AppArmor 4.0 was released 2024-04-12.

Note: 4.0.0 was never released, and is superseded by 4.0.1

Introduction

AppArmor 4.0 is a major new release of the AppArmor user space that makes several important changes to policy development and support. Its focus is transitioning policy to the new policy features.

Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer AppArmor 4 style policy which introduces several new features that are not backwards compatible. As such AppArmor 4.0 will be a short lived release, and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release, please take this into account when including AppArmor 4.0 into a distro release.

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied). And supports features released in the 4.20 kernel.

Note: that while older kernels are supported, not all features available in AppArmor 4.0 policy can be enforced on older kernels.

The kernel portion of the project is maintained and pushed separately.

Highlighted new features

• profile flags
• prompt
• kill.signal
• attach_disconnected.path
• fine grained mediation
• ipv4
• ipv6
• mqueue
• aa_load

Important Notes

• gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:
• libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
• the docs for everything but libapparmor have already been built
• Potentially breaking changes:

Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad. Important note: the gitlab release tarballs: Differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

• libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
• the docs for everything but libapparmor have already been built

gitlab release

• https://gitlab.com/apparmor/apparmor/-/releases/v4.0.1

Launchpad Tarball

• https://launchpad.net/apparmor/4.0/4.0/+download/apparmor-4.0.0.tar.gz
• sha256sum: 2216f4928d4b9fa3a3ff545d19b86ac53c90c58cc0c468b19dc678f6246ad1aa
• signature: https://launchpad.net/apparmor/4.0/4.0/+download/apparmor-4.0.0.tar.gz.asc

Changes since AppArmor 4.0-beta4

policy compiler (aka apparmor_parser)

• inet conditionals should only generate rules for inet family (MR:1210, AABUG:384)

Policy

profiles

• chromium_browser profile (MR:1208)
• new Transmission family of Bittorrent clients (MR:1190)

unconfined profiles

• new
• foliate profile (MR:1209, HUB:1271, LP:2060767)
• wike profile (MR:1212, LP:2060810)

Documentation

• add network inet mediation documentation to apparmor.d (MR:1213)

Regression Tests

• add mount test for CVE-2016-1585 (MR:1054, MR:1211, BOO:1211989, LP:1597017, LP:2023814)

Changes in this Release

These release notes cover all changes between 3.1 ( 7c7224004c31389229877634a217fcc0c8e8567d) and 4.0.1 ( b0eb95457bc2de401920308869d016e696c73664) apparmor-4.0 branch.

Includes all the bug fixes and improvements in

• 3.1.1
• 3.1.2
• 3.1.3
• 3.1.4
• 3.1.5
• 3.1.6
• 3.1.7

And the following improvements

General improvements

New Profile Flags

• kill.signal
• interruptible
• default_allow
• unconfined
• debug
• attach_disconnected.path=
• prompt

New Mediation rules

• fine grain posix mqueue mediation
• user ns mediation
• io_uring mediation
• sqpoll and override_creds (cmd is still a wip)

unprivileged_userns: Special profile transitioned to by unconfined when creating an unprivileged user namespace.

Policy Compiler (a.k.a apparmor_parser)

• no longer require root permissions. Will still require privilege to load policy
• improved rule merging before expr-simplification
• Experimental
• Fine grained IPv4 and IPv6 network mediation (MR:1160)
  • Requires use of experimental kernel.
  • Unsupported and evolving experimental features exist in the release to help with broader testing. They should not affect regular operation/policy unless the feature is explicitly enabled.
• fix policy generation for non-af_inet rules (MR:1175)
• Fix network test regression on kernels that support af_unix (MR:1183,AABUG:374)
• fix coverity static analysis failure (MR:1188)
• fix getattr and setattr perm mapping on mqueue rules (MR:1197, AABUG:377, AABUG:378)
• add ability to specify where a disconnected path is attached (attach_disconnected.path) (MR:661)
• make attach_disconnected.path enable attach_disconnected by default (MR:1084)
• fix encoding of unix permissions for setopt and getopt (MR:1079)
• add support for prompt profile mode (MR:1062)

Library

• check if AX_CHECK_COMPILE_FLAG is available (MR:1174)
• fix syntax in configure (MR:1184)
• fix dynamic linkage since lto1 does not support -dynamic (MR:1071)

Utils

• apparmor development utilities (aa-logprof, ...)
• support all rule
• exec events in hats are no longer skipped
• Adding support for mount rules in aa-genprof/aa-logprof (MR:1153)
• fix coding style in mount rules (MR:1173)
• change string to r-string to avoid warning (MR:1172)
• Remove unnecessary variable source_is_path in mount rules (MR:1172)
• check for unknown fstype and options keywords, and fix issues uncovered by that (MR:1169)
• Fix writing 'mount {options,fstype} in ...' rules and make error check more readable (MR:1168)
• Add useful error message in test-mount.py (MR:1166)
• Fix typo in 'btrfs', and add '9p' filesystem (MR:1164)
• mount rules Fix _is_covered_localvars (MR:1182)
• MountRule to fix make check failure (MR:1176,AABUG:370)
• add option to log aa-logprof json input and output (MR:1078)
• allow mount destination globbing (MR:1195, AABUG:381)
• aa-notify
• new add notification filtering (MR:1154)
• fix aa-notify last login test (MR:1152,LP:1939022)
• Fix test-aa-notify on openSUSE Tumbleweed (new 'last') (MR:1180"))
• aa-unconfined
• Fix race when reading proc files (AABUG:355, MR:1157)
• aa-cleanprof
• fix to work with named profiles
• aa-status
• fix json output
• separate error messages from regular output
• add ability to filter output
• new aa-load
• utility for loading binary (cache) policy without the parser, can be used by non-systemd systems to do cache loads.

Policy

• update abi references to 4.0

abstractions

• authentication
• Allow pam_unix to execute unix_chkpwd (MR:1181,BOO:1219139)
• audio
• crypto (MR:1178,LP:2056747,LP:2056739)
• allow read of openssl config
• allow read of gnutls config
• kde-open5
• Clean superfluous openssl abstraction includes (MR:1179)
• openssl
• allow version specific engdef & engines paths (MR:1147, BOO:1219571)
• Move pam-related permissions to abstractions/authentication (MR:1191, BOO:1220032)
• nameservice
• snap_browsers
• ubuntu-browsers.d/kde
• wutmp
• add "include if exists" to all tunables files to allow for customization (MR:1077, AABUG:347)

profiles

• new bwrap (MR:1204,MR:1206, AABUG:382, LP:2046844)
• new unshare (MR:1204,MR:1206, AABUG:382, LP:2046844)
• firefox
• allow locking of *.sqlite-shm files in user cache area (MR:1193, AABUG:380)
• allow matching /usr/lib/firefox-esr/firefox-esr and change DBus access (MR:1076)
• samba
• allow /etc/gnutls/config & @{HOMEDIRS} (MR:1200, AABUG:379)
• sshd
• Add new permissions needed on Ubuntu 24.04 (MR:1196, LP:2060100)
• new unix_chkpwd - required by authentication (MR:1181,BOO:1219139)
• smbd
• honouring pam restrictions (MR:1159,BOO:1220032)
• php-fpm
• Clean superfluous openssl abstraction includes (MR:1179)
• samba-bgqd
• Clean superfluous openssl abstraction includes (MR:1179)
• sbin.syslog-ng
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.sbin.ntpd
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.sbin.smbd
• Clean superfluous openssl abstraction includes (MR:1179)
• postfix-proxymap
• Clean superfluous openssl abstraction includes (MR:1179)
• postfix-smtp
• Clean superfluous openssl abstraction includes (MR:1179)
• postfix-smtpd
• Clean superfluous openssl abstraction includes (MR:1179)
• postfix-tlsmgr
• Clean superfluous openssl abstraction includes (MR:1179)
• sbin.dhclient
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.bin.freshclam
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.sbin.clamd
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.sbin.haproxy
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.sbin.httpd2-prefork
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.sbin.imapd
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.sbin.ipop2d
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.sbin.ipop3d
• Clean superfluous openssl abstraction includes (MR:1179)
• usr.lib.dovecot.auth
• Clean superfluous openssl abstraction includes (MR:1179)
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.dict
• Clean superfluous openssl abstraction includes (MR:1179)
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.imap-login
• Clean superfluous openssl abstraction includes (MR:1179)
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.lmtp
• Clean superfluous openssl abstraction includes (MR:1179)
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.managesieve-login
• Clean superfluous openssl abstraction includes (MR:1179)
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.pop3-login
• Clean superfluous openssl abstraction includes (MR:1179)
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.anvil
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.config
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.deliver
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.director
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.doveadm-server
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.dovecot-auth
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.dovecot-lda
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.imap
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.log
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.managesieve
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.pop3
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.replicator
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.script-login
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.ssl-params
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.lib.dovecot.stats
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• usr.sbin.dovecot
• Allow for the default libexec subdir /usr/libexec/dovecot (MR:1080)
• chromium profile
• add crashpad_handler subprofile to factor out some permissions that the browser proper does not need (MR:1208)
• new transmission - includes abstractions/transmission-common (MR:1190)

unconfined profiles

• 1password
• Discord
• MongoDB_Compass
• QtWebEngineProcess
• brave
• buildah
• busybox
• cam
• ch-checkns
• ch-run
• chrome
• code
• crun
• firefox
• flatpak
• github-desktop
• ipa_verify
• lc-compliance
• libcamirify
• linux-sandbox
• lxc-attach
• lxc-create
• lxc-destroy
• lxc-execute
• lxc-stop
• lxc-unshare
• lxc-usernsexec
• mmdebstrap
• msedge
• obsidian
• opera
• plasmashell
• podman
• polypane
• qcam
• rootlesskit
• rpm
• runc
• sbuild
• sbuild-abort
• sbuild-adduser
• sbuild-apt
• sbuild-checkpackages
• sbuild-clean
• sbuild-createchroot
• sbuild-destroychroot
• sbuild-distupgrade
• sbuild-hold
• sbuild-shell
• sbuild-unhold
• sbuild-update
• sbuild-upgrade
• signal-desktop
• slack
• slirp4netns
• steam
• stress-ng
• surfshark
• systemd-coredump
• thunderbird
• toybox
• trinity
• tup
• userbindmount
• uwsgi-core
• vdens
• virtiofsd
• vivaldi-bin
• vpnns
• wpcom
• firefox (MR:1185,LP:2046844)
• mscode
• rename from code to mscode
• allow running from gnome (MR:1156,AABUG:368)
• nautilis (MR:1161,LP:2047256)
• devhelp (MR:1149)
• element-desktop (MR:1150)
• epiphany (MR:1149)
• evolution (MR:1149)
• keybase (MR:1145)
• opam (MR:1149)
• goldendict (MR:1186,LP2046844)
• kchmviewer (MR:1186,LP2046844)
• notepadqq (MR:1186,LP2046844)
• pageedit (MR:1186,LP2046844)
• privacybrowser (MR:1186,LP2046844)
• qmapshack (MR:1186,LP2046844)
• qutebrowser (MR:1186,LP2046844)
• rssguard (MR:1186,LP2046844)
• scide (MR:1186,LP2046844)
• geary (MR:1185,LP:2046844)
• loupe (MR:1185,LP:2046844)
• tuxedo-control-center (MR:1187, LP:2046844)
• wike (MR:1212, LP:2060810)
• foliate (MR:1209, HUB:1271, LP:2060767)

Documentation

• apparmor.d
• Update ancient paths in apparmor and apparmor.d manpage to correct paths (MR:1171)
• Update mailinglist and homepage to correct addresses in changehat READMEs (MR:1170)
• Document that attach_disconnected.path expects =PATH (MR:1083)
• aa-status
• document filters

Translations

• sync translation from launchpad

Infrastructure

• makefiles
• test for support of flto-partition flag (MR:1155,AABUG:310)
• don't ship /var in downstream packages (MR:1167)

Tests

regression tests

• dbus-broker integration
• handle unprivileged_userns transition in userns tests (MR:1146)
• fix usr-merge failures on exec and regex tests (MR:1146)
• fix inet tests (MR:1192, AABUG:376)
• fix checking if a feature exists in the test by ignoring if feature file is actually a directory (MR:1074)

tools tests

• add aa-logprof test framework (MR:1082)

parser tests

• improve parser test coverage by checking for non-existent profiles, convert to unittest.main (MR:1070)

Feature Matrix

The feature matrix provides an overview of which features/changes are supported on which release and or kernel.

Feature	policy extension	breaks 3.x	supported by utils	requires 4.x libapparmor	requires kernel support
unconfined flag	Y	Y 1	N	N	Y 2
debug flag	Y	Y 1	N	N	Y 2
prompt flag	Y	Y 1	N	N	Y 2
audit.mode flag	Y	Y 1	N	N	Y 2
kill.signal flag	Y	Y 1	N	N	Y 2
attach_disconnected.path flag	Y	Y 1	N	N	Y 2
default_allow	Y	Y 1	N	N	N
all rule	Y	Y 1	N	N	N
userns	Y	Y 1	N	N	Y 2
rootless apparmor_parser	N	N	n/a	N	N
improved -O rule-merge	N	N	n/a	N	N
aa-status filters	N	N	n/a	N	N
aa-load	N	N	n/a	Y	N
io_uring	Y	Y 1	N	N	Y 2
port level network 12	Y	Y 1	N	N	Y 2
unconfined ns restriction	N	Y 8	n/a	N	Y
unconfined change_profile stacking	N	Y 8	n/a	N	Y
unconfined io_uring restriction	N	Y 8	n/a	N	Y

1. If present in policy will cause previous versions of AppArmor to fail
2. Requires kernel support, policy can be downgraded to work on kernels that do not support.
3. Previous versions of AppArmor may not fail but will not behave correctly
4. Feature can be functionally provided by may not be exactly the same
5. If more than 12 transitions are used in a profile, AppArmor 3.x will fail
6. Will break older policy if variable is not defined. Variable can be manually defined in older parser.
7. AppArmor 3.x will not break but will use declared abi, instead of extending abi when a rule not in the abi is declared in policy.
8. These features if enabled will change unconfined's behavior but can be disabled with either a grub kernel boot parameter or sysctl depending on the kernel.
9. Does not allow any new rules but allows overlapping exec rules that would have been previously rejected.
10. If overlapping rules not supported by 3.x are used policy will break on 3.x and older environments
11. Tools will work but may not deal with overlapping rules correctly in some cases
12. Experimental