Release 0.2.7

CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## [0.2.7] - 2025-06-xx
+
+### Added
+- Linux kernels older than 5.9 are now supported.
+- Support for `Defaults noexec`/`NOEXEC:` on Linux systems based on seccomp
+  filtering to prevent shell escapes in wide range of cases. This should also
+  work on programs not written in C and statically linked executables.
+- Support for `umask` and `umask_override`
+- `--preserve_env=VAR` is now supported to preserve selected environment
+  variables in a more convenient way
+
+### Changed
+- sudo-rs now uses CLOEXEC to close open file descriptors in the child process
+- Relative paths like `./` in `secure_path`/`PATH` are now ignored.
+- `apparmor.so` is dynamically loaded by sudo itself, as-needed
+
+### Fixed
+- Usernames that start with `_` or have non-western characters were not supported
+  as a valid username in /etc/sudoers (#1149)
+- Other usability improvements in /etc/sudoers (#1117, #1126, #1134, #1157)
+
 ## [0.2.6] - 2025-05-06
 
 ### Added

Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "sudo-rs"
 description = "A memory safe implementation of sudo and su."
-version = "0.2.6"
+version = "0.2.7-dev"
 license = "Apache-2.0 OR MIT"
 edition = "2021"
 repository = "https://github.com/trifectatechfoundation/sudo-rs"

util/build-release.sh

@@ -14,7 +14,7 @@ DATE=$(grep -m1 '^##' "$PROJECT_DIR"/CHANGELOG.md | grep -o '[0-9]\{4\}-[0-9]\{2
 # Build binaries
 docker build --pull --tag "$BUILDER_IMAGE_TAG" --file "$SCRIPT_DIR/Dockerfile-release" "$SCRIPT_DIR"
 docker run --rm --user "$(id -u):$(id -g)" -v "$PROJECT_DIR:/build" -w "/build" "$BUILDER_IMAGE_TAG" cargo clean
-docker run --rm --user "$(id -u):$(id -g)" -v "$PROJECT_DIR:/build" -w "/build" "$BUILDER_IMAGE_TAG" cargo build --release --features pam-login
+docker run --rm --user "$(id -u):$(id -g)" -v "$PROJECT_DIR:/build" -w "/build" "$BUILDER_IMAGE_TAG" cargo build --release --features pam-login,apparmor
 
 # Generate man pages
 "$PROJECT_DIR/util/generate-docs.sh"