From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com, sds@tycho.nsa.gov
Subject: [PATCH v29 28/28] AppArmor: Remove the exclusive flag
Date: Fri, 24 Sep 2021 10:54:41 -0700
Message-Id: <20210924175441.7943-29-casey@schaufler-ca.com>
In-Reply-To: <20210924175441.7943-1-casey@schaufler-ca.com>
References: <20210924175441.7943-1-casey@schaufler-ca.com>

With the inclusion of the interface LSM process attribute mechanism AppArmor no longer needs to be treated as an "exclusive" security module. Remove the flag that indicates it is exclusive.

Remove the stub getpeersec_dgram AppArmor hook as it has no effect in the single LSM case and interferes in the multiple LSM case.

Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 65a004597e53..15af5a5cb0c0 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1138,22 +1138,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, return error; } -/** - * apparmor_socket_getpeersec_dgram - get security label of packet - * @sock: the peer socket - * @skb: packet data - * @secid: pointer to where to put the secid of the packet - * - * Sets the netlabel socket state on sk from parent - */ -static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) - -{ - /* TODO: requires secid support */ - return -ENOPROTOOPT; -} - /** * apparmor_sock_graft - Initialize newly created socket * @sk: child sock @@ -1257,8 +1241,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { #endif LSM_HOOK_INIT(socket_getpeersec_stream, apparmor_socket_getpeersec_stream), - LSM_HOOK_INIT(socket_getpeersec_dgram, - apparmor_socket_getpeersec_dgram), LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), @@ -1928,7 +1910,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .enabled = &apparmor_enabled, .blobs = &apparmor_blob_sizes, .init = apparmor_init, -- 2.31.1 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
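
Review bot: In the hunk at @@ -1138,22 +1138,6 @@, deleting apparmor_socket_getpeersec_dgram also deletes the only marker that datagram peer labels are unimplemented for AppArmor, the "TODO: requires secid support" comment. The commit message says the stub interferes in the multiple LSM case but not how. Suggest adding a sentence on what a caller sees once the hook is absent, compared with the stub's -ENOPROTOOPT, and recording the outstanding TODO in the log or in a comment near apparmor_socket_getpeersec_stream so the gap stays visible.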
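
Review bot: In the hunk at @@ -1257,8 +1241,6 @@, the socket_getpeersec_dgram entry is dropped while the socket_getpeersec_stream entry in the context lines just above stays registered, and the commit message only argues the datagram case. Suggest a sentence explaining why the stream hook does not interfere when AppArmor is stacked with another module. Since the subject names only the exclusive flag, the hook removal could also be split into its own patch so the two changes can be bisected separately.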
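
Review bot: In the hunk at @@ -1928,7 +1910,7 @@, the change to ".flags = LSM_FLAG_LEGACY_MAJOR," is unconditional, yet the commit message makes it depend on the interface LSM process attribute mechanism added earlier in this 28-patch series. Suggest naming the patch that introduces that mechanism in the log, so the flag removal is not picked or backported on its own.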