ReleaseNotes 2 8 1

From AppArmor
Jump to: navigation, search

AppArmor 2.8.1 Release Notes

AppArmor 2.8.1 is an incremental bug fix release over AppArmor 2.8.0 that is focused on bug fixing userspace code.

Linux kernel compatability

As with prior releases, the AppArmor user space utilities are dependent on a few bits of kernel functionality that were not accepted by upstream when the kernel portion of AppArmor was merged into the Linux kernel. Compatibility patches are included in this user space release through kernel 3.6.

See upstream release notes for more information.

Detailed changes

The following list of changes was taken from bzr log.

revno: 2067
  Subject: profiles - adjust pulseaudio in abstraction (ixr -> Pixr)
revno: 2066
  The following patch extends the libraries log parsing to support more date
  time formats. As this is causing failures on some systems

revno: 2065
  Subject: add aa-decode test script

revno: 2064
  Backported merge of various fixes from trunk in preparation of the 2.8.1
  release. In this merge are the following trunk commits:
  2050 - parser - network rules debugging statements
  2057 - update ubuntu-browsers.d/java for IcedTea 7
  2058 - let sanitized-helper also allow access to /usr/local
  2059 - ubuntu-integration does not work properly with exo-open
  2062 - support alternate ping install location in /usr
  2064 - parser - update apparmor_parser man page
  2065 - parser - correct apparmor_parser -N command privilege
  2066 - parser - *just* the updated caching test message from this commit
  2065.1.1 - profiles update fonts abstraction for new fontconfig paths
  2065.1.{3,4} - profiles - Gnome applications are now quite interested
         in reading /usr/share/poppler/cMap/**
  2069 - profiles - update extras README with mail list info
  2074 - tests - fix clone test on arm
  2076 - parser tests - fix test driver for exec() failure
  2079 - libapparmor - add pkgconfig support
  2083 - parser tests - fix fine grained timestamp detection in caching tests
  2090 - nvidia abstractions cleanups
  2092 - update skype profile
  2093 - add XCompose to abstractions/X
  2096 - dnsmasq network-manager integration
revno: 2063
  fix aa-decode by backporting all changes from trunk to 2.8 branch
  - speed up aa-decode by using a bash regex matching instead of calling egrep for each line.
  - Fix aa-decode handling of stdin
  - fix error handling in aa-decode

revno: 2062
  Add a small sleep call to the onexec test to give the forked process a
  chance to run before verifying it's current and future confinement
  state. In testing the combined sleeps added roughly a second to's total time on relatively reasonable hardware.

revno: 2061
  add CAP_BLOCK_SUSPEND to severity.db

revno: 2060
  Add a testcase for the issue fixed in commit 2059.

revno: 2059
  fix a nasty little bug that can surface in apparmor 2.8 when
  Hats/children profiles are used.
  the matchflags in the dfa backend are not getting properly reset, which
  results in a previously processed profiles match flags being used. This is
  not a problem for most permissions but can result in x conflict errors.
  Note: this should not result in profiles with the wrong x transitions loaded
  as it causes compilation to file with an x conflict.

revno: 2058
  Add kernel patches for 3.5 and 3.6 kernels

revno: 2057
  Update documentation of change_hat and change_profile apis

revno: 2056
  So the library version has not been being correctly bumped.
  Make this a little bit easier to follow

revno: 2055
  The apparmor coredump regression test was broken.
  - It failed to remove coredump files named "core"
  - It failed to properly detect "core.<pid>" files
  - And it would fail if the coredump_pattern had been modified to
    a different location.
  This lead one of the tests to report it was passing when it
  wasn't because it was detecting the previous tests core file.
  - Fix the test to set the coredump_pattern, to dump into the
    tmpdir used for the test.
  - Make it so it will only detect the core file for the pid of
    the last test run.
  - And extend the test to have a couple of extra test cases.

revno: 2054
  apparmor: add clearing the profile cache when inconsistent

revno: 2053
  ls moved from /bin/ to /usr/bin/ on openSUSE (usrMove)

revno: 2052
  The previous patch to fix policy compilation around the network flag had a
  serious flaw. The test for the network flag was being applied against both
  the kernel flags and the cache flags. This means that if either the kernel
  or the cache did not have the flag set then network mediation would be
  turned off.
  Thus if a kernel was booted without the flag, and a cache was generated
  based on that kernel and then the system was rebooted into a kernel with
  the network flag present, the parser on generating the new policy would
  detect the old cache did not support network and turn it off for the
  new policy as well.
  This can be fixed by either removing the old cache first or regenerating
  the cache twice. As the first generation will write that networking is
  supported in the cache (even though the policy will have it disabled), and
  the second generation will generate the correct policy.
  The following patch moves the test so that it is only applied to the kernel
  flags set.

revno: 2051
  Fix the parser so it checks for the presence of the network feature in the
  compatibility interface. Previously it was assuming that if the compatibility
  interface was present that network rules where also present, this is not
  necessarily true and causes apparmor to break when only the compatibility
  patch is applied.

revno: 2050
  Have build check for presence of awk and fail with a sensible error message

revno: 2049 was failing on systems with python 2.5, fix that