From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF1D3C43460 for ; Thu, 13 May 2021 20:35:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C2354611BF for ; Thu, 13 May 2021 20:35:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233101AbhEMUhI (ORCPT ); Thu, 13 May 2021 16:37:08 -0400 Received: from sonic317-38.consmr.mail.ne1.yahoo.com ([66.163.184.49]:41131 "EHLO sonic317-38.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233056AbhEMUhH (ORCPT ); Thu, 13 May 2021 16:37:07 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1620938157; bh=r5+vPGElNosZcu2Wj41BSjkDKQjGL3hvS42vlbA9dA4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=WTPkNoqeHGcgn3Brgav/A97e7YWtKoxNJ6tgmLJGGnyLh3KoISd3V4zi/wwcO4Ab6/Hf7oiwK8Kuc+e9Mt+/L63rcKsnObLuLWFpbfIJ0jTC+ZEVqgiWSzYEw0u0XlCsBfUH72SkMgLzk+I0yoZ+L6iXiX6mH65q0F7GOoAhn63LRwXsMGD2OzESoP70mAhPmtzdLEC3JmQsoa+TlztcJ2GOCfIdOqIHxJmm8aIGCp8W3u+xeoz2xh8Bi1mWWoHZ44I/sZUgfn78z+7KvTvd2BaiJXXE32f3HlsmB8zpE44kbsA8ocT8nYZWQIFXqyWcnA+miV3Rkkq/gkyuNqhlVg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1620938157; bh=rmGTEneUopIyDsPIvHKa8z2R2pWr8setArob4+5hoBp=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=eo07+xaO0rExrLLUBdQicVWQEQDdxKuBgJ6Z9pFMtsXISC0glL2pFhs+QSz+AusGsoOFyXiulJywjbY6uPq5/HnG9W32xdO6ZiPvfyIH9GTa2NdQVSVtDlfmbhkZJE9ne57y+8D+xJydR55mJtYrBoBy952z01d8Ipf/YBkZt8TnkSvzcbd6YBgF0SHIpS8OcwcpKok/wF4P4W6A2/47M83ThT8iFIdOsYAPaxrDganY9NK985aQo5S6BValySzHeOcWxmJJ5eTgcQOsacm5nLjAtNfGZsZur0LB6qdVEl5d4FRjdgAcSCNyRI11AdOQbU6xsEW8qVLPNyCDG+T0PQ== X-YMail-OSG: gnJjLPsVM1mzdmNomaw5Hs2mbX96jw3uChFTVZYhVp.QCTOtKK.h_FJlQxBbEIz qlJyZBwN5hp_cImGuHymhf7d8OLa1hqIFBlc8nKX7BVaGIjvNe6P8xJOW4v23QyKdkxEn_fEv8.m YCCWkKjbyAZXaHK3iqshftfzWTY4.vYR0gjK_DTtTgbcnwLsLjKB7xW3Ny7_SKw649Q3rLr9TZyL nhxfEos58V7raWmOF7o0r7dWwaO0mWL55J.bWaVMjK.Viy3PgWR7PnLzLEAwH1fhZ4dAYImrXw04 HQs3r12sn6g1Q4S5J1HhC85JII5c7siqyrEz_AADtPF33Rc5eRkq.Jgpq59VDT3GvaajQ0gaUQW4 8uRjAvy3cNWMVOgYP.n9ptyCazBMR5NdtqVgSfCnoJvyVRBsZMogSSvTE7u4LvHP44uGtjMw4Fm2 6whASp8K3XFmafkHkPFsj7ET.jC_sxXCePoY2pnZQvg4xqPSz2itWYcMtUt77vccFowCpqqxODia 9cf6xEpi8CPOJweuiGJnzUScpxFCdfj0XCiXLuYHbgNjleRr8yuu7SXwyeY0t.VbpCK9JjFKMYKT 4SiwmhKpiIA7P0ohgdAnlZp8Y9K4pUzh90S3ayimdS8xYSsOncyzYpgPX0beFbhovU22DlC4j1MJ JnFP2RusET2MrTPR6kk7kmh2xqBdYnHVSFxTY9M5EBdthuhds0ECKdkJqhKlFK9Zq_xdHRSOQPYL 1SAp5RMs1XE3HIQX3K6A.Jd2eMZwAHu9ccIk3dqB704_U09U7w4lyYjAtwQGTI0WKML7xnh6Yo5Z CDHnAJELcn6bdB.TXkhhKLSSBxLfIl_L484ZN9qEUR1ZJxJWxNMSlut4k3fS2.87DaEmBNzxnxJU 4GsJUgG.cYk1SwyyrBPRGwZZpwFUBc5R1S3s3Gz.RQtY4EgmOH90QR1QrtkCZuGmntYih1_G6nV2 vBLVqmrXw7mn_1nnJOw0erdIM_zO1hMCe8ZbtHErv.6EY2Hd6NQArjzu9enOiOE7dnTUu8R9p0kJ vvn35Fjv9VdFQcpXYFlLBdnnw66kw__t39onX1x9AOT44p_VSkxXtbHH6LKJFhuQ0o.b2VS8EAx7 dl45KK9oM3JjNrvfDsHHhcVfAjXRCAwmJT6zdMrq4URjJXYymSh226LK3rj9P_P37nF0uGerWh5b rohQSAcxg49mA_FxxCjQybziOVqVY2PvgDe_CX0l5j.ff9PSiNV3YtgHb4BsZh_E6xgyuw8mxbME YP2K6QDteP4wDYNx_WJ4pFZJkS_NrHGdhgZsnU7_fAtkZKuYf8hvLQTIMlTULT5O0mh2GEPdbRcN 1vr7YiArP2pA1gg7b_dD6EjKaqj2YS14NqnxyF5N7TvpaAHKiDK7pS0dIZXDtOYoRko1Bi2EigsF nKVEsMBC152E_o4z06h6KgGiIqkGrY_UsXSy0PTrM.ojM5MACMjwFVUiAHiuCSzEGx0..U0cvYwT tNFoZO4FjSG1QszQlauJ53I4d65L_iy2kE7asuxqlH0JfpkxYevE9oGjoPI_IZD2N4AHhwUx9oJu KgZTLz_R9WK4hQ8bhv3WVkjfwKzIbTsfGw3m1H7Mf.HKleMR7j9XxFq5nBMX9h9EjESRPylc68Pt OKeP8b3.uJpKlhnJQeJHxjyZCtXI73WYGRrDEWbjXAdIPrwjwx7Zi1sHUi.P0yYZDb85NXfEpZkI TJsemluvMREqwLh_8q9jHRqMS6a.5LCkQVJlNokyXL9c3V0TXtV1OlB6q6V4we4nDF9AVFyr6iUa 1_gv5aOSCceWqCdrgCdztIkCy71EALuVbVVzIRFR5dFWZ4iQ5N0cBcnG.79v2gn_OPdpb00zFsZj DOrQCnv6plSyzSDFOhIL2zSPRFfxtTVUwWmBovGRN1DoE2VUOpnUdBldNXuTCuj.Em7jR1D2ACZA UjdTGtvhe3PEnvZ6U1sssgguDWM5UMU6N7JbofAxQthU7Cba914yGWwR8sOPCMF.Co5e.31vFUap TJmjhKuus2Y5x2OsIX2wXckGuaf_MLDlXFn7xd2TwGbpl3Tj2N7zMMmxEd5Zx26ZdqPhvUeb6Xqr hiezlD6925pVtKtrqDhv.o7Y.C5kCiSfRi2ISws4kKx9ZJ6G.SU1qx7Htr4SuQt.Ox2hf4r3BgUA i4Zf6NnrK4BNKQYKXtrO6ToZ9itwv4gE0cVgeuHgvjrywofybaphW2BJImnsRN_nYn0HTIVgv_mt owrFmb7cK.pXEL2kayou_QuJ6lHlq_14W3NAVpyfguXZWqxsF4j7EP38CtmHTq2ePt2F4rv5Gs2j 889aNFHjbtQ6CAN5BbyaPmjuQ_q4LWwYgDzFmDitHwzDE_RE5gtNvblI_0AH5vQYUvqclqGFYwC_ _KhIev2tgbsE2n0YFimpb4DE6Q1UZJz7J8b8jEcRWcgD.lv5IqctMOi7BrjbM_._qNOBhDSd4tXg 1IfBZv7QIEdBqbD7IzbveAGV9EixbKJFjMCqAz6udURfqicbhzyMMvWO8b39ZeRSLvtmYDQtiiOh dY6RE4COtR5c7MWgMo2QvM5HbqfhAzzxqGiK5GUJDeNdTM9dFNvuU1qEqMfaXhHbrOkm23AsoXk7 keNasqcqVFRSiy_FjNR9VYGn8eOhBVE4Wgy8BlKBUda_Hz63ZRDAo9K0fUmu89YJGcqhU90Mtvn6 5RrrJHyR1UUKHISYuCzE69x7WNLgVdqepF_SfJ_vcxzwJRQkeUITmSflC.HWGJ7P7PEsW4q2lqKz 7xG5nNobMaCh6IMHLY9bPI3zT.0py3iwBmoR98DcPD5.mDRiyir0NaRdyGsP_h3TUDoZumtJYnN9 WXMZB5XKVDasu3fXH3Gc2Km6mddQiv0_IV4XvMhXydFWJlnkMh4My.5Fb9VB3LOZSV1TsqGgC2Jp AkGi77XxT2JDSLIE9qipSjpNZ9NX0d6AYkfoCt8YR4WiUcuX0W_097Q9jeZR2abaZFS0cuZBLAo6 V4B4qlog0PQGGxnk1Ff_GPR4Z7tirm8GEfEiqaA4QAdO.FexyPIdrgy5TXZeoAqx6z2J9aWaP.fT 2.i_mpSiOaFuGiXgnWEpFIp2z5z1rlCb.2JG_pK1szNliS.Ue9Hl9Eu2ipJChJxFerppbTg3M8lt 5L6LgRmH_WTA0CCwoOLLE.cKgXM1O X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic317.consmr.mail.ne1.yahoo.com with HTTP; Thu, 13 May 2021 20:35:57 +0000 Received: by kubenode502.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 82ee62b5c0a8268c1df3e319376022b6; Thu, 13 May 2021 20:35:52 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org Subject: [PATCH v26 25/25] AppArmor: Remove the exclusive flag Date: Thu, 13 May 2021 13:08:07 -0700 Message-Id: <20210513200807.15910-26-casey@schaufler-ca.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20210513200807.15910-1-casey@schaufler-ca.com> References: <20210513200807.15910-1-casey@schaufler-ca.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org With the inclusion of the interface LSM process attribute mechanism AppArmor no longer needs to be treated as an "exclusive" security module. Remove the flag that indicates it is exclusive. Remove the stub getpeersec_dgram AppArmor hook as it has no effect in the single LSM case and interferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 65a004597e53..15af5a5cb0c0 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1138,22 +1138,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, return error; } -/** - * apparmor_socket_getpeersec_dgram - get security label of packet - * @sock: the peer socket - * @skb: packet data - * @secid: pointer to where to put the secid of the packet - * - * Sets the netlabel socket state on sk from parent - */ -static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) - -{ - /* TODO: requires secid support */ - return -ENOPROTOOPT; -} - /** * apparmor_sock_graft - Initialize newly created socket * @sk: child sock @@ -1257,8 +1241,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { #endif LSM_HOOK_INIT(socket_getpeersec_stream, apparmor_socket_getpeersec_stream), - LSM_HOOK_INIT(socket_getpeersec_dgram, - apparmor_socket_getpeersec_dgram), LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), @@ -1928,7 +1910,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .enabled = &apparmor_enabled, .blobs = &apparmor_blob_sizes, .init = apparmor_init, -- 2.29.2 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3A6C1C433ED for ; Thu, 13 May 2021 20:36:14 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 969E26143E for ; Thu, 13 May 2021 20:36:12 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 969E26143E Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-182-hNIdmU5iMh6_GOoUfaYiHw-1; Thu, 13 May 2021 16:36:08 -0400 X-MC-Unique: hNIdmU5iMh6_GOoUfaYiHw-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C0266107ACE3; Thu, 13 May 2021 20:36:05 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A57665C8AA; Thu, 13 May 2021 20:36:05 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 65453EDDA; Thu, 13 May 2021 20:36:05 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 14DKa3O0024863 for ; Thu, 13 May 2021 16:36:03 -0400 Received: by smtp.corp.redhat.com (Postfix) id 8D2582172F14; Thu, 13 May 2021 20:36:03 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast01.extmail.prod.ext.rdu2.redhat.com [10.11.55.17]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 884B1215ADFF for ; Thu, 13 May 2021 20:36:00 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 32585857D08 for ; Thu, 13 May 2021 20:36:00 +0000 (UTC) Received: from sonic317-38.consmr.mail.ne1.yahoo.com (sonic317-38.consmr.mail.ne1.yahoo.com [66.163.184.49]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-200-qcU1jSHZOq6pPEQmaozCbw-1; Thu, 13 May 2021 16:35:57 -0400 X-MC-Unique: qcU1jSHZOq6pPEQmaozCbw-1 X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1620938157; bh=rmGTEneUopIyDsPIvHKa8z2R2pWr8setArob4+5hoBp=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=eo07+xaO0rExrLLUBdQicVWQEQDdxKuBgJ6Z9pFMtsXISC0glL2pFhs+QSz+AusGsoOFyXiulJywjbY6uPq5/HnG9W32xdO6ZiPvfyIH9GTa2NdQVSVtDlfmbhkZJE9ne57y+8D+xJydR55mJtYrBoBy952z01d8Ipf/YBkZt8TnkSvzcbd6YBgF0SHIpS8OcwcpKok/wF4P4W6A2/47M83ThT8iFIdOsYAPaxrDganY9NK985aQo5S6BValySzHeOcWxmJJ5eTgcQOsacm5nLjAtNfGZsZur0LB6qdVEl5d4FRjdgAcSCNyRI11AdOQbU6xsEW8qVLPNyCDG+T0PQ== X-YMail-OSG: gnJjLPsVM1mzdmNomaw5Hs2mbX96jw3uChFTVZYhVp.QCTOtKK.h_FJlQxBbEIz qlJyZBwN5hp_cImGuHymhf7d8OLa1hqIFBlc8nKX7BVaGIjvNe6P8xJOW4v23QyKdkxEn_fEv8.m YCCWkKjbyAZXaHK3iqshftfzWTY4.vYR0gjK_DTtTgbcnwLsLjKB7xW3Ny7_SKw649Q3rLr9TZyL nhxfEos58V7raWmOF7o0r7dWwaO0mWL55J.bWaVMjK.Viy3PgWR7PnLzLEAwH1fhZ4dAYImrXw04 HQs3r12sn6g1Q4S5J1HhC85JII5c7siqyrEz_AADtPF33Rc5eRkq.Jgpq59VDT3GvaajQ0gaUQW4 8uRjAvy3cNWMVOgYP.n9ptyCazBMR5NdtqVgSfCnoJvyVRBsZMogSSvTE7u4LvHP44uGtjMw4Fm2 6whASp8K3XFmafkHkPFsj7ET.jC_sxXCePoY2pnZQvg4xqPSz2itWYcMtUt77vccFowCpqqxODia 9cf6xEpi8CPOJweuiGJnzUScpxFCdfj0XCiXLuYHbgNjleRr8yuu7SXwyeY0t.VbpCK9JjFKMYKT 4SiwmhKpiIA7P0ohgdAnlZp8Y9K4pUzh90S3ayimdS8xYSsOncyzYpgPX0beFbhovU22DlC4j1MJ JnFP2RusET2MrTPR6kk7kmh2xqBdYnHVSFxTY9M5EBdthuhds0ECKdkJqhKlFK9Zq_xdHRSOQPYL 1SAp5RMs1XE3HIQX3K6A.Jd2eMZwAHu9ccIk3dqB704_U09U7w4lyYjAtwQGTI0WKML7xnh6Yo5Z CDHnAJELcn6bdB.TXkhhKLSSBxLfIl_L484ZN9qEUR1ZJxJWxNMSlut4k3fS2.87DaEmBNzxnxJU 4GsJUgG.cYk1SwyyrBPRGwZZpwFUBc5R1S3s3Gz.RQtY4EgmOH90QR1QrtkCZuGmntYih1_G6nV2 vBLVqmrXw7mn_1nnJOw0erdIM_zO1hMCe8ZbtHErv.6EY2Hd6NQArjzu9enOiOE7dnTUu8R9p0kJ vvn35Fjv9VdFQcpXYFlLBdnnw66kw__t39onX1x9AOT44p_VSkxXtbHH6LKJFhuQ0o.b2VS8EAx7 dl45KK9oM3JjNrvfDsHHhcVfAjXRCAwmJT6zdMrq4URjJXYymSh226LK3rj9P_P37nF0uGerWh5b rohQSAcxg49mA_FxxCjQybziOVqVY2PvgDe_CX0l5j.ff9PSiNV3YtgHb4BsZh_E6xgyuw8mxbME YP2K6QDteP4wDYNx_WJ4pFZJkS_NrHGdhgZsnU7_fAtkZKuYf8hvLQTIMlTULT5O0mh2GEPdbRcN 1vr7YiArP2pA1gg7b_dD6EjKaqj2YS14NqnxyF5N7TvpaAHKiDK7pS0dIZXDtOYoRko1Bi2EigsF nKVEsMBC152E_o4z06h6KgGiIqkGrY_UsXSy0PTrM.ojM5MACMjwFVUiAHiuCSzEGx0..U0cvYwT tNFoZO4FjSG1QszQlauJ53I4d65L_iy2kE7asuxqlH0JfpkxYevE9oGjoPI_IZD2N4AHhwUx9oJu KgZTLz_R9WK4hQ8bhv3WVkjfwKzIbTsfGw3m1H7Mf.HKleMR7j9XxFq5nBMX9h9EjESRPylc68Pt OKeP8b3.uJpKlhnJQeJHxjyZCtXI73WYGRrDEWbjXAdIPrwjwx7Zi1sHUi.P0yYZDb85NXfEpZkI TJsemluvMREqwLh_8q9jHRqMS6a.5LCkQVJlNokyXL9c3V0TXtV1OlB6q6V4we4nDF9AVFyr6iUa 1_gv5aOSCceWqCdrgCdztIkCy71EALuVbVVzIRFR5dFWZ4iQ5N0cBcnG.79v2gn_OPdpb00zFsZj DOrQCnv6plSyzSDFOhIL2zSPRFfxtTVUwWmBovGRN1DoE2VUOpnUdBldNXuTCuj.Em7jR1D2ACZA UjdTGtvhe3PEnvZ6U1sssgguDWM5UMU6N7JbofAxQthU7Cba914yGWwR8sOPCMF.Co5e.31vFUap TJmjhKuus2Y5x2OsIX2wXckGuaf_MLDlXFn7xd2TwGbpl3Tj2N7zMMmxEd5Zx26ZdqPhvUeb6Xqr hiezlD6925pVtKtrqDhv.o7Y.C5kCiSfRi2ISws4kKx9ZJ6G.SU1qx7Htr4SuQt.Ox2hf4r3BgUA i4Zf6NnrK4BNKQYKXtrO6ToZ9itwv4gE0cVgeuHgvjrywofybaphW2BJImnsRN_nYn0HTIVgv_mt owrFmb7cK.pXEL2kayou_QuJ6lHlq_14W3NAVpyfguXZWqxsF4j7EP38CtmHTq2ePt2F4rv5Gs2j 889aNFHjbtQ6CAN5BbyaPmjuQ_q4LWwYgDzFmDitHwzDE_RE5gtNvblI_0AH5vQYUvqclqGFYwC_ _KhIev2tgbsE2n0YFimpb4DE6Q1UZJz7J8b8jEcRWcgD.lv5IqctMOi7BrjbM_._qNOBhDSd4tXg 1IfBZv7QIEdBqbD7IzbveAGV9EixbKJFjMCqAz6udURfqicbhzyMMvWO8b39ZeRSLvtmYDQtiiOh dY6RE4COtR5c7MWgMo2QvM5HbqfhAzzxqGiK5GUJDeNdTM9dFNvuU1qEqMfaXhHbrOkm23AsoXk7 keNasqcqVFRSiy_FjNR9VYGn8eOhBVE4Wgy8BlKBUda_Hz63ZRDAo9K0fUmu89YJGcqhU90Mtvn6 5RrrJHyR1UUKHISYuCzE69x7WNLgVdqepF_SfJ_vcxzwJRQkeUITmSflC.HWGJ7P7PEsW4q2lqKz 7xG5nNobMaCh6IMHLY9bPI3zT.0py3iwBmoR98DcPD5.mDRiyir0NaRdyGsP_h3TUDoZumtJYnN9 WXMZB5XKVDasu3fXH3Gc2Km6mddQiv0_IV4XvMhXydFWJlnkMh4My.5Fb9VB3LOZSV1TsqGgC2Jp AkGi77XxT2JDSLIE9qipSjpNZ9NX0d6AYkfoCt8YR4WiUcuX0W_097Q9jeZR2abaZFS0cuZBLAo6 V4B4qlog0PQGGxnk1Ff_GPR4Z7tirm8GEfEiqaA4QAdO.FexyPIdrgy5TXZeoAqx6z2J9aWaP.fT 2.i_mpSiOaFuGiXgnWEpFIp2z5z1rlCb.2JG_pK1szNliS.Ue9Hl9Eu2ipJChJxFerppbTg3M8lt 5L6LgRmH_WTA0CCwoOLLE.cKgXM1O X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic317.consmr.mail.ne1.yahoo.com with HTTP; Thu, 13 May 2021 20:35:57 +0000 Received: by kubenode502.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 82ee62b5c0a8268c1df3e319376022b6; Thu, 13 May 2021 20:35:52 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Subject: [PATCH v26 25/25] AppArmor: Remove the exclusive flag Date: Thu, 13 May 2021 13:08:07 -0700 Message-Id: <20210513200807.15910-26-casey@schaufler-ca.com> In-Reply-To: <20210513200807.15910-1-casey@schaufler-ca.com> References: <20210513200807.15910-1-casey@schaufler-ca.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: linux-audit@redhat.com Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com, sds@tycho.nsa.gov X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit With the inclusion of the interface LSM process attribute mechanism AppArmor no longer needs to be treated as an "exclusive" security module. Remove the flag that indicates it is exclusive. Remove the stub getpeersec_dgram AppArmor hook as it has no effect in the single LSM case and interferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 65a004597e53..15af5a5cb0c0 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1138,22 +1138,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, return error; } -/** - * apparmor_socket_getpeersec_dgram - get security label of packet - * @sock: the peer socket - * @skb: packet data - * @secid: pointer to where to put the secid of the packet - * - * Sets the netlabel socket state on sk from parent - */ -static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) - -{ - /* TODO: requires secid support */ - return -ENOPROTOOPT; -} - /** * apparmor_sock_graft - Initialize newly created socket * @sk: child sock @@ -1257,8 +1241,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { #endif LSM_HOOK_INIT(socket_getpeersec_stream, apparmor_socket_getpeersec_stream), - LSM_HOOK_INIT(socket_getpeersec_dgram, - apparmor_socket_getpeersec_dgram), LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), @@ -1928,7 +1910,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .enabled = &apparmor_enabled, .blobs = &apparmor_blob_sizes, .init = apparmor_init, -- 2.29.2 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit