AppArmor 2.13.3

Changes in this Release

Translations

sync to most up to date language translations available

Build Infrastructure

add files to .gitignore

swig auto generated files for ruby ([MR366][MR366])

fix libapparmor swig 4 failure 'aa_log_record' object has no attribute '__getattr__' ([BUG33][AABUG33])

libapparmor

fix segfault in overlaydirat_for_each causing overlayed cache directory failures
fix segfault when loading policy cache files
fix failure to merge overlay directories in some situations

Policy Compiler (a.k.a. apparmor_parser)

clean up error handling ([dbug921866][dbug921866], [LP1815294][LP1815294])
fix parsing of target profile NAME in directed transitions "px -> NAME"
improve runtime attachment by determining xmatch priority based on smallest DFA match
don't skip cache loads just because optimization flags are specified

Init

apparmor.systemd: fix minor issues detected by shellcheck
ensure error value is returned correctly ([MR352][MR352])

Utils

genprof/logprof
drop failing corner-case check in logparser.py ([bso1120472][bso1120472], [MR297][MR297])
drop unused get_profile_filename() from logparser.py ([MR297][MR297])
fix error KeyError: 'logfiles' when no logprof.conf exists ([MR365][MR365])
don't drop later events when user selects to deny a hat ([MR378][MR378])
update network keyword list and add corresponding tests ([MR350][MR350])

Policy

Profiles

dovecot

allow FD passing between dovecot and dovecot's anvil
allow chroot'ing the auth processes
let dovecot/anvil rw the auth-penalty socket
auth processes need to read from postfix auth socket
add abstractions/ssl_certs to lmtp
allow master to use SIGTERM on children that are slow to die
align {pop3,managesieve}-login to imap-login

identd: allow network netlink dgram ([MR353][MR353])
syslog-ng: add abstractions/python for python-parser
lsb_release profile: new abstraction
dnsmasq:

allow peer=libvirtd to support named profile
Work around breakage caused by {bin,sbin} alternation ([bso1127073][bso1127073], [MR346][MR346])
Revert /usr/{bin,sbin}/ alternation in dnsmasq profile name

mysqld:

add mmap permission for mysqld (4.8 semantic change)
allow mysql to determine which cpus are online
allow locking of mysql files

Tunables

share:

make it play well with aliases
fix buggy syntax that broke the ~/.local/share part of the @{user_share_dirs} tunable

Abstractions

move drirc.d access from mesa to dri-common
base: allow mr permission on all .so common library paths
dri-common: allow reading /dev/dri/
ssl_certs,keys - add support for libdehydrated in /var/lib/
qt5: allow reading user configuration
qt5-settings-write: fix anonymous shared memory access
qt5-compose-cache-write: fix anonymous shared memory access
nameservice: allow access to /run/netconfig/resolv.conf ([bso1097370][bso1097370])
mesa: allow reading drirc.d
vulkan: allow reading /etc/vulkan/icd.d/ ([MR329][MR329])
nvidia: allow reading nvidia application profiles
postfix-common: make compatible with updated postfix profiles naming
python: allow reading /usr/local/lib/python3
ldapclient: allow rw access to the nslcd socket
ubuntu-browsers.d/multimedia: allow creating/writing config dirs
audio:

fix alsa settings access
grant read access to the system-wide asound.conf ([dbug920669][dbug920669], [MR320][MR320])
grant read access to the libao configuration files ([dbug920670][dbug920670], [MR320][MR320])

fonts:

allow reading the conf-avail dir itself
add various openSUSE-specific font config directories
allow creating/writing config dirs

kde:

allow access to common KDE-specific settings ([MR327][MR327])
allow access to global KDE settings ([MR327][MR327])

gnome:

allow reading gtk-3.0 cache files
allow creating config dirs

Tests

fix mount test to use next available loop device ([MR379][MR379])
update tests to support distros with user-merge where /bin and /sbin are symlinks ([MR331][MR331])
fix regression test failures around new binary cache layout
update tests for new network domain keywords
update tests for base abstraction changes

Documentation

apparmor.d (7):

update list of network domain keywords ([MR349][MR349])
drop unsupported 'to' option for link rules from manpage ([MR368][MR368])

Milestone information

Project:
AppArmor
Series:
2.13
Version:
2.13.3
Released:
 
Registrant:
John Johansen

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature.

File: apparmor-2.13.3.tar.gz (md5, sig)
Description: AppArmor 2.13.3
Downloads: 2,201
