On 7/24/20 1:32 PM, Casey Schaufler wrote:
> With the inclusion of the "display" process attribute
> mechanism AppArmor no longer needs to be treated as an
> "exclusive" security module. Remove the flag that indicates
> it is exclusive. Remove the stub getpeersec_dgram AppArmor
> hook as it has no effect in the single LSM case and
> interferes in the multiple LSM case.
>
probably should change this to Acked-by: John Johansen <john.johansen@xxxxxxxxxxxxx>

> Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> ---
> security/apparmor/lsm.c | 20 +-------------------
> 1 file changed, 1 insertion(+), 19 deletions(-)
>
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 7ce570b0f491..4b7cbe9bb1be 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1129,22 +1129,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, > return error; > } > > -/** > - * apparmor_socket_getpeersec_dgram - get security label of packet > - * @sock: the peer socket > - * @skb: packet data > - * @secid: pointer to where to put the secid of the packet > - * > - * Sets the netlabel socket state on sk from parent > - */ > -static int apparmor_socket_getpeersec_dgram(struct socket *sock, > - struct sk_buff *skb, u32 *secid) > - > -{ > - /* TODO: requires secid support */ > - return -ENOPROTOOPT; > -} > - > /** > * apparmor_sock_graft - Initialize newly created socket > * @sk: child sock
> @@ -1248,8 +1232,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { > #endif > LSM_HOOK_INIT(socket_getpeersec_stream, > apparmor_socket_getpeersec_stream), > - LSM_HOOK_INIT(socket_getpeersec_dgram, > - apparmor_socket_getpeersec_dgram), > LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), > #ifdef CONFIG_NETWORK_SECMARK > LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), > @@ -1918,7 +1900,7 @@ static int __init apparmor_init(void) > > DEFINE_LSM(apparmor) = { > .name = "apparmor", > - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, > + .flags = LSM_FLAG_LEGACY_MAJOR, > .enabled = &apparmor_enabled, > .blobs = &apparmor_blob_sizes, > .init = apparmor_init, >
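Review bot: For the hunk at @@ -1129,22 +1129,6 @@, the commit message's claim that the stub "has no effect in the single LSM case" is left for the reader to verify; since the function being deleted unconditionally returns -ENOPROTOOPT behind a "requires secid support" TODO, it would be worth stating that the LSM infrastructure's default return for an unregistered socket_getpeersec_dgram hook is that same -ENOPROTOOPT, which is exactly why removal is a no-op when AppArmor runs alone and why keeping a registered hook that always fails would short-circuit the hook walk ahead of another module that does implement it when stacked. Nothing of value is lost with the kernel-doc, which ("Sets the netlabel socket state on sk from parent") described a different function than the one it was attached to.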
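Review bot: For the hunk at @@ -1918,7 +1900,7 @@, dropping LSM_FLAG_EXCLUSIVE while keeping LSM_FLAG_LEGACY_MAJOR is the one-line change that lets AppArmor be loaded alongside another major module, and the commit message justifies it solely by the "display" process attribute mechanism; please name that dependency explicitly (which patch in the series introduces it, and that this patch must not be applied or backported ahead of it), because taken on its own this hunk removes the only guard that kept two modules with conflicting process-attribute semantics from being enabled together.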