Better? There we go. All right, so we're just gonna get going right away.

So one of the things we added this year was the AppArmor E2E project. Eric did the work for that, and so that can improve our testing. And along with that, Mike's been working on using KUnit to add unit testing for our kernel. We've actually found several bugs that aren't exposed. Hopefully, you know, we won't find anything that are exposed, but we've been able to fix some things in the code because of this.

We had a whole bunch of releases this year, a lot of stable work, maintenance work. Way too much time on that.

Improvements: so for the LSM stacking, namespacing stuff, there's been some changes. We're landing, hopefully we'll land it for the next kernel, the AppArmor directory under proc to help with the namespacing, more interface virtualization. We have a user space FD API that's gonna land shortly that allows people to pass around the FD to the interfaces so that it can be used in containers.

Rework: so we're reworking the buffers. AppArmor uses a whole bunch of work buffers to do some of the stuff it does. They were per CPU, so on large systems that's a lot of memory, and had preempt disable around some of this because you didn't want to have to loop back in on the per CPU buffers. So removing this makes real-time happy, and there's a whole bunch of cleanups once we get rid of the preempt disable that we can do.

Checkpoint data compression: so we have data in the kernel that we're bringing in for checkpoint/restore support for containers, and so since that's part of the data that's not used hardly ever, or policy pieces that aren't used live in the kernel, those get compressed so we're not using up so much kernel memory for those.

We've improved our attachment conflict resolution, so in kernel there's improvements to deal with this when there's an overlap on policy, and the compiler also picked up some improvements on the hint that it can give to the kernel.

We have a whole bunch of state machine improvements. We refactored the matching engine; that hasn't quite landed yet, but it's landing soon. We've improved verifier checks. There was a couple cases where we found a couple bugs, so our verifier is really important, especially, well, we'll get to that in a minute with some stuff we're gonna land. We separated the permissions that we're doing and the accepting state handling from the state machine. This is being done so that the state machine can be more generic and can be used by other people if they want. We've improved the compiler performance a little bit, and there's some work to improve it more, and we've been working a little bit towards making it a generic library. And we just very recently added out-of-band transitions, and this actually comes back to Eric's talk; this is gonna be used to fix the issue we have right now with the EVM matching.

We did some init cleanups in our net stuff. We were hanging on to some code from 18 years ago that's not used anymore, so some of that got deleted out. We try really hard to maintain compatibility for a long time, but that's just too old for us. We've removed almost all the Perl. I think the last bit is there's a little Perl script in our regression testing. And we're also Python 3 everywhere if we have Python. aa-notify got rewritten, which is our user space if you want a desktop notification about AppArmor policy stuff. There's been lots of cleanups and minor improvements, and bugs, bugs and bugs, both creating and fixing.

So what are we working on that's gonna land soon? Unprivileged policy. I was hoping we'd actually have this landed already, but we don't. We have the bits in place for this, but there's a few things that are still needed. It needs to be safe. This is why the verifier is so important. Our state machine is more limited than BPF, and it doesn't have the issues that BPF has, but we still need to make sure that there can be nothing the unsafe policy can do to the kernel. And unprivileged policy, it is composed with system policy. It's not replacing it. Users will get to define their own profiles for their applications if they want, and the system will still get to use it, and applications. This will actually pick up where tasks can, instead of being a more global profile that can be applied over all kinds of things, this is actually per task, so once it sets it, it's more like a seccomp filter in that sense.

Notification interface: this is largely to really clean up some of the problems we have. Really, policy development is a real pain right now, especially for the audit logs and stuff; we need to get that out of there. I'm not gonna go into all that. And unprivileged policy, this goes back to the unprivileged policy: we can't have unprivileged policy logging to the system audit logs. That's just a violation. It can leak information, but it also can cause DoSes and stuff easily then, so we don't want that.

There has been a major refactor of apparmorfs that Mike's doing. It's in the works, to help improve it and make it better for containers. We've got some audit improvements coming along. The EVM based profile attachment with the out-of-band transition stuff, but also there's a few other fixes around that, and so hopefully that'll fix all of Eric's problems with that. No new privs improvements: so Eric again mentioned problems around that, where you have some fixes that should land for that soon. Secmark is a little farther out, but it's coming, hopefully this year. We got some work around systemd and early policy load improvements, and being able to specify global policy blacklisting. Application whitelisting, we can actually do that already, but right now it's a real pain to set up and do, and everybody asks about it, and that's like, well, this is too hard to set up, and it really is right now. So we have some work in progress there to make that easier. And that's it.