mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00

Allow capability to stack under AppArmor. This is a fake stacking
however in that the capability hooks never get called.  This shouldn't
be a big problem since AppArmor already composes capability through
use of common cap.

This just prevents the user from having to deal with/understand the
error message that occurs when the capability module fails to stack
with AppArmor.
John Johansen
2007-03-23 16:41:43 +00:00
parent 399561b10d
commit 4d9fde38db


@@ -797,7 +797,13 @@ int apparmor_register_subsecurity(const char *name,
if (mutex_lock_interruptible(&aa_secondary_lock))
return -ERESTARTSYS;
if (strcmp(name, "dazuko") == 0 && !aa_secondary_ops) {
/* allow dazuko and capability to stack. The stacking with
* capability is fake however in that non of capabilities hooks
* get called, since apparmor already composes capability using
* common cap.
*/
if (!aa_secondary_ops && (strcmp(name, "dazuko") == 0 ||
strcmp(name, "capability") == 0)){
/* The apparmor module needs to be pinned while a secondary is
* registered
*/
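Review bot: In the new condition `if (!aa_secondary_ops && (strcmp(name, "dazuko") == 0 || strcmp(name, "capability") == 0)){`, "capability" is gated on the same `!aa_secondary_ops` check as dazuko. If the branch body (not visible in this hunk) records the registrant in `aa_secondary_ops`, loading capability first would make a later dazuko registration fail, even though the comment says capability's hooks are never called. Consider giving "capability" its own early success path that neither takes the secondary slot nor pins the module, or state in the comment that the two are mutually exclusive. Minor: "non of capabilities hooks" in the comment should read "none of capability's hooks", and kernel style wants a space before the opening brace in `== 0)){`.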