AppArmor 2.11.1

AppArmor 2.11.1 Release

Milestone information

John Johansen
Release registered:
No. Drivers cannot target bugs and blueprints to this milestone.  

Download RDF metadata


Assigned to you:
No blueprints or bugs assigned to you.
1 Christian Boltz, 1 Colin Ian King, 1 Tyler Hicks
No blueprints are targeted to this milestone.
11 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature. (How do I verify a download?)

File Description Downloads
download icon apparmor-2.11.1.tar.gz (md5, sig) AppArmor 2.11.1 1,382
last downloaded 5 weeks ago
Total downloads: 1,382

Release notes 

Policy Compiler (a.k.a apparmor_parser)

    Fix af_unix downgrade of network rules
    Fix delete after new[]
    Set parser executable path according to USE_SYSTEM make variable


    Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507 lp#1668892


    fix swig for zero length ptrace records
    Don't print shell commands that check for test failures
    Fix parallel make dependency issue in testsuite

Utils =

    aa-notify - update to use normal urgency notifications to obtain intended behavior across DEs
    Add network 'smc' keyword in NetworkRule
    Prevent 'wa' conflicts for file rules
    Carry over all autodep-generated rules in handle_children()
    Ignore ptrace log events without denied_mask
    Fix aa-logprof crash on ptrace garbage log events lp#1689667
    Fix regressions caused by init_aa()
    apparmor.easyprof update
        Fix import in
        Add option to specify the apparmor_parser path
    Set parser base path according to USE_SYSTEM make variable
    Accept parser base and include options in aa-easyprof
    Update the logprof.conf in the test dir to point to in-tree paths
    Improve error messages when profiles/parser is not found
    Don't enforce ordering of dbus rule attributes lp#1628286
    Fix failing tests in
    Ignore change_hat events with error=-1 and "unconfined can not change_hat"
    Remove re.LOCALE flag lp#1661766
    update how questions are asked in profile generation

        Fix save_profiles() for YaST
    Add aa-remove-unknown utility to unload unknown profiles lp#1668892


    Abstractions - support /usr/local/applications; support subdirs of applications folder
        fix for non-latin file/directory names
        gnome - allow reading GLib schemas.
        wayland - allow wayland-cursor-shared-*
        python - Adjust for python3.6
        perl-base - adjust the multiarch alternation rule in the perl abstraction for modern Debian and Ubuntu systems
        base - Allow sysconf(_SC_NPROCESSORS_CONF)
        nvidia - Update nvidia for newer nvidia drivers
        Rename global variable "pid" to "log_pid"
        glibc uses /proc/*/auxv and /proc/*/status files
        Apache2 - profile updates for proper signal handling, optional saslauth,

 and OCSP stapling

    sshd - drop local/ include
    /etc/cron.daily/logrotate update

        Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
        add the attach_disconnected flag
        change Px to mrPx for /usr/lib/dovecot/*
        dovecot-lda update lp#1650827
            the attach_disconnected flags
            read access to /usr/share/dovecot/protocols.d/
            rw for /run/dovecot/auth-userdb

        change abstractions/postfix-common to allow /etc/postfix/*.db k
        add several permissions to postfix/error, postfix/lmtp and postfix/pipe
        remove superfluous abstractions/kerberosclient from all postfix profiles - it's included via abstractions/nameservice

    Samba profile updates for ActiveDirectory / Kerberos
    traceroute - support TCP SYN for probes, quite net_admin request


    Add network 'smc' keyword to apparmor.d manpage
    aa-status - update manpage for updated podchecker


    libapparmor: fix ptrace regression test failure
    Add --no-reload to various utils manpages
    Ignore test failures about duplicated conditionals in dbus rules
    readdir - test both getdents() and getdents64() if available
    where necessary use getdents64 to fix arm64 build failure lp#1674245
    No longer skip testing generated_perms_leading profiles
    regression tests-
        fix environ fail case


This release does not have a changelog.

0 blueprints and 11 bugs targeted

Bug report Importance Assignee Status
1628286 #1628286 [utils] DBus rules enforce stricter ordering of dbus attributes 3 High Tyler Hicks  10 Fix Released
1512131 #1512131 Apparmor complains about multiple /run/dovecot file access 1 Undecided   10 Fix Released
1650827 #1650827 /usr/lib/dovecot/dovecot-lda: "Failed name lookup - disconnected path" 1 Undecided   10 Fix Released
1658238 #1658238 apache2 abstraction incomplete 1 Undecided   10 Fix Released
1658238 #1658238 apache2 abstraction incomplete 1 Undecided   10 Fix Released
1658239 #1658239 base abstraction missing glibc /proc/$pid/ things 1 Undecided   10 Fix Released
1658239 #1658239 base abstraction missing glibc /proc/$pid/ things 1 Undecided   10 Fix Released
1661766 #1661766 aa-genprof crashes on start due to python 3.6 bug 1 Undecided   10 Fix Released
1668892 #1668892 CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles 1 Undecided   10 Fix Released
1674245 #1674245 SYS_getdents undecleared for readdir regression test on arm64 1 Undecided Colin Ian King  10 Fix Released
1719195 #1719195 aa-logprof: apparmor.common.AppArmorBug: Passed unknown <class 'NoneType'> object to PtraceRule: None 1 Undecided Christian Boltz  10 Fix Released
This milestone contains Public information
Everyone can see this information.