libapparmor: interface check is broken
AppArmor 3.0 added support for using the new LSM interfaces. Unfortunately, this check is not working correctly. It should check whether the new interface is available and use it; if not, it should fall back to the old interface if possible.
There are two issues:
- The new interface requires different permissions when processes are confined.
- If access to the new interface fails, the fallback check may fail.
This results in AppArmor API failures like aa_getcon() returning Invalid argument.
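
As an added illustration (not libapparmor's code or its fix), the probe-then-fall-back behaviour described above could look like this in C. The function name `pick_attr_path`, the enum, and the use of `/proc/self/attr/apparmor/current` and `/proc/self/attr/current` as the new and old interface files are assumptions that the report itself does not state.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>   /* mkdir(), for building a scratch attr tree */
#include <unistd.h>

enum attr_iface { IFACE_NONE = -1, IFACE_OLD = 0, IFACE_NEW = 1 };

/* Hypothetical helper, not libapparmor's implementation. attr_dir is
 * normally "/proc/self/attr"; it is a parameter so the selection logic can
 * be run against a constructed directory. On success `out` holds the path
 * of the interface file that could actually be opened. */
enum attr_iface pick_attr_path(const char *attr_dir, const char *attr,
                               char *out, size_t outlen)
{
    /* Preference order: per-LSM file first, then the shared legacy file. */
    static const char *const fmt[] = { "%s/apparmor/%s", "%s/%s" };
    static const enum attr_iface kind[] = { IFACE_NEW, IFACE_OLD };

    for (size_t i = 0; i < 2; i++) {
        int n = snprintf(out, outlen, fmt[i], attr_dir, attr);
        if (n < 0 || (size_t)n >= outlen) {
            errno = ENAMETOOLONG;
            return IFACE_NONE;
        }
        /* Probe with open(), the operation that will really be used. Any
         * failure (such as ENOENT when the file is absent or EACCES when a
         * confined task is denied) moves on to the next candidate. */
        int fd = open(out, O_RDONLY | O_CLOEXEC);
        if (fd >= 0) {
            close(fd);
            return kind[i];
        }
    }
    return IFACE_NONE; /* errno comes from the last open() attempt */
}

int main(void)
{
    char path[512];
    enum attr_iface k = pick_attr_path("/proc/self/attr", "current",
                                       path, sizeof path);
    printf("%s\n", k == IFACE_NONE ? "no usable attr interface" : path);
    return k == IFACE_NONE ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

The point of the loop is that a failed open of the new file is never treated as fatal on its own; only when both candidates fail does the caller see an error.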