[PATCH v4 23/23] AppArmor: Remove the exclusive flag

Kees Cook keescook at chromium.org
Thu Jun 27 03:28:19 UTC 2019


On Thu, Jun 27, 2019 at 12:22:13PM +1000, James Morris wrote:
> On Wed, 26 Jun 2019, Casey Schaufler wrote:
> 
> > With the inclusion of the "display" process attribute
> > mechanism AppArmor no longer needs to be treated as an
> > "exclusive" security module. Remove the flag that indicates
> > it is exclusive. Remove the stub getpeersec_dgram AppArmor
> > hook as it has no effect in the single LSM case and
> > interferes in the multiple LSM case.
> 
> So now if I build a kernel with SELinux and AppArmor selected, with 
> SELinux registered first, I now need to use apparmor=0 at the kernel 
> command line to preserve existing behavior (just SELinux running).
> 
> This should at least be documented.
> 
> I wonder if this will break existing users, though.  Who has both 
> currently selected and depends on only one of them being active?

I don't think this will change a system using SELinux, right? There
would be no policy loaded for AppArmor so its hooks would be no-op.

But maybe I'm not thinking hard enough?

-- 
Kees Cook
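The question James raises (which LSMs end up active on a kernel that builds both, and what apparmor=0 does about it) can be answered on a running system from /sys/kernel/security/lsm and /proc/cmdline. The following is an added example, not code from the thread, from AppArmor or from the kernel tree. It assumes the documented format of /sys/kernel/security/lsm (a comma-separated list of initialised LSMs, no trailing newline) and the apparmor= and lsm= parameters from Documentation/admin-guide/kernel-parameters.txt; the list and command-line strings it is run against are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel): report which major
# LSMs a kernel has initialised and whether the boot command line keeps
# AppArmor out. Real inputs are /sys/kernel/security/lsm (comma-separated,
# no newline) and /proc/cmdline; the strings in the usage block at the
# bottom are constructed samples.

# list_lsms LSM_LIST -> one initialised LSM name per line
list_lsms() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# has_lsm LSM_LIST NAME -> exit 0 if NAME appears in the list
has_lsm() {
    list_lsms "$1" | grep -qx "$2"
}

# major_lsms LSM_LIST -> "selinux+apparmor", "selinux", "apparmor" or "none"
# (capability, yama and the other minor modules are ignored here)
major_lsms() {
    out=""
    for name in selinux apparmor; do
        if has_lsm "$1" "$name"; then
            out="${out:+$out+}$name"
        fi
    done
    printf '%s\n' "${out:-none}"
}

# apparmor_on_cmdline CMDLINE -> "disabled" if the command line prevents
# AppArmor from initialising, otherwise "enabled". Two switches do that:
#   apparmor=0          the AppArmor-specific enable flag
#   lsm=a,b,c           an explicit LSM list that omits apparmor
#                       (any LSM not named in lsm= is disabled)
apparmor_on_cmdline() {
    status=enabled
    for tok in $1; do
        case "$tok" in
            apparmor=0)
                status=disabled ;;
            lsm=*)
                if ! printf '%s\n' "${tok#lsm=}" | tr ',' '\n' | grep -qx apparmor; then
                    status=disabled
                fi ;;
        esac
    done
    printf '%s\n' "$status"
}

# Usage on a live system: the real sysfs file and command line.
if [ -r /sys/kernel/security/lsm ] && [ -r /proc/cmdline ]; then
    echo "initialised major LSMs: $(major_lsms "$(cat /sys/kernel/security/lsm)")"
    echo "apparmor per cmdline:   $(apparmor_on_cmdline "$(cat /proc/cmdline)")"
fi

# Constructed samples (not captured from any machine) showing the two
# situations discussed above: SELinux alone, and both stacked.
echo "sample A: $(major_lsms 'capability,yama,selinux')"
echo "sample B: $(major_lsms 'capability,yama,selinux,apparmor')"
echo "sample cmdline: $(apparmor_on_cmdline 'root=/dev/sda1 apparmor=0')"
```

Run before and after a kernel upgrade: if sample-B-style output ("selinux+apparmor") appears where only "selinux" was expected, the kernel is now stacking both and apparmor=0 (or an explicit lsm= list without apparmor) restores the single-module boot.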