AppArmor 2.11.1

Policy Compiler (a.k.a apparmor_parser)

    Fix af_unix downgrade of network rules
    Fix delete after new[]
    Set parser executable path according to USE_SYSTEM make variable

Init

    Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507 lp#1668892

Library

    fix swig test_apparmor.py for zero length ptrace records
    Don't print shell commands that check for test failures
    Fix parallel make dependency issue in testsuite

Utils =

    aa-notify - update to use normal urgency notifications to obtain intended behavior across DEs
    Add network 'smc' keyword in NetworkRule
    Prevent 'wa' conflicts for file rules
    Carry over all autodep-generated rules in handle_children()
    Ignore ptrace log events without denied_mask
    Fix aa-logprof crash on ptrace garbage log events lp#1689667
    Fix regressions caused by init_aa()
    apparmor.easyprof update
        Fix import in test-aa-easyprof.py
        Add option to specify the apparmor_parser path
    Set parser base path according to USE_SYSTEM make variable
    Accept parser base and include options in aa-easyprof
    Update the logprof.conf in the test dir to point to in-tree paths
    Improve error messages when profiles/parser is not found
    Don't enforce ordering of dbus rule attributes lp#1628286
    Fix failing tests in test-aa.py
    Ignore change_hat events with error=-1 and "unconfined can not change_hat"
    Remove re.LOCALE flag lp#1661766
    update how questions are asked in profile generation

    YaST
        Fix save_profiles() for YaST https://bugzilla.opensuse.org/show_bug.cgi?id=1062667
    Add aa-remove-unknown utility to unload unknown profiles lp#1668892

Policy

    Abstractions
        freedesktop.org - support /usr/local/applications; support subdirs of applications folder
        fix for non-latin file/directory names
        gnome - allow reading GLib schemas.
        wayland - allow wayland-cursor-shared-*
        python - Adjust for python3.6
        perl-base - adjust the multiarch alternation rule in the perl abstraction for modern Debian and Ubuntu systems
        base - Allow sysconf(_SC_NPROCESSORS_CONF)
        nvidia - Update nvidia for newer nvidia drivers
        Rename global variable "pid" to "log_pid"
        glibc uses /proc/*/auxv and /proc/*/status files
        Apache2 - profile updates for proper signal handling, optional saslauth,

 and OCSP stapling

    sshd - drop local/ include
    /etc/cron.daily/logrotate update

    dovecot
        Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
        add the attach_disconnected flag
        change Px to mrPx for /usr/lib/dovecot/*
        dovecot-lda update lp#1650827
            the attach_disconnected flags
            read access to /usr/share/dovecot/protocols.d/
            rw for /run/dovecot/auth-userdb

    Postfix
        change abstractions/postfix-common to allow /etc/postfix/*.db k
        add several permissions to postfix/error, postfix/lmtp and postfix/pipe
        remove superfluous abstractions/kerberosclient from all postfix profiles - it's included via abstractions/nameservice

    Samba profile updates for ActiveDirectory / Kerberos
    traceroute - support TCP SYN for probes, quite net_admin request

Documentation

    Add network 'smc' keyword to apparmor.d manpage
    aa-status - update manpage for updated podchecker

Tests

    libapparmor: fix ptrace regression test failure
    Add --no-reload to various utils manpages
    Ignore test failures about duplicated conditionals in dbus rules
    readdir - test both getdents() and getdents64() if available
    where necessary use getdents64 to fix arm64 build failure lp#1674245
    No longer skip testing generated_perms_leading profiles
    regression tests-
        fix environ fail case