Comment 8 for bug 1317545

John Johansen (jjohansen) wrote :

Right, the add option will return EEXIST if any profile exists, and fails the load. This is why --replace is used; it will load or replace.

Upstream, kernel 3.12 is the first to support loading multiple profiles in a single load.

Ubuntu has been carrying (and testing) the patch since Saucy (3.11 based kernel).

When the kernel supports loading multiple profiles it exports the file (assuming securityfs is mounted at /sys/kernel/security):
   /sys/kernel/security/apparmor/features/policy/set_load

Previous kernels will just ignore extra data after the first profile (multiple profile load was always planned).

Concatenating profile cache files into a single file should work, as long as each file is a valid cache file, and the load is a single atomic write. This can be done by writing the file to the raw interface directly or via the parser using the -B option. The parser has the logic to break apart the large file if the kernel doesn't support multiple profile loads, so I would recommend using it, but it isn't required.

I'm still looking into what exactly is causing the kernel oops.
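As an added illustration of the feature check and the two load strategies described above (this is example code, not part of the bug report or of the AppArmor project): a small POSIX sh helper that looks for features/policy/set_load, concatenates the cache files into one blob when the kernel advertises multi-profile loads, and otherwise hands the files to the parser one at a time. The function names, the APPARMOR_FEATURES / APPARMOR_PARSER / DRY_RUN variables, and the test fixture paths are assumptions; the set_load path and the --replace and -B options are the ones named in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report): pick a load strategy based on
# whether the running kernel exports features/policy/set_load.
set -eu

# Hypothetical defaults; override via environment when running elsewhere.
APPARMOR_FEATURES="${APPARMOR_FEATURES:-/sys/kernel/security/apparmor/features}"

# Returns 0 (true) when the kernel advertises multi-profile loads.
# $1 is the features directory.
supports_set_load() {
    [ -e "$1/policy/set_load" ]
}

# Prints "single" when one atomic load of a concatenated blob is safe,
# otherwise "per-file". $1 is the features directory.
load_plan() {
    if supports_set_load "$1"; then
        echo "single"
    else
        echo "per-file"
    fi
}

# Concatenates cache files into one blob.
# $1 is the output path, remaining arguments are cache files in load order.
# Prints the resulting blob size in bytes.
concat_caches() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
    done
    wc -c < "$out" | tr -d ' '
}

# Runs a command, or only prints it when DRY_RUN is set (useful for review).
run_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Loads the given cache files through the parser.
# $1 is the features directory, remaining arguments are cache files.
# With set_load present, everything goes in as one concatenated load;
# without it, each file is loaded on its own so every load stays a single
# write (the parser would also split a concatenated file itself, as the
# comment notes, but keeping the inputs separate makes the fallback explicit).
load_caches() {
    features="$1"; shift
    parser="${APPARMOR_PARSER:-apparmor_parser}"
    if [ "$(load_plan "$features")" = "single" ]; then
        blob="$(mktemp)"
        concat_caches "$blob" "$@" > /dev/null
        run_cmd "$parser" --replace -B "$blob"
        rm -f "$blob"
    else
        for f in "$@"; do
            run_cmd "$parser" --replace -B "$f"
        done
    fi
}
```

Usage on a live system would be `load_caches "$APPARMOR_FEATURES" /path/to/*.cache`; setting DRY_RUN=1 first shows which parser invocations would be made without touching the kernel.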