Message ID | 20200724203226.16374-24-casey@schaufler-ca.com (mailing list archive)
---|---
State | Superseded
Series | LSM: Module stacking for AppArmor
On 7/24/20 1:32 PM, Casey Schaufler wrote:
> With the inclusion of the "display" process attribute
> mechanism AppArmor no longer needs to be treated as an
> "exclusive" security module. Remove the flag that indicates
> it is exclusive. Remove the stub getpeersec_dgram AppArmor
> hook as it has no effect in the single LSM case and
> interferes in the multiple LSM case.
>
probably should change this to Acked-by: John Johansen <john.johansen@canonical.com>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> security/apparmor/lsm.c | 20 +-------------------
> 1 file changed, 1 insertion(+), 19 deletions(-)
>
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 7ce570b0f491..4b7cbe9bb1be 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1129,22 +1129,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
> return error;
> }
>
> -/**
> - * apparmor_socket_getpeersec_dgram - get security label of packet
> - * @sock: the peer socket
> - * @skb: packet data
> - * @secid: pointer to where to put the secid of the packet
> - *
> - * Sets the netlabel socket state on sk from parent
> - */
> -static int apparmor_socket_getpeersec_dgram(struct socket *sock,
> - struct sk_buff *skb, u32 *secid)
> -
> -{
> - /* TODO: requires secid support */
> - return -ENOPROTOOPT;
> -}
> -
> /**
> * apparmor_sock_graft - Initialize newly created socket
> * @sk: child sock
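Review bot: the commit message says the removed stub "interferes in the multiple LSM case" but not how; since the body of apparmor_socket_getpeersec_dgram is an unconditional `return -ENOPROTOOPT;` behind a "TODO: requires secid support" comment, one sentence in the log stating that this constant error is handed back before a stacked module that does implement socket_getpeersec_dgram gets to answer would let a reader verify the motivation from the patch alone. The stale kernel-doc line "Sets the netlabel socket state on sk from parent", which never described this function's body, goes with it, which is fine.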
> @@ -1248,8 +1232,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
> #endif
> LSM_HOOK_INIT(socket_getpeersec_stream,
> apparmor_socket_getpeersec_stream),
> - LSM_HOOK_INIT(socket_getpeersec_dgram,
> - apparmor_socket_getpeersec_dgram),
> LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
> #ifdef CONFIG_NETWORK_SECMARK
> LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
> @@ -1918,7 +1900,7 @@ static int __init apparmor_init(void)
>
> DEFINE_LSM(apparmor) = {
> .name = "apparmor",
> - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
> + .flags = LSM_FLAG_LEGACY_MAJOR,
> .enabled = &apparmor_enabled,
> .blobs = &apparmor_blob_sizes,
> .init = apparmor_init,
>
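Review bot: in the apparmor_hooks[] hunk, LSM_HOOK_INIT(socket_getpeersec_stream, ...) stays registered while only the dgram entry is dropped, and the commit message justifies just the dgram removal; a line saying why the stream hook is different (the first hunk shows apparmor_socket_getpeersec_stream ending in `return error;`, i.e. a computed result rather than a constant -ENOPROTOOPT) would stop a reader from taking the asymmetry for an oversight.

Review bot: in the DEFINE_LSM hunk, dropping LSM_FLAG_EXCLUSIVE changes which LSM combinations the kernel will accept at boot, yet the diffstat shows only security/apparmor/lsm.c touched; if any Kconfig help or Documentation text still describes AppArmor as exclusive of SELinux and Smack it should be updated in the same series. LSM_FLAG_LEGACY_MAJOR is kept, so the legacy security= selection of AppArmor is unchanged; worth one clause in the log to say that is deliberate.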
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 7ce570b0f491..4b7cbe9bb1be 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1129,22 +1129,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, return error; } -/** - * apparmor_socket_getpeersec_dgram - get security label of packet - * @sock: the peer socket - * @skb: packet data - * @secid: pointer to where to put the secid of the packet - * - * Sets the netlabel socket state on sk from parent - */ -static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) - -{ - /* TODO: requires secid support */ - return -ENOPROTOOPT; -} - /** * apparmor_sock_graft - Initialize newly created socket * @sk: child sock @@ -1248,8 +1232,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { #endif LSM_HOOK_INIT(socket_getpeersec_stream, apparmor_socket_getpeersec_stream), - LSM_HOOK_INIT(socket_getpeersec_dgram, - apparmor_socket_getpeersec_dgram), LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), @@ -1918,7 +1900,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .enabled = &apparmor_enabled, .blobs = &apparmor_blob_sizes, .init = apparmor_init,