On Thu, Jun 27, 2019 at 12:22:13PM +1000, James Morris wrote:
> On Wed, 26 Jun 2019, Casey Schaufler wrote:
>
> > With the inclusion of the "display" process attribute
> > mechanism AppArmor no longer needs to be treated as an
> > "exclusive" security module. Remove the flag that indicates
> > it is exclusive. Remove the stub getpeersec_dgram AppArmor
> > hook as it has no effect in the single LSM case and
> > interferes in the multiple LSM case.
>
> So now if I build a kernel with SELinux and AppArmor selected, with
> SELinux registered first, I need to use apparmor=0 at the kernel
> command line to preserve existing behavior (just SELinux running).
>
> This should at least be documented.
>
> I wonder if this will break existing users, though. Who has both
> currently selected and depends on only one of them being active?

I don't think this will change a system using SELinux, right? There
would be no policy loaded for AppArmor so its hooks would be no-op. But
maybe I'm not thinking hard enough?

--
Kees Cook
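The question James raises (who has both modules built in and relies on only one being active) is something an administrator can answer on a running box. The script below is an added example for this thread, not code from the patch or the kernel tree. It reads the two real interfaces involved, the active-module list in /sys/kernel/security/lsm and the boot parameters in /proc/cmdline, and reports whether SELinux and AppArmor are registered at the same time and whether apparmor=0 (or the lsm= list added in 5.1) switches AppArmor off. Inputs are passed as strings so it runs offline on the constructed samples at the bottom. The treatment of the legacy security= selector as disabling the other major module is an assumption about kernels of this era, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from the kernel tree.
# Classifies which major LSMs a booted kernel has registered and checks
# whether the boot command line switches AppArmor off. Both inputs are
# plain strings so the functions can be exercised on constructed data;
# on a live system call:
#   lsm_status "$(cat /sys/kernel/security/lsm)" "$(cat /proc/cmdline)"

# cmdline_disables_apparmor "<kernel cmdline>"
# Exit 0 if AppArmor is turned off by one of these boot parameters:
#   apparmor=0       AppArmor's own enable switch
#   lsm=<a,b,c>      explicit ordered list (5.1+); modules not named are off
#   security=<name>  legacy single-major-module selector; assumed here to
#                    disable the other major modules when it names one
cmdline_disables_apparmor() {
    for arg in $1; do
        case "$arg" in
            apparmor=0) return 0 ;;
            lsm=*)
                case ",${arg#lsm=}," in
                    *,apparmor,*) ;;      # named in the list: stays on
                    *) return 0 ;;        # left out of the explicit list
                esac ;;
            security=*)
                [ "${arg#security=}" = apparmor ] || return 0 ;;
        esac
    done
    return 1
}

# lsm_status "<comma-separated lsm list>" "<kernel cmdline>"
# Prints one word:
#   both-active    SELinux and AppArmor both registered (James's case)
#   selinux-only   SELinux registered, AppArmor absent
#   apparmor-only  AppArmor registered, SELinux absent
#   neither        no major module in the list
# When AppArmor is absent and the command line explains why, appends
# "(apparmor disabled by cmdline)".
lsm_status() {
    have_selinux=0
    have_apparmor=0
    old_ifs=$IFS
    IFS=,
    for mod in $1; do
        case "$mod" in
            selinux)  have_selinux=1 ;;
            apparmor) have_apparmor=1 ;;
        esac
    done
    IFS=$old_ifs

    if [ "$have_selinux" = 1 ] && [ "$have_apparmor" = 1 ]; then
        status=both-active
    elif [ "$have_selinux" = 1 ]; then
        status=selinux-only
    elif [ "$have_apparmor" = 1 ]; then
        status=apparmor-only
    else
        status=neither
    fi

    if [ "$have_apparmor" = 0 ] && cmdline_disables_apparmor "$2"; then
        status="$status (apparmor disabled by cmdline)"
    fi
    printf '%s\n' "$status"
}

# Constructed sample inputs (not captured from a real machine):
lsm_status "capability,yama,apparmor,selinux" "BOOT_IMAGE=/vmlinuz quiet"
lsm_status "capability,yama,selinux" "BOOT_IMAGE=/vmlinuz apparmor=0"
```

The first sample is the configuration James describes after the patch: both modules registered with nothing on the command line, so the script prints both-active. Whether that matters is exactly Kees's point, since with no AppArmor policy loaded the extra hooks should be no-ops; the script only tells you that you are in that situation, not whether it is harmful.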