On 7/24/20 1:32 PM, Casey Schaufler wrote:
> With the inclusion of the "display" process attribute
> mechanism AppArmor no longer needs to be treated as an
> "exclusive" security module. Remove the flag that indicates
> it is exclusive. Remove the stub getpeersec_dgram AppArmor
> hook as it has no effect in the single LSM case and
> interferes in the multiple LSM case.
> 
This probably should be changed to

Acked-by: John Johansen <[email protected]>

> Acked-by: Stephen Smalley <[email protected]>
> Reviewed-by: Kees Cook <[email protected]>
> Reviewed-by: John Johansen <[email protected]>
> Signed-off-by: Casey Schaufler <[email protected]>
> ---
>  security/apparmor/lsm.c | 20 +-------------------
>  1 file changed, 1 insertion(+), 19 deletions(-)
> 
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 7ce570b0f491..4b7cbe9bb1be 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1129,22 +1129,6 @@ static int apparmor_socket_getpeersec_stream(struct 
> socket *sock,
>       return error;
>  }
>  
> -/**
> - * apparmor_socket_getpeersec_dgram - get security label of packet
> - * @sock: the peer socket
> - * @skb: packet data
> - * @secid: pointer to where to put the secid of the packet
> - *
> - * Sets the netlabel socket state on sk from parent
> - */
> -static int apparmor_socket_getpeersec_dgram(struct socket *sock,
> -                                         struct sk_buff *skb, u32 *secid)
> -
> -{
> -     /* TODO: requires secid support */
> -     return -ENOPROTOOPT;
> -}
> -
>  /**
>   * apparmor_sock_graft - Initialize newly created socket
>   * @sk: child sock
> @@ -1248,8 +1232,6 @@ static struct security_hook_list apparmor_hooks[] 
> __lsm_ro_after_init = {
>  #endif
>       LSM_HOOK_INIT(socket_getpeersec_stream,
>                     apparmor_socket_getpeersec_stream),
> -     LSM_HOOK_INIT(socket_getpeersec_dgram,
> -                   apparmor_socket_getpeersec_dgram),
>       LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
>  #ifdef CONFIG_NETWORK_SECMARK
>       LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
> @@ -1918,7 +1900,7 @@ static int __init apparmor_init(void)
>  
>  DEFINE_LSM(apparmor) = {
>       .name = "apparmor",
> -     .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
> +     .flags = LSM_FLAG_LEGACY_MAJOR,
>       .enabled = &apparmor_enabled,
>       .blobs = &apparmor_blob_sizes,
>       .init = apparmor_init,
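Review bot: The flag change at `.flags = LSM_FLAG_LEGACY_MAJOR,` depends on the per-process "display" attribute mechanism named in the commit message, but nothing at the definition site records that dependency, so a later reader of lsm.c sees only that AppArmor stopped being exclusive. I would add a comment above the initializer, e.g. `/* No LSM_FLAG_EXCLUSIVE: AppArmor may be stacked with another major LSM; the "display" process attribute selects whose label the attr interface exposes. */`. If this patch were ever applied ahead of the display mechanism (a bisect, a partial backport), a kernel could boot with two major LSMs active and no way to pick the displayed label, so the ordering requirement seems worth stating in the commit message as well. The DEFINE_LSM initializer continues past the end of the hunk.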
> 
