# Changes in this Release

## Translations

- sync to the most up-to-date language translations available

## Build Infrastructure

- add files to .gitignore
  - swig auto-generated files for ruby ([MR366][MR366])
- fix libapparmor swig 4 failure 'aa_log_record' object has no attribute '__getattr__' ([BUG33][AABUG33])

## libapparmor

- fix segfault in overlaydirat_for_each causing overlayed cache directory failures
- fix segfault when loading policy cache files
- fix failure to merge overlay directories in some situations

## Policy Compiler (a.k.a. apparmor_parser)

- clean up error handling ([dbug921866][dbug921866], [LP1815294][LP1815294])
- fix parsing of target profile NAME in directed transitions "px -> NAME"
- improve runtime attachment by determining xmatch priority based on the smallest DFA match
- don't skip cache loads just because optimization flags are specified

## Init

- apparmor.systemd: fix minor issues detected by shellcheck
- ensure error value is returned correctly ([MR352][MR352])

## Utils

### genprof/logprof

- drop failing corner-case check in logparser.py ([bso1120472][bso1120472], [MR297][MR297])
- drop unused get_profile_filename() from logparser.py ([MR297][MR297])
- fix error KeyError: 'logfiles' when no logprof.conf exists ([MR365][MR365])
- don't drop later events when the user selects to deny a hat ([MR378][MR378])
- update network keyword list and add corresponding tests ([MR350][MR350])

## Policy

### Profiles

- dovecot:
  - allow FD passing between dovecot and dovecot's anvil
  - allow chroot'ing the auth processes
  - let dovecot/anvil rw the auth-penalty socket
  - auth processes need to read from the postfix auth socket
  - add abstractions/ssl_certs to lmtp
  - allow master to use SIGTERM on children that are slow to die
  - align {pop3,managesieve}-login to imap-login
- identd: allow network netlink dgram ([MR353][MR353])
- syslog-ng: add abstractions/python for python-parser
- lsb_release profile: new abstraction
- dnsmasq:
  - allow peer=libvirtd to support named profile
  - work around breakage caused by {bin,sbin} alternation ([bso1127073][bso1127073], [MR346][MR346])
  - revert /usr/{bin,sbin}/ alternation in dnsmasq profile name
- mysqld:
  - add mmap permission for mysqld (4.8 semantic change)
  - allow mysql to determine which cpus are online
  - allow locking of mysql files

### Tunables

- share:
  - make it play well with aliases
  - fix buggy syntax that broke the ~/.local/share part of the @{user_share_dirs} tunable

### Abstractions

- move drirc.d access from mesa to dri-common
- base: allow mr permission on all .so common library paths
- dri-common: allow reading /dev/dri/
- ssl_certs, keys: add support for libdehydrated in /var/lib/
- qt5: allow reading user configuration
- qt5-settings-write: fix anonymous shared memory access
- qt5-compose-cache-write: fix anonymous shared memory access
- nameservice: allow access to /run/netconfig/resolv.conf ([bso1097370][bso1097370])
- mesa: allow reading drirc.d
- vulkan: allow reading /etc/vulkan/icd.d/ ([MR329][MR329])
- nvidia: allow reading nvidia application profiles
- postfix-common: make compatible with updated postfix profile naming
- python: allow reading /usr/local/lib/python3
- ldapclient: allow rw access to the nslcd socket
- ubuntu-browsers.d/multimedia: allow creating/writing config dirs
- audio:
  - fix alsa settings access
  - grant read access to the system-wide asound.conf ([dbug920669][dbug920669], [MR320][MR320])
  - grant read access to the libao configuration files ([dbug920670][dbug920670], [MR320][MR320])
- fonts:
  - allow reading the conf-avail dir itself
  - add various openSUSE-specific font config directories
  - allow creating/writing config dirs
- kde:
  - allow access to common KDE-specific settings ([MR327][MR327])
  - allow access to global KDE settings ([MR327][MR327])
- gnome:
  - allow reading gtk-3.0 cache files
  - allow creating config dirs

## Tests

- fix mount test to use the next available loop device ([MR379][MR379])
- update tests to support distros with usr-merge where /bin and /sbin are symlinks ([MR331][MR331])
- fix regression test failures around the new binary cache layout
- update tests for new network domain keywords
- update tests for base abstraction changes

## Documentation

- apparmor.d (7):
  - update list of network domain keywords ([MR349][MR349])
  - drop unsupported 'to' option for link rules from manpage ([MR368][MR368])