On Thu, Oct 23, 2014 at 12:35:29PM -0400, John Johansen wrote: > From e81978b2341136b8abdd3669f011c053309a5129 Mon Sep 17 00:00:00 2001 > From: John Johansen <john.johan...@canonical.com> > Date: Thu, 23 Oct 2014 12:33:08 -0400 > Subject: [PATCH] apparmor: add parameter to control whether policy hashing is > used > > v2. Add kconfig option to set default parameter value > > Signed-off-by: John Johansen <john.johan...@canonical.com> > --- > security/apparmor/Kconfig | 21 +++++++++++++++++---- > security/apparmor/include/apparmor.h | 1 + > security/apparmor/lsm.c | 4 ++++ > security/apparmor/policy_unpack.c | 5 +++-- > 4 files changed, 25 insertions(+), 6 deletions(-) > > diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig > index a738fee..2cdcda6 100644 > --- a/security/apparmor/Kconfig > +++ b/security/apparmor/Kconfig > @@ -66,13 +66,26 @@ config SECURITY_APPARMOR_UNCONFINED_INIT > If you are unsure how to answer this question, answer Y. > > config SECURITY_APPARMOR_HASH > - bool "SHA1 hash of loaded profiles" > + bool "enable introspection of sha1 hashes for loaded profiles" > depends on SECURITY_APPARMOR > depends on CRYPTO > select CRYPTO_SHA1 > default y > > help > - This option selects whether sha1 hashing is done against loaded > - profiles and exported for inspection to user space via the apparmor > - filesystem. > + This option selects whether introspection of load policy > + is available to userspace via the apparmor filesystem. > +
This sentence reads oddly; I suggest either "instrospection of policy" or "introspection of loaded policy". Thanks > +config SECURITY_APPARMOR_HASH_DEFAULT > + bool "Enable policy hash introspection by default" > + depends on SECURITY_APPARMOR_HASH > + default y > + > + help > + This option selects whether sha1 hashing of loaded policy > + is enabled by default. The generation of sha1 hashes for > + loaded policy provide system administrators a quick way > + to verify that policy in the kernel matches what is expected, > + however it can slow down policy load on some devices. In > + these cases policy hashing can be disabled by default and > + enabled only if needed. > diff --git a/security/apparmor/include/apparmor.h > b/security/apparmor/include/apparmor.h > index a59a330..7d2f457 100644 > --- a/security/apparmor/include/apparmor.h > +++ b/security/apparmor/include/apparmor.h > @@ -52,6 +52,7 @@ > extern enum audit_mode aa_g_audit; > extern bool aa_g_audit_header; > extern bool aa_g_debug; > +extern bool aa_g_hash_policy; > extern bool aa_g_lock_policy; > extern bool aa_g_logsyscall; > extern bool aa_g_paranoid_load; > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c > index cd2b4f4..4fa9573 100644 > --- a/security/apparmor/lsm.c > +++ b/security/apparmor/lsm.c > @@ -1248,6 +1248,10 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; > module_param_call(mode, param_set_mode, param_get_mode, > &aa_g_profile_mode, S_IRUSR | S_IWUSR); > > +/* whether policy verification hashing is enabled */ > +bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; > +module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); > + > /* Debug mode */ > bool aa_g_debug; > module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); > diff --git a/security/apparmor/policy_unpack.c > b/security/apparmor/policy_unpack.c > index 188d36e..7f63b67 100644 > --- a/security/apparmor/policy_unpack.c > +++ b/security/apparmor/policy_unpack.c > @@ -832,8 +832,9 @@ int aa_unpack(void *udata, size_t size, struct list_head > *lh, const char **ns) > if (error) > goto fail_profile; > > - error = aa_calc_profile_hash(profile, e.version, start, > - e.pos - start); > + if (aa_g_hash_policy) > + error = aa_calc_profile_hash(profile, e.version, start, > + e.pos - start); > if (error) > goto fail_profile; > > -- > 2.1.0 > > > > -- > AppArmor mailing list > AppArmor@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor >
signature.asc
Description: Digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
