AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-11-24 20:30:53 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity

apparmor: add parameter to control whether policy hashing is used

Browse Source 
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
John Johansen 2014-10-24 09:16:14 -07:00
parent bd35db8b8c
commit 6059f71f1e
4 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
security/apparmor/Kconfig
View File

@ -31,13 +31,26 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
If you are unsure how to answer this question, answer 1. If you are unsure how to answer this question, answer 1.
config SECURITY_APPARMOR_HASH config SECURITY_APPARMOR_HASH
bool "SHA1 hash of loaded profiles" bool "Enable introspection of sha1 hashes for loaded profiles"
depends on SECURITY_APPARMOR depends on SECURITY_APPARMOR
select CRYPTO select CRYPTO
select CRYPTO_SHA1 select CRYPTO_SHA1
default y default y
help help
This option selects whether sha1 hashing is done against loaded This option selects whether introspection of loaded policy
profiles and exported for inspection to user space via the apparmor is available to userspace via the apparmor filesystem.
filesystem.
config SECURITY_APPARMOR_HASH_DEFAULT
bool "Enable policy hash introspection by default"
depends on SECURITY_APPARMOR_HASH
default y
help
This option selects whether sha1 hashing of loaded policy
is enabled by default. The generation of sha1 hashes for
loaded policy provide system administrators a quick way
to verify that policy in the kernel matches what is expected,
however it can slow down policy load on some devices. In
these cases policy hashing can be disabled by default and
enabled only if needed.

1
security/apparmor/include/apparmor.h
View File

@ -37,6 +37,7 @@
extern enum audit_mode aa_g_audit; extern enum audit_mode aa_g_audit;
extern bool aa_g_audit_header; extern bool aa_g_audit_header;
extern bool aa_g_debug; extern bool aa_g_debug;
extern bool aa_g_hash_policy;
extern bool aa_g_lock_policy; extern bool aa_g_lock_policy;
extern bool aa_g_logsyscall; extern bool aa_g_logsyscall;
extern bool aa_g_paranoid_load; extern bool aa_g_paranoid_load;

4
security/apparmor/lsm.c
View File

@ -669,6 +669,10 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
module_param_call(mode, param_set_mode, param_get_mode, module_param_call(mode, param_set_mode, param_get_mode,
&aa_g_profile_mode, S_IRUSR | S_IWUSR); &aa_g_profile_mode, S_IRUSR | S_IWUSR);
/* whether policy verification hashing is enabled */
bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
/* Debug mode */ /* Debug mode */
bool aa_g_debug; bool aa_g_debug;
module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);

5
security/apparmor/policy_unpack.c
View File

@ -775,8 +775,9 @@ int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns)
if (error) if (error)
goto fail_profile; goto fail_profile;
error = aa_calc_profile_hash(profile, e.version, start, if (aa_g_hash_policy)
e.pos - start); error = aa_calc_profile_hash(profile, e.version, start,
e.pos - start);
if (error) if (error)
goto fail_profile; goto fail_profile;