The upstream AppArmor project has cut the 2.11 Beta 1 release. It contains a large number of bug fixes and a key feature. The feature is to allow profiles and applications to take advantage of the policy namespace stacking that has landed in the Xenial kernel. This will allow LXD containers to be confined with an over-arching AppArmor profile while individual processes inside the container can be further confined with an individual profile.
Here's the changelog, containing Debian/Ubuntu bug fixes, that I have accumulated so far:
* Update to apparmor 2.10.95 (2.11 Beta 1)
- Allow Apache prefork profile to chown(2) files (LP: #1210514)
- Allow deluge-gtk and deluge-console to handle torrents opened in
browsers (LP: #1501913)
- Allow file accesses needed by some programs using libnl-3-200
(Closes: #810888)
- Allow file accesses needed on systems that use NetworkManager without
resolvconf (Closes: #813835)
- Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
- Fix aa-logprof(8) crash when operating on files containing multiple
profiles with certain rules (LP: #1528139)
- Fix log parsing crashes, in the Python utilities, caused by certain file
related events (LP: #1525119, LP: #1540562)
- Fix log parsing crasher, in the Python utilities, caused by certain
change_hat events (LP: #1523297)
- Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
when Python 3 is not available (LP: #1513880)
- Send aa-easyprof(8) error messages to stderr instead of stdout
(LP: #1521400)
- Fix aa-autodep(8) failure when the shebang line of a script contained
parameters (LP: #1505775)
- Don't depend on the system logprof.conf when running utils/ build tests
(LP: #1393979)
- Fix apparmor_parser(8) bugs when parsing profiles that use policy
namespaces in the profile declaration or profile transition targets
(LP: #1540666, LP: #1544387)
- Regression fix for apparmor_parser(8) bug that resulted in the
--namespace-string commandline option being ignored causing profiles to
be loaded into the root policy namespace (LP: #1526085)
- Fix crasher regression in apparmor_parser(8) when the parser was asked
to process a directory (LP: #1534405)
- Fix bug in apparmor_parser(8) to honor the specified bind flags remount
rules (LP: #1272028)
- Support tarball generation for Coverity scans and fix a number of issues
discovered by Coverity
- Fix regression test failures on s390x systems (LP: #1531325)
- Adjust expected errno values in changeprofile regression test
(LP: #1559705)
- The Python utils gained support for ptrace and signal rules
- aa-exec(8) received a rewrite in C
- apparmor_parser(8) gained support for stacking multiple profiles, as
supported by the Xenial kernel (LP: #1379535)
- libapparmor gained new public interfaces, aa_stack_profile(2) and
aa_stack_onexec(2), allowing applications to utilize the new kernel
stacking support (LP: #1379535)
* Drop the following patches since they've been incorporated upstream:
- aa-status-dont_require_python3-apparmor.patch
- r3209-dnsmasq-allow-dash
- r3227-locale-indep-capabilities-sorting.patch
- r3277-update-python-abstraction.patch
- r3366-networkd.patch,
- tests-fix_sysctl_test.patch
- parser-fix-cache-file-mtime-regression.patch
- parser-verify-cache-file-mtime.patch
- parser-run-caching-tests-without-apparmorfs.patch
- parser-do-cleanup-when-test-was-skipped.patch
- parser-allow-unspec-in-network-rules.patch
* debian/rules, debian/apparmor.install, debian/apparmor.manpages: Update
for new upstream binutils directory and the new aa-exec and aa-enabled
binaries
* debian/libapparmor-dev.manpages: Include the new aa_stack_profile.2 man
page
* debian/patches/r3424-nscd-profile-allow-paranoia-mode.patch: Allow file
access needed for nscd's paranoia mode
* debian/patches/r3425-adjust-stacking-tests-version-check.patch: Adjust the
regression test build time checks, for libapparmor stacking support, to
look for the 2.10.95 versioning rather than 2.11
The upstream AppArmor project has cut the 2.11 Beta 1 release. It contains a large number of bug fixes and a key feature. The feature is to allow profiles and applications to take advantage of the policy namespace stacking that has landed in the Xenial kernel. This will allow LXD containers to be confined with an over-arching AppArmor profile while individual processes inside the container can be further confined with an individual profile.
Here's the changelog, containing Debian/Ubuntu bug fixes, that I have accumulated so far:
apparmor (2.10.95- 0ubuntu1~ tyhicks2) xenial; urgency=medium
* Update to apparmor 2.10.95 (2.11 Beta 1) -namespace- string commandline option being ignored causing profiles to stack_onexec( 2), allowing applications to utilize the new kernel dont_require_ python3- apparmor. patch allow-dash indep-capabilit ies-sorting. patch python- abstraction. patch patch, sysctl_ test.patch fix-cache- file-mtime- regression. patch verify- cache-file- mtime.patch run-caching- tests-without- apparmorfs. patch do-cleanup- when-test- was-skipped. patch allow-unspec- in-network- rules.patch apparmor. install, debian/ apparmor. manpages: Update libapparmor- dev.manpages: Include the new aa_stack_profile.2 man patches/ r3424-nscd- profile- allow-paranoia- mode.patch: Allow file patches/ r3425-adjust- stacking- tests-version- check.patch: Adjust the
- Allow Apache prefork profile to chown(2) files (LP: #1210514)
- Allow deluge-gtk and deluge-console to handle torrents opened in
browsers (LP: #1501913)
- Allow file accesses needed by some programs using libnl-3-200
(Closes: #810888)
- Allow file accesses needed on systems that use NetworkManager without
resolvconf (Closes: #813835)
- Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
- Fix aa-logprof(8) crash when operating on files containing multiple
profiles with certain rules (LP: #1528139)
- Fix log parsing crashes, in the Python utilities, caused by certain file
related events (LP: #1525119, LP: #1540562)
- Fix log parsing crasher, in the Python utilities, caused by certain
change_hat events (LP: #1523297)
- Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
when Python 3 is not available (LP: #1513880)
- Send aa-easyprof(8) error messages to stderr instead of stdout
(LP: #1521400)
- Fix aa-autodep(8) failure when the shebang line of a script contained
parameters (LP: #1505775)
- Don't depend on the system logprof.conf when running utils/ build tests
(LP: #1393979)
- Fix apparmor_parser(8) bugs when parsing profiles that use policy
namespaces in the profile declaration or profile transition targets
(LP: #1540666, LP: #1544387)
- Regression fix for apparmor_parser(8) bug that resulted in the
-
be loaded into the root policy namespace (LP: #1526085)
- Fix crasher regression in apparmor_parser(8) when the parser was asked
to process a directory (LP: #1534405)
- Fix bug in apparmor_parser(8) to honor the specified bind flags remount
rules (LP: #1272028)
- Support tarball generation for Coverity scans and fix a number of issues
discovered by Coverity
- Fix regression test failures on s390x systems (LP: #1531325)
- Adjust expected errno values in changeprofile regression test
(LP: #1559705)
- The Python utils gained support for ptrace and signal rules
- aa-exec(8) received a rewrite in C
- apparmor_parser(8) gained support for stacking multiple profiles, as
supported by the Xenial kernel (LP: #1379535)
- libapparmor gained new public interfaces, aa_stack_profile(2) and
aa_
stacking support (LP: #1379535)
* Drop the following patches since they've been incorporated upstream:
- aa-status-
- r3209-dnsmasq-
- r3227-locale-
- r3277-update-
- r3366-networkd.
- tests-fix_
- parser-
- parser-
- parser-
- parser-
- parser-
* debian/rules, debian/
for new upstream binutils directory and the new aa-exec and aa-enabled
binaries
* debian/
page
* debian/
access needed for nscd's paranoia mode
* debian/
regression test build time checks, for libapparmor stacking support, to
look for the 2.10.95 versioning rather than 2.11
-- Tyler Hicks <email address hidden> Thu, 24 Mar 2016 12:12:11 -0500