Changes in This Release
Build Infrastructure
add files to .gitignore:
swig auto generated files for ruby (MR366)
fix libapparmor swig 4 failure 'aa_log_record' object has no attribute '__getattr__' (BUG33)
Policy Compiler (a.k.a apparmor_parser)
clean up error handling (dbug921866, LP1815294)
fix parsing of target profile NAME in directed transitions “px -> NAME"
improve runtime attachment by determine xmatch priority based on smallest DFA match
don't skip cache just because parser optimizations are specified
Init
ensure error value is returned correctly (MR352)
Utils
logprof/genprof:
drop failing corner-case check in logparser.py (bso1120472, MR297)
drop unused get_profile_filename() from logparser.py (MR297)
fix error KeyError: 'logfiles' when no logprof.conf exists (MR365)
don't drop later events when user selects to deny a hat (MR378)
update network keyword list and add corresponding tests (MR350)
Policy
Profiles
dnsmasq: Work around breakage caused by {bin,sbin} alternation (bso1127073, MR346)
dovecot:
allow FD passing between dovecot and dovecot's anvil (MR336)
allow chroot'ing the auth processes (MR336)
let dovecot/anvil rw the auth-penalty socket (MR336)
auth processes need to read from postfix auth socket (MR336)
add abstractions/ssl_certs to lmtp (MR336)
align {pop3,managesieve}-login to imap-login
allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/
allow lmtp the dac_read_search capability
allow master to use SIGTERM on children that are slow to die
identd: allow network netlink dgram (MR353)
syslog-ng: add abstractions/python for python-parser
Abstractions
audio:
grant read access to the libao configuration files (dbug920670, MR320)
grant read access to the system-wide asound.conf (dbug920669, MR320)
fonts:
allow writing to owned fontconfig directories
allow creating owned fontconfig directories
gnome:
allow creating gtk-2, gtk-3 config directories
allow read/write access to gtk-3 config directory
kde:
update kde abstraction for common settings (MR327)
fix global settings access for Kubuntu and openSUSE (MR327)
ldapclient: allow read/write access to the nslcd socket
nameservice: allow /run/netconfig/resolv.conf (bso1097370)
nvidia: allow reading nvidia application profiles
postfix-common: make compatible with latest postfix profiles
python: allow /usr/local/lib/python3
qt5: read user configuration
ubuntu-browsers.d/multimedia: allow creating and writing to owned .adobe directory
vulkan: allow reading /etc/vulkan/icd.d/ (MR329)
Tests
fix various tests to cope with usr-merge (MR331)
fix mount test to use next available loop device (MR379)
Documentation
update list of network domain keywords in the apparmor.d manpage (MR349)
drop to option for link rules from the apparmor.d manpage (MR368)