>> Ben Caradoc-Davies wrote:
>>> And what I would like to know is how the fscking apparmor module got
>>> loaded in the first place, given that I have the apparmor service
>>> # ls -al /etc/systemd/system/apparmor.service
>>> lrwxrwxrwx 1 root root 9 Dec 8 11:24
>>> /etc/systemd/system/apparmor.service -> /dev/null
>>> # aa-status
>>> apparmor module is loaded.
>> You've masked a systemd service. But "module" probably refers to some
>> kernel module here, which has been enabled by default for a while in
>> Debian Unstable.
More precisely "module" in this context is to be understood as in
Linux Security Module (LSM). To fully disable the AppArmor LSM, pass
apparmor=0 on the kernel command line (security= might be needed on
top of that, didn't check recently, sorry). Masking/disabling
apparmor.service merely prevents policy loading on boot and might not
be what you want.
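
Added example, not part of the original thread: a small POSIX shell check that reports the kernel-side LSM state separately from the apparmor.service unit state, which is the distinction drawn above. The function names are hypothetical; /sys/module/apparmor/parameters/enabled, /proc/cmdline and `systemctl is-enabled` are the existing interfaces it reads.

```shell
#!/bin/sh
# Added example: "is the AppArmor LSM enabled?" vs "is apparmor.service masked?"

# Print the value of NAME= on a kernel command line, or "unset".
# $1 = parameter name, $2 = command line. A later occurrence overrides an
# earlier one. Simplification: quoted values containing spaces are not handled.
cmdline_param() {
    name=$1 result=unset
    for word in $2; do
        case "$word" in
            "$name"=*) result=${word#"$name"=} ;;
        esac
    done
    printf '%s\n' "$result"
}

# $1 = contents of /sys/module/apparmor/parameters/enabled
lsm_state() {
    case "$1" in
        Y) echo enabled ;;
        N) echo disabled ;;
        *) echo unknown ;;   # file missing or unreadable
    esac
}

# $1 = LSM state, $2 = output of `systemctl is-enabled apparmor.service`
summarize() {
    case "$1:$2" in
        enabled:masked|enabled:disabled)
            echo "LSM enabled; apparmor.service is $2, so no policy is loaded at boot" ;;
        *)  echo "LSM $1; apparmor.service is $2" ;;
    esac
}

apparmor_report() {
    enabled=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null) || enabled=
    cmdline=$(cat /proc/cmdline 2>/dev/null) || cmdline=
    unit=
    if command -v systemctl >/dev/null 2>&1; then
        # is-enabled exits non-zero for "masked"; keep its output anyway.
        unit=$(systemctl is-enabled apparmor.service 2>/dev/null) || true
    fi
    echo "cmdline: apparmor=$(cmdline_param apparmor "$cmdline")" \
         "security=$(cmdline_param security "$cmdline")"
    summarize "$(lsm_state "$enabled")" "${unit:-unknown}"
}

apparmor_report
```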