Upstream AppArmor Releases

| AppArmor user space Version | Feature | Minimum Supported Kernel | Required Kernel Version for supported features | Notes |
|---|---|---|---|---|
| 2.3 | * change_profile allows unconfined processes to enter confinement<br>* add aa-repo.pl tool<br>* Allow for profile creation without attachment specification<br>* Children (local) profiles<br>* Add "cx" execute permission<br>* Named profile transitions<br>* Hats<br>* change_hat rules<br>* change_profile rules<br>* Profile namespaces<br>* Link pair rules<br>* File rules conditional on file ownership<br>* Per rule audit control<br>* Deny rules<br>* Alias rules<br>* Rlimit rules<br>* Set capabilities per profile | pre 2.6.24 + out of tree patches (v4 abi)<br>2.6.24+ (v5 abi)<sup>1</sup> | | `1`<br>* 2.3 features not supported due to upstreaming changes<br>* basic socket mediation - requires out of tree patch<br>* xattr mediation<br>* the ability to set confinement on a pre-existing task<br>* semantics of file mediation changed some |
| 2.3.1 | | 2.6.27, 2.6.28 | | |
| [2.4](../documentation/release-notes/Release_Notes_2.4.md) | * pux transitions<br>* Improved profile namespace support<br>* Caching of compiled profiles<br>* kill mode<br>* audit control<br>* change profile on exec | 2.6.31, 2.6.32 | | Removed support for:<br>* chown, chmod, and xattr mediation<br>* Path-based mediation of unix domain sockets<br>* Set profile interface |
| [2.5](../documentation/release-notes/Release_Notes_2.5.md) | * Improved policy and DFA verification<br>* chmod/chown mediation<br>* change_hatv<br>* Use CAP_MAC_ADMIN to determine if policy modification is allowed<br>* Hierarchical namespaces<br>* New profile flags<br>* Renaming replace<br>* DFA minimization<br>* Improved table compression<br>* New optimization and debugging flags for dfa creation<br>* aa-decode utility<br>* apparmor_notifier rewrite | 2.6.31 | | Removed support for:<br>* set capabilities<br>* Unnecessary /proc//xaddr/\* restrictions<br>* Parallel profile load |
| [2.5.1](../documentation/release-notes/Release_Notes_2.5.1.md) | * Reduce memory usage<br>* Add ability for apparmor_parser to dump flattened profiles<br>* Add support for LSM_AUDIT format messages<br>* Improved auditd handling<br>* Add support for truncate, rename_src, and rename_dest operations in SubDomain.pm | 2.6.31 (patched), 2.6.32 (patched), 2.6.33 - 2.6.37 | | |
| [2.5.2](../documentation/release-notes/Release_Notes_2.5.2.md) | * change_hatv(), change_hat_vargs() available via swig interfaces<br>* Bug fixes | 2.6.31 (patched), 2.6.32 (patched), 2.6.33 - 2.6.38 | | Removed utils/severity.pl due to incorrect license/copyright statement |
| [2.6.0](../documentation/release-notes/Release_Notes_2.6.0.md) | * Add support for profile names that are independent of attachment specification<br>* Add ability to dump compiled policy to a file<br>* Add aa-disable utility<br>* Add support for newer auditd formatted messages<br>* Make change_hatv(), change_hat_varargs() available via swig interfaces | 2.6.31 (patched), 2.6.32 (patched), 2.6.33 - 2.6.38 | | |
| [2.6.1](../documentation/release-notes/Release_Notes_2.6.1.md) | * Bug fixes | 2.6.31 (patched), 2.6.32 (patched), 2.6.33 - 2.6.38 | | |
| [2.7](../documentation/release-notes/Release_Notes_2.7.md) | * Support for systemd<br>* Support for CAP_SYSLOG<br>* Support rlimit cpu | 2.6.35 - 2.6.39, 3.0, 3.1, 3.2 | | last point release to support old immunix/suse kernels using out of tree patches and pcre matching engine (v3 abi) |
| [2.7.2](../documentation/release-notes/Release_Notes_2.7.2.md) | * Bug fixes<br>* Profile fixes and updates | 2.6.35 - 2.6.39, 3.0, 3.1, 3.2 | | |
| [2.8](../documentation/release-notes/Release_Notes_2.8.md) | * Basic mount rules<br>* New introspection interface<br>* New aa-exec utility<br>* New aa-easyprof utility<br>* Language improvements | 3.3, 3.4 | | Support for basic mount rules requires the mount kernel patch. |
| [2.8.1](../documentation/release-notes/Release_Notes_2.8.1.md) | * Bug fixes | 3.3 - 3.6 | | |
| [2.8.2](../documentation/release-notes/Release_Notes_2.8.2.md) | * Bug fixes<br>* Policy updates | 3.3 - 3.6 | | |
| [2.8.3](../documentation/release-notes/Release_Notes_2.8.3.md) | * Add --create-cache-dir command line option to apparmor_parser<br>* Bug fixes<br>* Profile fixes | 3.3 - 3.6 | | |
| [2.8.4](../documentation/release-notes/Release_Notes_2.8.4.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.8.5](../documentation/release-notes/Release_Notes_2.8.5.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.9.0](../documentation/release-notes/Release_Notes_2.9.0.md) | * Support for mediation of<br>* dbus<br>* signals<br>* ptrace<br>* unix abstract sockets<br>* New "allow" keyword | 3.3+ | | |
| [2.9.1](../documentation/release-notes/Release_Notes_2.9.1.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.9.2](../documentation/release-notes/Release_Notes_2.9.2.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.9.3](../documentation/release-notes/Release_Notes_2.9.3.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.9.4](../documentation/release-notes/Release_Notes_2.9.4.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.9.5](../documentation/release-notes/Release_Notes_2.9.5.md) | * Policy updates<br>* Bug fixes<br>* Partial fix for CVE-2017-6507 | 3.3+ | | |
| [2.10](../documentation/release-notes/Release_Notes_2.10.md) | * New libapparmor APIs<br>* Improved policy compile times<br>* Ability to use variables in profile names<br>* AppArmor Tools add support for<br>* pux, cux, CUx exec modes<br>* Profile attachment specifications<br>* Profile de-duplication<br>* change_profile rules<br>* --no-reload option | 3.3+ | | |
| [2.10.1](../documentation/release-notes/Release_Notes_2.10.1.md) | * Allow "unspec" (AF_UNSPEC) family in network rules<br>* Policy Updates<br>* Bug Fixes | 3.3+ | | |
| [2.10.2](../documentation/release-notes/Release_Notes_2.10.2.md) | * Policy Updates<br>* Bug Fixes | 3.3+ | | |
| [2.10.3](../documentation/release-notes/Release_Notes_2.10.3.md) | * Policy Updates<br>* Bug Fixes<br>* Fix CVE-2017-6507 | 3.3+ | | |
| [2.10.4](../documentation/release-notes/Release_Notes_2.10.4.md) | * Policy Updates<br>* Bug Fixes<br>* Add support for zsh in logprof.conf | 3.3+ | | |
| [2.11](../documentation/release-notes/Release_Notes_2.11.md) | * apparmor_parser supports parallel compiles and loads<br>* Utils fully support dbus, ptrace, and signal rules/events<br>* Support stacking in exec and change_profile rules<br>* change_profile rules accept exec mode modifier<br>* Utils switched to python3 (python2 deprecated) | 3.3+ | | |
| [2.11.1](../documentation/release-notes/Release_Notes_2.11.1.md) | * Add network 'smc' keyword in NetworkRule<br>* Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.11.2](../documentation/release-notes/Release_Notes_2.11.2.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.12](../documentation/release-notes/Release_Notes_2.12.md) | * Reworked YaST interface<br>* Add support for 'owner' events to aa-logprof and aa-genprof<br>* Bug Fixes<br>* Policy Updates | 3.3+ | | |
| [2.12.1](../documentation/release-notes/Release_Notes_2.12.1.md) | * Add support for conditional includes in policy<br>* Policy Updates<br>* Bug Fixes | 3.3+ | | |
| [2.12.2](../documentation/release-notes/Release_Notes_2.12.2.md) | * Policy Updates<br>* Bug Fixes | 3.3+ | | |
| [2.13](../documentation/release-notes/Release_Notes_2.13.md) | * Support conditional includes in policy<br>* Allow policy caches to be retained between kernel versions<br>* Overlay cache locations<br>* Add ability to customize aa-notify notification message | 3.3+ | | |
| [2.13.1](../documentation/release-notes/Release_Notes_2.13.1.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [2.13.2](../documentation/release-notes/Release_Notes_2.13.2.md) | * Policy updates<br>* Bug fixes | 3.3+ | | |
| [3.0](../documentation/release-notes/Release_Notes_3.0.md) | * feature abi tagging of policy<br>* The use of profile names that are based on pathnames is deprecated<br>* upstream v8 network socket rules<br>* xattr attachment conditionals<br>* capabilities PERFMON and BPF<br>* rewrite aa-status in C<br>* rewritten aa-notify<br>* improved support for kernels that support LSM stacking<br>* support profile modes enforce, kill and unconfined<br>* reference policy updated for 3.0 feature abi<br>* basic support for [systemd v246 early load of apparmor policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads).<br>* aa-feature-abi tool | 4.13+ | | |
| [4.0 alpha1](../documentation/release-notes/Release_Notes_4.0-alpha1.md) | * unconfined and debug profile flags<br>* fine grain posix mqueue mediation<br>* user ns mediation<br>* io_uring mediation (sqpoll and override_creds)<br>* aa-status can filter output<br>* aa-load loads binary policy without the parser<br>* apparmor_parser no longer requires root (still needs privilege)<br>* update abi references to 4.0 | ?? | | |