Inter-revision diff: patch 25

Comparing v7 (message) to v26 (message)

--- v7
+++ v26
@@ -1,52 +1,63 @@
-Create /sys/kernel/security/lsm_display_default which contains
-the name of the security module used when no display value
-has been set.
+With the inclusion of the interface LSM process attribute
+mechanism AppArmor no longer needs to be treated as an
+"exclusive" security module. Remove the flag that indicates
+it is exclusive. Remove the stub getpeersec_dgram AppArmor
+hook as it has no effect in the single LSM case and
+interferes in the multiple LSM case.
 
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Acked-by: John Johansen <john.johansen@canonical.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
 ---
- security/inode.c | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
+ security/apparmor/lsm.c | 20 +-------------------
+ 1 file changed, 1 insertion(+), 19 deletions(-)
 
-diff --git a/security/inode.c b/security/inode.c
-index b7772a9b315e..538a4d6796da 100644
---- a/security/inode.c
-+++ b/security/inode.c
-@@ -321,6 +321,22 @@ static const struct file_operations lsm_ops = {
- 	.read = lsm_read,
- 	.llseek = generic_file_llseek,
- };
-+
-+static struct dentry *lsm_display_default_dentry;
-+static ssize_t lsm_display_default_read(struct file *filp, char __user *buf,
-+					size_t count, loff_t *ppos)
-+{
-+	const char *name = security_lsm_slot_name(0);
-+
-+	if (name == NULL)
-+		return 0;
-+	return simple_read_from_buffer(buf, count, ppos, name, strlen(name));
-+}
-+
-+static const struct file_operations lsm_display_default_ops = {
-+	.read = lsm_display_default_read,
-+	.llseek = generic_file_llseek,
-+};
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 65a004597e53..15af5a5cb0c0 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -1138,22 +1138,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
+ 	return error;
+ }
+ 
+-/**
+- * apparmor_socket_getpeersec_dgram - get security label of packet
+- * @sock: the peer socket
+- * @skb: packet data
+- * @secid: pointer to where to put the secid of the packet
+- *
+- * Sets the netlabel socket state on sk from parent
+- */
+-static int apparmor_socket_getpeersec_dgram(struct socket *sock,
+-					    struct sk_buff *skb, u32 *secid)
+-
+-{
+-	/* TODO: requires secid support */
+-	return -ENOPROTOOPT;
+-}
+-
+ /**
+  * apparmor_sock_graft - Initialize newly created socket
+  * @sk: child sock
+@@ -1257,8 +1241,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
  #endif
+ 	LSM_HOOK_INIT(socket_getpeersec_stream,
+ 		      apparmor_socket_getpeersec_stream),
+-	LSM_HOOK_INIT(socket_getpeersec_dgram,
+-		      apparmor_socket_getpeersec_dgram),
+ 	LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
+ #ifdef CONFIG_NETWORK_SECMARK
+ 	LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
+@@ -1928,7 +1910,7 @@ static int __init apparmor_init(void)
  
- static int __init securityfs_init(void)
-@@ -337,8 +353,10 @@ static int __init securityfs_init(void)
- 		return retval;
- 	}
- #ifdef CONFIG_SECURITY
--	lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
--						&lsm_ops);
-+	lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL, &lsm_ops);
-+	lsm_display_default_dentry = securityfs_create_file(
-+					"lsm_display_default", 0444, NULL,
-+					NULL, &lsm_display_default_ops);
- #endif
- 	return 0;
- }
+ DEFINE_LSM(apparmor) = {
+ 	.name = "apparmor",
+-	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
++	.flags = LSM_FLAG_LEGACY_MAJOR,
+ 	.enabled = &apparmor_enabled,
+ 	.blobs = &apparmor_blob_sizes,
+ 	.init = apparmor_init,
 -- 
-2.20.1
+2.29.2
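Review bot: The "has no effect in the single LSM case" claim for dropping apparmor_socket_getpeersec_dgram rests on the removed stub returning `-ENOPROTOOPT`, the same value the hook infrastructure appears to use as its default when no module registers socket_getpeersec_dgram (security_socket_getpeersec_dgram in security/security.c, if it is unchanged by this series); the commit message should say so, since that equivalence is what makes the hook removal behavior-preserving for existing AppArmor-only deployments. A sentence such as `The LSM hook default for an unregistered socket_getpeersec_dgram is already -ENOPROTOOPT, so the stub was redundant` would let a reader verify it without grepping. The removal of LSM_FLAG_EXCLUSIVE changes the attack-surface picture for distributions that build several major LSMs, because AppArmor can now be active alongside another module; the message could name the series patch that introduced the process-attribute interface it relies on so reviewers can check the dependency order. The surrounding functions (apparmor_socket_getpeersec_stream, the apparmor_hooks array and DEFINE_LSM) all begin or end outside the hunks shown.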
 