From: Loic <hackurx@opensec.fr>
To: stable@vger.kernel.org, arnd@arndb.de,
john.johansen@canonical.com, james.l.morris@oracle.com
Subject: [PATCH] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
Date: Sun, 09 Sep 2018 16:04:18 +0200 [thread overview]
Message-ID: <77adc4c42d68501927b5a9150f9f0d62@search.opensec.fr> (raw)
Hello,
Tested without any problem so please picked up this for 4.4 to fix the
problem.
The patch below is slightly modified to adapt to this version.
[ Upstream commit 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 ]
The newly added Kconfig option could never work and just causes a build
error
when disabled:
security/apparmor/lsm.c:675:25: error:
'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a
function)
bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
The problem is that the macro undefined in this case, and we need to use
the IS_ENABLED()
helper to turn it into a boolean constant.
Another minor problem with the original patch is that the option is even
offered
in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides
the option
in that case.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy
hashing is used")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
---
diff -Nurp a/security/apparmor/crypto.c b/security/apparmor/crypto.c
--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profi
int error = -ENOMEM;
u32 le32_version = cpu_to_le32(version);
+ if (!aa_g_hash_policy)
+ return 0;
+
if (!apparmor_tfm)
return 0;
diff -Nurp a/security/apparmor/lsm.c b/security/apparmor/lsm.c
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -692,6 +692,12 @@ enum profile_mode aa_g_profile_mode = AP
module_param_call(mode, param_set_mode, param_get_mode,
&aa_g_profile_mode, S_IRUSR | S_IWUSR);
+#ifdef CONFIG_SECURITY_APPARMOR_HASH
+/* whether policy verification hashing is enabled */
+bool aa_g_hash_policy =
IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
+module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR |
S_IWUSR);
+#endif
+
/* Debug mode */
bool aa_g_debug;
module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
---
next reply other threads:[~2018-09-09 18:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-09 14:04 Loic [this message]
2018-09-17 11:49 ` [PATCH] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling Greg KH
2018-09-17 13:40 ` John Johansen
2018-09-17 13:58 ` Greg KH
2018-09-17 13:58 ` Greg KH
2018-09-17 19:45 ` Loic
2018-09-17 21:15 ` Greg KH
2018-09-17 21:37 ` Greg KH
2018-09-17 21:56 ` Nathan Chancellor
2018-09-17 22:12 ` John Johansen
2018-09-21 5:40 ` Loic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=77adc4c42d68501927b5a9150f9f0d62@search.opensec.fr \
--to=hackurx@opensec.fr \
--cc=arnd@arndb.de \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).