diff options
| author | Kees Cook <keescook@chromium.org> | 2018-10-01 20:08:57 -0400 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2019-01-08 16:18:43 -0500 |
| commit | 0102fb83f90050b86ce37aec810ea17bb4448e0c (patch) | |
| tree | 358b34fa8f9ece6d7880aae1b233a802d7462e03 | |
| parent | 14bd99c821f7ace0e8110a1bfdfaa27e1788e20f (diff) | |
apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE
In preparation for removing CONFIG_DEFAULT_SECURITY, this removes the
soon-to-be redundant SECURITY_APPARMOR_BOOTPARAM_VALUE. Since explicit
ordering via CONFIG_LSM or "lsm=" will define whether an LSM is enabled or
not, this CONFIG will become effectively ignored, so remove it. However,
in order to stay backward-compatible with "security=apparmor", the enable
variable defaults to true.
Signed-off-by: Kees Cook <keescook@chromium.org>
| -rw-r--r-- | security/apparmor/Kconfig | 16 | ||||
| -rw-r--r-- | security/apparmor/lsm.c | 2 |
2 files changed, 1 insertions, 17 deletions
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index b6b68a7750ce..3de21f46c82a 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig | |||
| @@ -14,22 +14,6 @@ config SECURITY_APPARMOR | |||
| 14 | 14 | ||
| 15 | If you are unsure how to answer this question, answer N. | 15 | If you are unsure how to answer this question, answer N. |
| 16 | 16 | ||
| 17 | config SECURITY_APPARMOR_BOOTPARAM_VALUE | ||
| 18 | int "AppArmor boot parameter default value" | ||
| 19 | depends on SECURITY_APPARMOR | ||
| 20 | range 0 1 | ||
| 21 | default 1 | ||
| 22 | help | ||
| 23 | This option sets the default value for the kernel parameter | ||
| 24 | 'apparmor', which allows AppArmor to be enabled or disabled | ||
| 25 | at boot. If this option is set to 0 (zero), the AppArmor | ||
| 26 | kernel parameter will default to 0, disabling AppArmor at | ||
| 27 | boot. If this option is set to 1 (one), the AppArmor | ||
| 28 | kernel parameter will default to 1, enabling AppArmor at | ||
| 29 | boot. | ||
| 30 | |||
| 31 | If you are unsure how to answer this question, answer 1. | ||
| 32 | |||
| 33 | config SECURITY_APPARMOR_HASH | 17 | config SECURITY_APPARMOR_HASH |
| 34 | bool "Enable introspection of sha1 hashes for loaded profiles" | 18 | bool "Enable introspection of sha1 hashes for loaded profiles" |
| 35 | depends on SECURITY_APPARMOR | 19 | depends on SECURITY_APPARMOR |
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 149a3e16b5da..cda345767cfc 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
| @@ -1333,7 +1333,7 @@ bool aa_g_paranoid_load = true; | |||
| 1333 | module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); | 1333 | module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); |
| 1334 | 1334 | ||
| 1335 | /* Boot time disable flag */ | 1335 | /* Boot time disable flag */ |
| 1336 | static int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; | 1336 | static int apparmor_enabled __lsm_ro_after_init = 1; |
| 1337 | module_param_named(enabled, apparmor_enabled, int, 0444); | 1337 | module_param_named(enabled, apparmor_enabled, int, 0444); |
| 1338 | 1338 | ||
| 1339 | static int __init apparmor_enabled_setup(char *str) | 1339 | static int __init apparmor_enabled_setup(char *str) |