Kees is right: AppArmor composes capabilities, so as long as AppArmor is loaded, capabilities are being enforced whether applications are confined or unconfined. AppArmor's additional capability mediation, which is specified in profiles, is applied after standard capability mediation is applied.
The stacking of the capability module is fake in that AppArmor will never call into it. Allowing capability to stack was done because SUSE had many customers trying to load the capability module, and having it fail resulted in bug/support requests. It also has the benefit that enabling/disabling AppArmor doesn't have to change the init scripts to load capability.

--
apparmor reinitializes caps late in boot
https://bugs.launchpad.net/bugs/136637
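The point above is that two separate checks are in play: the kernel's standard capability check against the task's effective set, and then (only for confined tasks) the profile's capability rules. The script below is an added example, not code from the bug thread or from the AppArmor project; it reads the two pieces of state a practitioner would inspect to verify this on a running system: the CapEff mask from /proc/PID/status and the confinement label from /proc/PID/attr/current. The capability numbers are the ones from <linux/capability.h>; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug thread): show the standard capability set
# and the AppArmor confinement label of a process side by side. A capability
# missing from CapEff is denied by the kernel's own check regardless of
# whether the process is confined or what its profile says.

# Capability numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10
CAP_SYS_ADMIN=21

# cap_in_mask MASK CAPNUM
# MASK is the hex string shown on the CapEff/CapPrm/CapBnd lines of
# /proc/PID/status. Succeeds (exit 0) when bit CAPNUM is set.
cap_in_mask() {
    [ -n "$1" ] || return 1
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# proc_cap_mask PID [FIELD]
# Print the hex mask for FIELD (default CapEff) of PID.
proc_cap_mask() {
    awk -v f="${2:-CapEff}:" '$1 == f { print $2 }' "/proc/$1/status"
}

# apparmor_label PID
# Print the AppArmor label of PID, e.g. "unconfined" or "/usr/sbin/foo (enforce)".
# Prints "unavailable" when the attr file cannot be read (no LSM attr support).
apparmor_label() {
    f="/proc/$1/attr/current"
    if [ -r "$f" ]; then
        tr -d '\0' < "$f"
    else
        echo "unavailable"
    fi
}

# report [PID]
# Print both views for PID (default: this shell) and say, for two sample
# capabilities, which layer would stop the operation first.
report() {
    pid="${1:-$$}"
    eff="$(proc_cap_mask "$pid" CapEff)"
    printf 'pid %s  CapEff=%s  apparmor=%s\n' "$pid" "$eff" "$(apparmor_label "$pid")"
    for entry in "CAP_NET_BIND_SERVICE $CAP_NET_BIND_SERVICE" "CAP_SYS_ADMIN $CAP_SYS_ADMIN"; do
        name="${entry% *}"
        num="${entry#* }"
        if cap_in_mask "$eff" "$num"; then
            printf '  %-21s in effective set; a profile rule is the next check if confined\n' "$name"
        else
            printf '  %-21s absent; denied by the standard capability check, profile or not\n' "$name"
        fi
    done
}

# Usage: sh capcheck.sh --report [PID]
case "${1-}" in
    --report) report "${2:-$$}" ;;
esac
```

Run it as root in one terminal and as an unprivileged, unconfined user in another: the unprivileged run shows the capabilities absent even though the AppArmor label is "unconfined", which is the composition the message describes. Comparing CapBnd with CapEff (pass CapBnd as the second argument to proc_cap_mask) shows the bounding set the profile's capability rules are further narrowing for a confined process.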