honor the --namespace-string commandline option ({{lp|1526085}})
* Fix remount with bind ({{lp|1272028}})
* Fix a missing comma when dumping capability names for debugging
* Fix incorrect output of child profile names (-N) which could cause policy reload to remove children profiles that should not have been. ({{lp|1551950}})

=== Library ===

* Fix crash on change_hat events ({{lp|1523297}})
* fix log parsing memory leaks

=== Utils ===

* aa-status
** make aa-status work without python3-apparmor ({{lp|1480492}})
* aa-easyprof
** Use for AppArmorException handling in aa-easyprof
* aa-logprof, aa-genprof, aa-mergeprof
** Fix wrong usage of write_prof_data in serialize_profile_from_old_profile() ({{lp|1528139}})
** Fix aa-mergeprof crash with files containing multiple profiles
** Add simple_tests/profile/ to utils test exception list
** Remove pname to bin_name mapping in autodep()
** do sanity check for all file events ({{lp|1540562}})
** handle versioned ruby interpreters
** print test filenames in 'make check' and 'make coverage'
** Better error message on unknown profile lines
** AARE: escape reserved exclamation mark symbol
** More useful logparser failure reports
** Fix handling of link events in aa-logprof
** Write unix rules when saving a profile ({{lp|1522938}}, {{954104}})
** Adjust for python2
** Adjust type(x) == str checks in the rule classes for py2 ({{lp|1513880}})
** Let the error handler print to stderr ({{lp|1521400}})
** ignore log event if request_mask == '' ({{lp|1525119}})
** Fix crash on change_hat events ({{lp|1523297}})
** Several fixes for variable handling
** Change abstract methods in BaseRule to use NotImplementedError
** Map c (create) log events to w instead of a
** Also add python 3.5 to logprof.conf
** Add debug info to profile_storage()
** Fix parsing/storing bare file rules
** update PYMODULES in tools/Makefile
** Add python to the "no Px rule" list in logprof.conf
** ignore file_inherit events without request_mask ({{lp|1466812}})
** Let 'make check' work without logprof.conf ({{lp|1393979}})
** Fix handling of interpreters with parameters ({{lp|1505775}})
** merge script handling into get_interpreter_and_abstraction()
** Add tests for create_new_profile()
** Change utils/test/Makefile to use the in-tree libapparmor
** Parse all parser simple_tests with the utils code
** Get rid of global variable 'logger'
** make 'ldd' variable non-global
** Fix missing profile init in create_new_profile()
** Store filename for includes and hats
** Add AARE tests for [chars] and [^chars] style globbing to
** load_include(): use include_dir_filelist()
** remove unused code from load_include()
** load_include(): avoid loading directory includes multiple times
** Reset aa and original_aa in read_profiles()
** move tests for convert_regexp() to (new)
** Accept more log formats in
** Test libapparmor test_multi tests against
** utils/aa-logprof.pod: fix typo in manpage ({{lp|1485855}})
** Add network mpls and ib to rule/ and the apparmor.d manpage
** map socket_create events to 'net' events
** Check for duplicate profiles
** Fix name_to_prof_filename() error behaviour
** Change RE_PROFILE_START to accept variables
** Split add_event_to_tree() into multiple functions
** drop shebang from apparmor/rule/*.py

=== Policy ===

* Change /bin/ paths in profiles to also match on /usr/bin/

Updates to the following profiles:
* sbin.dhclient: allow executing nm-dhcp-helper and access to some files in /var/lib/dhcp6/ and /var/lib/NetworkManager/
* sbin.syslog-ng: add several permissions (abstractions/openssl, reading the journal etc.) which are needed by the latest syslog-ng ({{boo|948584}}, {{boo|948753}})
* allow reading @{PROC}/@{pid}/net/dev ({{boo|939568}})
* usr.lib.dovecot.auth: allow writing to /var/run/dovecot/user-stats (needed by dovecot >= 2.2.22)
* usr.lib.dovecot.lmtp: add openssl and ssl_keys abstractions
* usr.lib.dovecot.imap: allow reading /run/dovecot/mounts
* usr.lib.dovecot.dovecot-lda:
** allow to write tempfiles ({{boo|954959}})
** allow to execute sendmail ({{boo|954958}})
* usr.sbin.avahi-daemon: allow write access to /run/systemd/notify (needed on systems with systemd)

* usr.sbin.dnsmasq:
** allow /bin/sh and /bin/dash in addition to /bin/bash ({{boo|940749}}, non-public)
** allow /dev/tty rw which is needed by the --dhcp-script's shell ({{boo|940749}}, non-public)
** add attach_disconnected flag ({{lp|1569316}})

* usr.sbin.nscd: allow reading /proc/self/cmdline, needed for paranoia mode ({{boo|971790}})
* usr.sbin.ntpd:
** add attach_disconnected flag (needed for using nscd)
** allow reading the directory listing of $PATH ({{boo|945592}})
* usr.sbin.smbd: allow capability sys_admin which is needed because smbd stores ACLs in the security.NTACL namespace ({{boo|964971}}, discussion on the Samba mailing list)
* usr.sbin.winbindd:
** update for Samba 4.2 ({{boo|921098}}, {{boo|923201}})
** allow k for /etc/samba/smbd.tmp/msg/* ({{boo|921098#c15}})

Updates to the following abstractions:
* base: allow reading /usr/share/locale-bundle/ (contains translations in openSUSE)
* nameservice: allow reading /run/systemd/resolve/resolv.conf ({{lp|1529074}})
* python: update for python3
* samba: update for Samba 4.2 ({{boo|921098}})
* ssl_certs, ssl_keys: allow reading acmetool-generated certificates in /var/lib/acme/
* X: allow unix connections to @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird
* allow dconf abstraction to read /etc/dconf/**

=== Documentation ===

* Correct meaning of EPERM in aa_change_profile man page
* document that open fds may be revalidated after aa_change_profile()
* document that exec deny rules don't allow transition qualifiers (ix, Px, Ux etc.) - only 'deny /foo x,' is allowed.
* Add realtime signals to SIGNALS list in apparmor.d manpage
* Add realtime signal example to the apparmor.d manpage
* Add missing variables @{pids} and @{apparmorfs} to the apparmor.d manpage
* fix typo "sinlge" in apparmor_parser manpage ({{lp|1485530}})
* Remove incorrect statement in aa_change_profile man page

=== Init Scripts ===

commit 78c5ed675ef0bcda0be971c9d72d5645efacab1d
* Fix aa_log_end_msg() in rc.apparmor.suse ({{boo|862170}})

=== Regression and Unit Tests ===

* fix ptrace tests for arm64 and s390 ({{lp|1470985}}, {{lp|1531325}})
* Add parser tests for various rules outside of a profile body
* make caching tests not fail w/python <= 3.2
* Don't skip parser unit test cleanup when the test was skipped
* Run caching tests even when apparmorfs is not mounted
* Verify cache file mtime in caching tests
* make sysctl(2) regression test a bit more resilient
* fix memory leaks in libapparmor's aalogmisc unit tests.
* Add a new test that was posted on IRC to the test_multi set

0 blueprints and 17 bugs targeted

Bug report | Importance | Assignee | Status
#1324608 when aa-logprof processed file access rules with mask of "c" the resulting profile doesn't work | Medium | | Fix Released
#1531325 AppArmor tests fail on Xenial kernel on s390x arch | Medium | | Fix Released
#1485530 typo in apparmor_parser(8) manpage | Low | | Fix Released
#1485855 typo in aa-logprof(8) manpage: and -> an | Low | | Fix Released
#1393979 py tests depend on /etc/apparmor/logprof.conf | Undecided | Christian Boltz | Fix Released
#1505775 aa-autodep fails if shebang line contains parameters | Undecided | Christian Boltz | Fix Released
#1509030 file_inherit log events crash aa-logprof | Undecided | Christian Boltz | Fix Released
#1513880 [python2] aa-logprof: AppArmorBug: Passed unknown object to NetworkRule: inet | Undecided | Christian Boltz | Fix Released
#1521400 aa-easyprof prints to stdout upon manifest parsing errors | Undecided | | Fix Released
#1522938 unix rules not written to profile | Undecided | Christian Boltz | Fix Released
#1523297 crash for change_hat event | Undecided | Christian Boltz | Fix Released
#1525119 Cannot permit some operations for sssd | Undecided | Christian Boltz | Fix Released
#1526085 apparmor_parser --namespace-string does not load profiles in the specified ns in 2.10 | Undecided | | Fix Released
#1528139 serialize_profile_from_old_profile() crash if file contains multiple profiles | Undecided | Christian Boltz | Fix Released
#1534405 Regression in parser compiling/loading a directory | Undecided | | Fix Released
#1540562 aa-genprof crashes in logparser NoneType has no "replace" | Undecided | Christian Boltz | Fix Released
#1551950 reloading profiles doesn't load all hats | Undecided | | Fix Released