[apparmor] [patch] apparmor: add parameter to control whether policy hashing is used

Seth Arnold seth.arnold at canonical.com
Thu Oct 23 17:44:05 UTC 2014 

On Thu, Oct 23, 2014 at 12:35:29PM -0400, John Johansen wrote:
> From e81978b2341136b8abdd3669f011c053309a5129 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Thu, 23 Oct 2014 12:33:08 -0400
> Subject: [PATCH] apparmor: add parameter to control whether policy hashing is
>  used
> 
> v2. Add kconfig option to set default parameter value
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  security/apparmor/Kconfig            | 21 +++++++++++++++++----
>  security/apparmor/include/apparmor.h |  1 +
>  security/apparmor/lsm.c              |  4 ++++
>  security/apparmor/policy_unpack.c    |  5 +++--
>  4 files changed, 25 insertions(+), 6 deletions(-)
> 
> diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
> index a738fee..2cdcda6 100644
> --- a/security/apparmor/Kconfig
> +++ b/security/apparmor/Kconfig
> @@ -66,13 +66,26 @@ config SECURITY_APPARMOR_UNCONFINED_INIT
>  	  If you are unsure how to answer this question, answer Y.
>  
>  config SECURITY_APPARMOR_HASH
> -	bool "SHA1 hash of loaded profiles"
> +	bool "enable introspection of sha1 hashes for loaded profiles"
>  	depends on SECURITY_APPARMOR
>  	depends on CRYPTO
>  	select CRYPTO_SHA1
>  	default y
>  
>  	help
> -	  This option selects whether sha1 hashing is done against loaded
> -          profiles and exported for inspection to user space via the apparmor
> -          filesystem.
> +	  This option selects whether introspection of load policy
> +	  is available to userspace via the apparmor filesystem.
> +

This sentence reads oddly; I suggest either "instrospection of policy" or
"introspection of loaded policy".

Thanks


> +config SECURITY_APPARMOR_HASH_DEFAULT
> +	bool "Enable policy hash introspection by default"
> +	depends on SECURITY_APPARMOR_HASH
> +	default y
> +
> +	help
> +	  This option selects whether sha1 hashing of loaded policy
> +	  is enabled by default. The generation of sha1 hashes for
> +	  loaded policy provide system administrators a quick way
> +	  to verify that policy in the kernel matches what is expected,
> +	  however it can slow down policy load on some devices. In
> +	  these cases policy hashing can be disabled by default and
> +	  enabled only if needed.
> diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
> index a59a330..7d2f457 100644
> --- a/security/apparmor/include/apparmor.h
> +++ b/security/apparmor/include/apparmor.h
> @@ -52,6 +52,7 @@
>  extern enum audit_mode aa_g_audit;
>  extern bool aa_g_audit_header;
>  extern bool aa_g_debug;
> +extern bool aa_g_hash_policy;
>  extern bool aa_g_lock_policy;
>  extern bool aa_g_logsyscall;
>  extern bool aa_g_paranoid_load;
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index cd2b4f4..4fa9573 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1248,6 +1248,10 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
>  module_param_call(mode, param_set_mode, param_get_mode,
>  		  &aa_g_profile_mode, S_IRUSR | S_IWUSR);
>  
> +/* whether policy verification hashing is enabled */
> +bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
> +module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
> +
>  /* Debug mode */
>  bool aa_g_debug;
>  module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index 188d36e..7f63b67 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -832,8 +832,9 @@ int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns)
>  		if (error)
>  			goto fail_profile;
>  
> -		error = aa_calc_profile_hash(profile, e.version, start,
> -					     e.pos - start);
> +		if (aa_g_hash_policy)
> +			error = aa_calc_profile_hash(profile, e.version, start,
> +						     e.pos - start);
>  		if (error)
>  			goto fail_profile;
>  
> -- 
> 2.1.0
> 
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141023/958fc477/attachment.pgp>

More information about the AppArmor mailing list