Comment 0 for bug 2056496

AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from landing pre feature freeze.

Landing AppArmor 4.0-beta's will enable us to more easily track upstream bug fixes, and is needed to support network rules in prompting. The addition of the prompting patch on top of AppArmor 4.0 is required to support snapd prompting in general for both file and network rules. Currently the prompting patch is not part of the upstream release but is part of the vendored apparmor in snapd. In ordered for snapd to be able to vendor the noble release of apparmor it requires support for prompting. The prompting patch is a straight rebase to AppArmor 4.0 of the patch that has been in testing in snapd prompting for more than six months.

Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version

Beta1 added three additional features that were not present in alpha4 (current Noble).
• support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking).
• aa-notify support message filters to reduce notifications
• aa-logprof/genprof support for mount rules

None of these features affect existing policy, which will continue to function under the abi that it was developed under. This can be seen in the regression testing below.

I addition to the 3 features introduced in Beta1, Beta1 and Beta2 add several bug fixes the most important are highlighted below with the full list available in the upstream release notes, available at https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2

• new unconfined profiles in support of unprivileged user namespace mediation https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
∘ nautalus, devhelp, element-desktop, epiphany, evolution, keybase, opam
• fix policy generation for non-af_inet rules (MR:1175)
• Fix race when reading proc files (AABUG:355, MR:1157)
• handle unprivileged_userns transition in userns tests (MR:1146)
• fix usr-merge failures on exec and regex tests (MR:1146)

This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

The output of a test run is in the attached qrt.output file. Of which the summary is below
    Ran 62 tests in 811.542s

    OK (skipped=3)

The changelog is available here
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

The prepared package is available via the ppa
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe