On 6/27/2019 2:52 PM, John Johansen wrote:
> On 6/26/19 12:22 PM, Casey Schaufler wrote:
>> This patchset provides the changes required for
>> the AppArmor security module to stack safely with any other.
>>
> I have been doing some testing of this with Casey's suggested
> fix of clearing the lsmcontext in security_secid_to_secctx().

There are still cases where the lsmcontext needs local initialization.
If security_<fillscontext> isn't called, and code later looks for
context.context == NULL you can get bitten. I am combing for those
cases and will include initializing them in v5.

>
> So far things are looking good. I have done smoke testing
> on booting with the following combinations under an ubuntu
> image. For the combinations that have apparmor I ran the
> apparmor regression tests, where noted the display LSM
> was set for the apparmor regression tests because they
> are currently only testing the shared interface.
>
> capability
> yama
> capability,yama
> capability,yama,apparmor
> capability,yama,selinux (no selinux policy)
> capability,yama,apparmor,selinux (no selinux policy)
> capability,yama,selinux,apparmor (no selinux policy)
>   (tests that use shared interfaces fail without display LSM set, pass with it set to apparmor)
> capability,yama,smack (no smack policy)
> capability,yama,apparmor,smack (no smack policy)
> capability,yama,smack,apparmor (no smack policy)
>   (tests that use shared interfaces fail without display LSM set, pass with it set to apparmor)
>
>
> I have more test combinations churning but figure I could report what I have so far