[PATCH v4 23/23] AppArmor: Remove the exclusive flag
Kees Cook
keescook at chromium.org
Thu Jun 27 03:28:19 UTC 2019
On Thu, Jun 27, 2019 at 12:22:13PM +1000, James Morris wrote:
> On Wed, 26 Jun 2019, Casey Schaufler wrote:
>
> > With the inclusion of the "display" process attribute
> > mechanism AppArmor no longer needs to be treated as an
> > "exclusive" security module. Remove the flag that indicates
> > it is exclusive. Remove the stub getpeersec_dgram AppArmor
> > hook as it has no effect in the single LSM case and
> > interferes in the multiple LSM case.
>
> So now if I build a kernel with SELinux and AppArmor selected, with
> SELinux registered first, I now need to use apparmor=0 at the kernel
> command line to preserve existing behavior (just SELinux running).
>
> This should at least be documented.
>
> I wonder if this will break existing users, though. Who has both
> currently selected and depends on only one of them being active?
I don't think this will change a system using SELinux, right? There
would be no policy loaded for AppArmor so its hooks would be no-op.
But maybe I'm not thinking hard enough?
--
Kees Cook
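A quick check for the situation James describes, added here as an example and not part of the thread: on a running kernel, /sys/kernel/security/lsm lists the security modules that registered, comma-separated, and /proc/cmdline shows whether apparmor=0 was passed. The functions below take those two strings as arguments so they can be exercised on constructed samples; the mapping of "name appears in the list" to "module is active" is the example's assumption, and the verdict strings are its own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reports whether a kernel
# has SELinux, AppArmor, both or neither registered, and whether apparmor=0
# is on the kernel command line. Inputs are passed as strings so the checks
# run offline on constructed samples; the live-system call is at the bottom.

lsm_active() {
    # $1: comma-separated LSM list (format of /sys/kernel/security/lsm)
    # $2: module name, e.g. selinux. Returns 0 if the name is in the list.
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

cmdline_has() {
    # $1: kernel command line (format of /proc/cmdline)
    # $2: exact parameter to look for, e.g. apparmor=0
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

lsm_report() {
    # $1: comma-separated LSM list. Prints one of the verdict strings below
    # (names chosen for this example) and returns 0.
    if lsm_active "$1" selinux && lsm_active "$1" apparmor; then
        # Both registered: after this patch neither is exclusive, so both
        # run their hooks; pass apparmor=0 to keep the SELinux-only setup.
        echo "both-active"
    elif lsm_active "$1" selinux; then
        echo "selinux-only"
    elif lsm_active "$1" apparmor; then
        echo "apparmor-only"
    else
        echo "neither"
    fi
}

# Live usage: only runs where the kernel exposes both files.
if [ -r /sys/kernel/security/lsm ] && [ -r /proc/cmdline ]; then
    echo "lsm: $(lsm_report "$(cat /sys/kernel/security/lsm)")"
    if cmdline_has "$(cat /proc/cmdline)" apparmor=0; then
        echo "cmdline: apparmor=0 present"
    else
        echo "cmdline: apparmor=0 absent"
    fi
fi
```

A kernel booted with apparmor=0 will normally not show apparmor in the list at all, so "both-active" on a box that was meant to be SELinux-only is the signal that the command line needs the flag.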