LSM stacking (again)

LSM stacking (again)

A safer variation on the same theme would be to write the stacking such that each LSM only gets to check accesses that other loaded LSMs have permitted; for example "check everything with AppArmor. If AppArmor permits it, fall through to SELinux. If SELinux permits it, fall through to Yama."

If you then want to have AppArmor handle all the filesystem stuff, while SELinux only deals with networking, you have to design your AppArmor and SELinux policies to do this, and you've hopefully thought about the failure modes of doing so. If Clueless CrazyAdmin uses off-the-shelf SELinux and AppArmor policies, they get only the accesses that both LSMs believe are safe.

In practice, such a stacking method makes stacking full-fledged security modules like SELinux and Smack together rather pointless; where you benefit is with "boutique" LSMs like Yama, which aim to prevent a limited set of security flaws - you can stack Yama and SELinux, and get Yama covering everything, while SELinux only protects that part of the system that you've written policy for.