ReleaseNotes 2 9 3

From AppArmor
Jump to: navigation, search

AppArmor 2.9.3 Release Notes

AppArmor 2.9.3 is an incremental bug fix release over AppArmor 2.9.2 that is focused on fixing issues in the userspace code.

Improvements and Bugs Fixed

Policy Compiler (a.k.a. apparmor_parser)

  • set cache file timestamp to the mtime of most recent policy file tstamp (lp#1460152)
  • respect $CPPFLAGS
  • fix ptrace tests for arm64 and s390 (lp#1470985, lp#1531325)
  • allow "unspec" (AF_UNSPEC) family in network rules (lp#1546455)


  • respect $CPPFLAGS


  • aa-logprof, aa-genprof, aa-mergeprof
    • ignore (no longer supported) hat declarations ("^foo,")
    • don't forget to write unix rules when saving a profile (lp#1522938, boo#954104)
    • fix handling link events
    • fix crash with #include <directory> when hitting a capability or network log event (lp#1471425)
    • ignore log events that look like file events (based on operation=), but aren't (lp#1466812, lp#1466812, lp#1525119, lp#1540562)
    • fix crash on change_hat log events (lp#1523297)
    • accept more log formats
    • fix crash with hats in included files
    • make sure pux, cux and CUx modes are accepted as valid
    • fix handling capability rules in aa-mergeprof
    • add python to the "no Px rule" list in logprof.conf
    • map 'c' (create) log events to 'w' instead of 'a' - if a program opens a file without O_APPEND, 'a' permissions aren't enough
    • several fixes on parsing and writing variable definitions
    • fix aa-mergeprof crash on files containing more than one profile
    • several small bugfixes
  • aa-complain, aa-enforce, aa-audit, aa-disable
    • set the flags for all hats, not only in the main profile
    • add a --no-reload parameter (lp#1458480
    • work for non-existing binaries (lp#1416346)
    • let aa-audit print a warning on disabled profiles (lp#1429448)
    • let aa-complain delete the disable symlink
  • aa-status
    • make check if a file is readable more robust (lp#1466768)
  • aa-notify:
    • also display notification for complain mode events
  • tests
    • use in-tree libapparmor by default and add support for USE_SYSTEM variable
    • change to use --no-reload so that they can run as non-root


Updates to the following profiles:

  • change /bin/ paths in all profiles to also match /usr/bin/
  • sbin.dhclient: allow executing nm-dhcp-helper and access to some files in /var/lib/dhcp6/ and /var/lib/NetworkManager/
  • sbin.syslog-ng: add several permissions (abstractions/openssl, reading the journal etc.) which are needed by the latest syslog-ng (boo#948584, boo#948753)
  • allow reading @{PROC}/@{pid}/net/dev (boo#939568)
  • usr.lib.dovecot.auth: allow writing to /var/run/dovecot/user-stats (needed by dovecot >= 2.2.22)
  • usr.lib.dovecot.lmtp: add openssl and ssl_keys abstractions
  • usr.lib.dovecot.imap: allow reading /run/dovecot/mounts
  • usr.lib.dovecot.dovecot-lda:
  • usr.lib.postfix.master: add 'k' permissions for
  • usr.sbin.avahi-daemon: allow write access to /run/systemd/notify (needed on systems with systemd)
  • usr.sbin.dnsmasq:
    • allow /bin/sh and /bin/dash in addition to /bin/bash (boo#940749, non-public)
    • allow /dev/tty rw which is needed by the --dhcp-script's shell (boo#940749, non-public)
    • add attach_disconnected flag (lp#1569316)
  • usr.sbin.nscd: allow reading /proc/self/cmdline, needed for paranoia mode (boo#971790)
  • usr.sbin.ntpd:
    • add attach_disconnected flag (needed for using nscd)
    • allow reading the directory listing of $PATH (boo#945592)
  • usr.sbin.smbd: allow capability sys_admin which is needed because smbd stores ACLs in the security.NTACL namespace (boo#964971, Discussion on the Samba mailinglist)
  • usr.sbin.winbindd:

Updates to the following abstractions:

  • base: allow reading /usr/share/locale-bundle/ (contains translations in openSUSE)
  • nameservice: allow reading /run/systemd/resolve/resolv.conf
  • python: update for python3
  • samba: update for Samba 4.2 (boo#921098, boo#923201)
  • ssl_certs, ssl_keys: allow reading acmetool-generated certificates in /var/lib/acme/
  • X: allow unix connections to @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird


  • apparmor.d manpage:
    • document @{pids} and @{apparmorfs}
    • document realtime signals
  • fix incorrect statement in aa_change_profile manpage
  • aa_change_profile manpage:
    • fix description of EPERM
    • clarify handling of open file descriptors


  • fix error handling in rc.apparmor.suse for "rcapparmor kill" (boo#862170, non-public)

Complete Changelog

AppArmor 2.9.3 includes revisions 3005 through 2911 from the 2.9 branch.