ReleaseNotes 2 11 1

From AppArmor
Revision as of 13:35, 26 October 2017 by Jj (Talk | contribs) (Utils =)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Policy Compiler (a.k.a apparmor_parser)

  • Fix af_unix downgrade of network rules
  • Fix delete after new[]
  • Set parser executable path according to USE_SYSTEM make variable

Init

  • Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507 lp#1668892

Library

  • fix swig test_apparmor.py for zero length ptrace records
  • Don't print shell commands that check for test failures
  • Fix parallel make dependency issue in testsuite

Utils

  • aa-notify - update to use normal urgency notifications to obtain intended behavior across DEs
  • Add network 'smc' keyword in NetworkRule
  • Prevent 'wa' conflicts for file rules
  • Carry over all autodep-generated rules in handle_children()
  • Ignore ptrace log events without denied_mask
  • Fix aa-logprof crash on ptrace garbage log events lp#1689667
  • Fix regressions caused by init_aa()
  • apparmor.easyprof update
    • Fix import in test-aa-easyprof.py
    • Add option to specify the apparmor_parser path
  • Set parser base path according to USE_SYSTEM make variable
  • Accept parser base and include options in aa-easyprof
  • Update the logprof.conf in the test dir to point to in-tree paths
  • Improve error messages when profiles/parser is not found
  • Don't enforce ordering of dbus rule attributes lp#1628286
  • Fix failing tests in test-aa.py
  • Ignore change_hat events with error=-1 and "unconfined can not change_hat"
  • Remove re.LOCALE flag lp#1661766
  • update how questions are asked in profile generation

Policy

  • Abstractions
    • freedesktop.org - support /usr/local/applications; support subdirs of applications folder
    • fix for non-latin file/directory names
    • gnome - allow reading GLib schemas.
    • wayland - allow wayland-cursor-shared-*
    • python - Adjust for python3.6
    • perl-base - adjust the multiarch alternation rule in the perl abstraction for modern Debian and Ubuntu systems
    • base - Allow sysconf(_SC_NPROCESSORS_CONF)
    • nvidia - Update nvidia for newer nvidia drivers
    • Rename global variable "pid" to "log_pid"
    • glibc uses /proc/*/auxv and /proc/*/status files
    • Apache2 - profile updates for proper signal handling, optional saslauth,
 and OCSP stapling
  • sshd - drop local/ include
  • /etc/cron.daily/logrotate update
  • dovecot
    • Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles
    • add the attach_disconnected flag
    • change Px to mrPx for /usr/lib/dovecot/*
    • dovecot-lda update lp#1650827
      • the attach_disconnected flags
      • read access to /usr/share/dovecot/protocols.d/
      • rw for /run/dovecot/auth-userdb
  • Postfix
    • change abstractions/postfix-common to allow /etc/postfix/*.db k
    • add several permissions to postfix/error, postfix/lmtp and postfix/pipe
    • remove superfluous abstractions/kerberosclient from all postfix profiles - it's included via abstractions/nameservice
  • Samba profile updates for ActiveDirectory / Kerberos
  • traceroute - support TCP SYN for probes, quite net_admin request boo#1057900

Documentation

  • Add network 'smc' keyword to apparmor.d manpage
  • aa-status - update manpage for updated podchecker

Tests

  • libapparmor: fix ptrace regression test failure
  • Add --no-reload to various utils manpages
  • Ignore test failures about duplicated conditionals in dbus rules
  • readdir - test both getdents() and getdents64() if available
  • where necessary use getdents64 to fix arm64 build failure lp#1674245
  • No longer skip testing generated_perms_leading profiles
  • regression tests-
    • fix environ fail case