Comment 5 for bug 1844186

John Johansen (jjohansen) wrote :

The LSMs respecting the nnp flag was actually mandated by Linus. So yes it breaks apparmor.

Kernel 3.5: Tasks that have nnp block apparmor policy transitions except for unconfined, as transitions in that case always result in reduced permissions.

Kernel 4.13: Loosened these restrictions around stacking. That is, a transition adding a new element to a stack was allowed, as that is guaranteed to always reduce permissions. Ubuntu had this in Xenial (4.4) kernels.

Kernel 4.17: AppArmor began tracking under what label nnp was set and using that for profile transition tests. This improved the 4.13 stacking test making containers capable of transitioning policy in the container as long as the host policy wasn't transitioned.

To do more, apparmor has to be able to override nnp. SELinux has managed to add an nnp override permission and get it upstream; we are looking to do the same with apparmor, but I have no timeline as to when it will land.
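The behaviour described in the comment can be observed directly from a process: set no_new_privs with prctl(2), confirm the flag, and then ask AppArmor for a label change using the same /proc interface that libapparmor's aa_change_profile()/aa_stack_profile() use (the kernel reads "changeprofile <name>" or "stack <name>" written to /proc/self/attr/apparmor/current, with /proc/self/attr/current as the older path). The program below is an added example, not code from the comment, the bug report or the AppArmor project. It assumes a Linux host with a C compiler; the profile name "example-profile" is a placeholder, not a profile that exists anywhere. On a kernel without AppArmor, or with no such profile loaded, both requests simply fail with the errno the program prints (typically ENOENT or EINVAL); the interesting case is a confined task with nnp set, where per the comment "changeprofile" to another profile is refused while "stack" is permitted on 4.13+ kernels because adding to the stack can only reduce permissions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Older libc headers may lack these; the values are fixed in the kernel ABI. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Current no_new_privs state of this task: 0 or 1, or -1 on error. */
int read_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set no_new_privs. Irreversible and inherited by children; 0 on success. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Cross-check against the NoNewPrivs: line in /proc/self/status
 * (what `grep NoNewPrivs /proc/PID/status` shows). -1 if unreadable. */
int status_no_new_privs(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int v = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "NoNewPrivs: %d", &v) == 1)
            break;
    fclose(f);
    return v;
}

/* Ask AppArmor for a label change the way libapparmor does: write
 * "<op> <profile>" to the task's attr file. op is "changeprofile" or
 * "stack". Returns 0 if the kernel accepted it, else the errno value. */
int request_label_change(const char *op, const char *profile)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s %s", op, profile);
    if (n < 0 || (size_t)n >= sizeof buf)
        return EINVAL;
    int fd = open("/proc/self/attr/apparmor/current", O_WRONLY);
    if (fd < 0)
        fd = open("/proc/self/attr/current", O_WRONLY); /* pre-4.17 path */
    if (fd < 0)
        return errno;
    int rc = 0;
    if (write(fd, buf, (size_t)n) != n)
        rc = errno ? errno : EIO;
    close(fd); /* after saving rc: close() may clobber errno */
    return rc;
}

int main(void)
{
    const char *profile = "example-profile"; /* placeholder name */
    printf("NoNewPrivs before: prctl=%d status=%d\n",
           read_no_new_privs(), status_no_new_privs());
    if (set_no_new_privs() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("NoNewPrivs after:  prctl=%d status=%d\n",
           read_no_new_privs(), status_no_new_privs());

    /* Under nnp the comment's rules apply: unconfined -> anything is fine,
     * stacking is allowed from 4.13, a plain changeprofile from a confined
     * label is refused; the errno tells you which case you hit. */
    int rc = request_label_change("stack", profile);
    printf("stack %s: %s\n", profile, rc ? strerror(rc) : "accepted");
    rc = request_label_change("changeprofile", profile);
    printf("changeprofile %s: %s\n", profile, rc ? strerror(rc) : "accepted");
    return 0;
}
```

Run it once unconfined and once from inside a confined profile (for example via aa-exec) to see the difference; once nnp is set it cannot be cleared, so use a throwaway process.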