--- v5
+++ v8
@@ -1,62 +1,71 @@
-With the inclusion of the "display" process attribute
-mechanism AppArmor no longer needs to be treated as an
-"exclusive" security module. Remove the flag that indicates
-it is exclusive. Remove the stub getpeersec_dgram AppArmor
-hook as it has no effect in the single LSM case and
-interferes in the multiple LSM case.
+Add an entry /proc/.../attr/context which displays the full
+process security "context" in compound format:'
+ lsm1\0value\0lsm2\0value\0...
+This entry is not writable.
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
- security/apparmor/lsm.c | 20 +-------------------
- 1 file changed, 1 insertion(+), 19 deletions(-)
+ fs/proc/base.c | 1 +
+ security/security.c | 27 +++++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
-diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 5d25959610f9..fb5d5af426c6 100644
---- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -1071,22 +1071,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, char **optval,
- return error;
- }
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 7bf70e041315..79600df5f7a2 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2619,6 +2619,7 @@ static const struct pid_entry attr_dir_stuff[] = {
+ ATTR(NULL, "keycreate", 0666),
+ ATTR(NULL, "sockcreate", 0666),
+ ATTR(NULL, "display", 0666),
++ ATTR(NULL, "context", 0666),
+ #ifdef CONFIG_SECURITY_SMACK
+ DIR("smack", 0555,
+ proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
+diff --git a/security/security.c b/security/security.c
+index 8cb91f33c166..d151ac4a398b 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -2082,6 +2082,10 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ char **value)
+ {
+ struct security_hook_list *hp;
++ char *final = NULL;
++ char *cp;
++ int rc = 0;
++ int finallen = 0;
+ int display = lsm_task_display(current);
+ int slot = 0;
--/**
-- * apparmor_socket_getpeersec_dgram - get security label of packet
-- * @sock: the peer socket
-- * @skb: packet data
-- * @secid: pointer to where to put the secid of the packet
-- *
-- * Sets the netlabel socket state on sk from parent
-- */
--static int apparmor_socket_getpeersec_dgram(struct socket *sock,
-- struct sk_buff *skb, u32 *secid)
--
--{
-- /* TODO: requires secid support */
-- return -ENOPROTOOPT;
--}
--
- /**
- * apparmor_sock_graft - Initialize newly created socket
- * @sk: child sock
-@@ -1190,8 +1174,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
- #endif
- LSM_HOOK_INIT(socket_getpeersec_stream,
- apparmor_socket_getpeersec_stream),
-- LSM_HOOK_INIT(socket_getpeersec_dgram,
-- apparmor_socket_getpeersec_dgram),
- LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
- #ifdef CONFIG_NETWORK_SECMARK
- LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
-@@ -1702,7 +1684,7 @@ static int __init apparmor_init(void)
+@@ -2099,6 +2103,29 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ return -ENOMEM;
+ }
- DEFINE_LSM(apparmor) = {
- .name = "apparmor",
-- .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
-+ .flags = LSM_FLAG_LEGACY_MAJOR,
- .enabled = &apparmor_enabled,
- .blobs = &apparmor_blob_sizes,
- .init = apparmor_init,
++ if (!strcmp(name, "context")) {
++ hlist_for_each_entry(hp, &security_hook_heads.getprocattr,
++ list) {
++ rc = hp->hook.getprocattr(p, "current", &cp);
++ if (rc == -EINVAL || rc == -ENOPROTOOPT)
++ continue;
++ if (rc < 0) {
++ kfree(final);
++ return rc;
++ }
++ rc = append_ctx(&final, &finallen, hp->lsmid->lsm,
++ cp, rc);
++ if (rc < 0) {
++ kfree(final);
++ return rc;
++ }
++ }
++ if (final == NULL)
++ return -EINVAL;
++ *value = final;
++ return finallen;
++ }
++
+ hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
+ continue;
--
2.20.1
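Review bot: In the new "context" branch of security_getprocattr (security/security.c), the buffer each LSM hands back in `cp` is never released after `append_ctx` has copied it into `final`, nor on the early return when `append_ctx` fails, so every read of /proc/.../attr/context would leak one allocation per stacked LSM — unless `append_ctx`, whose definition is outside this hunk, takes ownership of `cp`. If it does not, add `kfree(cp);` directly after the `append_ctx` call, ahead of the `rc < 0` check, so both the success and failure paths release it. Separately, the description states the entry is not writable, yet fs/proc/base.c registers it as `ATTR(NULL, "context", 0666)`, which leaves rejecting writes to the setprocattr path; `ATTR(NULL, "context", 0444)` would express that intent in the inode mode itself and is worth confirming against the write handler. security_getprocattr begins and ends outside the hunk.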