[apparmor] [patch] apparmor: add parameter to control whether policy hashing is used
Seth Arnold
seth.arnold at canonical.com
Thu Oct 23 17:44:05 UTC 2014
On Thu, Oct 23, 2014 at 12:35:29PM -0400, John Johansen wrote:
> From e81978b2341136b8abdd3669f011c053309a5129 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Thu, 23 Oct 2014 12:33:08 -0400
> Subject: [PATCH] apparmor: add parameter to control whether policy hashing is
> used
>
> v2. Add kconfig option to set default parameter value
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
> security/apparmor/Kconfig | 21 +++++++++++++++++----
> security/apparmor/include/apparmor.h | 1 +
> security/apparmor/lsm.c | 4 ++++
> security/apparmor/policy_unpack.c | 5 +++--
> 4 files changed, 25 insertions(+), 6 deletions(-)
>
> diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
> index a738fee..2cdcda6 100644
> --- a/security/apparmor/Kconfig
> +++ b/security/apparmor/Kconfig
> @@ -66,13 +66,26 @@ config SECURITY_APPARMOR_UNCONFINED_INIT
> If you are unsure how to answer this question, answer Y.
>
> config SECURITY_APPARMOR_HASH
> - bool "SHA1 hash of loaded profiles"
> + bool "enable introspection of sha1 hashes for loaded profiles"
> depends on SECURITY_APPARMOR
> depends on CRYPTO
> select CRYPTO_SHA1
> default y
>
> help
> - This option selects whether sha1 hashing is done against loaded
> - profiles and exported for inspection to user space via the apparmor
> - filesystem.
> + This option selects whether introspection of load policy
> + is available to userspace via the apparmor filesystem.
> +
This sentence reads oddly; I suggest either "instrospection of policy" or
"introspection of loaded policy".
Thanks
> +config SECURITY_APPARMOR_HASH_DEFAULT
> + bool "Enable policy hash introspection by default"
> + depends on SECURITY_APPARMOR_HASH
> + default y
> +
> + help
> + This option selects whether sha1 hashing of loaded policy
> + is enabled by default. The generation of sha1 hashes for
> + loaded policy provide system administrators a quick way
> + to verify that policy in the kernel matches what is expected,
> + however it can slow down policy load on some devices. In
> + these cases policy hashing can be disabled by default and
> + enabled only if needed.
> diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
> index a59a330..7d2f457 100644
> --- a/security/apparmor/include/apparmor.h
> +++ b/security/apparmor/include/apparmor.h
> @@ -52,6 +52,7 @@
> extern enum audit_mode aa_g_audit;
> extern bool aa_g_audit_header;
> extern bool aa_g_debug;
> +extern bool aa_g_hash_policy;
> extern bool aa_g_lock_policy;
> extern bool aa_g_logsyscall;
> extern bool aa_g_paranoid_load;
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index cd2b4f4..4fa9573 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1248,6 +1248,10 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
> module_param_call(mode, param_set_mode, param_get_mode,
> &aa_g_profile_mode, S_IRUSR | S_IWUSR);
>
> +/* whether policy verification hashing is enabled */
> +bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
> +module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
> +
> /* Debug mode */
> bool aa_g_debug;
> module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index 188d36e..7f63b67 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -832,8 +832,9 @@ int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns)
> if (error)
> goto fail_profile;
>
> - error = aa_calc_profile_hash(profile, e.version, start,
> - e.pos - start);
> + if (aa_g_hash_policy)
> + error = aa_calc_profile_hash(profile, e.version, start,
> + e.pos - start);
> if (error)
> goto fail_profile;
>
> --
> 2.1.0
>
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141023/958fc477/attachment.pgp>
More information about the AppArmor
mailing list