| author | Arnd Bergmann <arnd@arndb.de> | 2016-07-25 13:59:07 -0400 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2016-07-27 03:39:26 -0400 |
| commit | 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 (patch) | |
| tree | 1a286fbe8627e9ab580d9bdb7d00833645cb6477 /security | |
| parent | 82cc1a49b6358394938e759dc4c22b2be773bbad (diff) | |
apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
The newly added Kconfig option could never work and just causes a build error
when disabled:
security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
The problem is that the macro is undefined in this case, and we need to use the IS_ENABLED()
helper to turn it into a boolean constant.
Another minor problem with the original patch is that the option is even offered
in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option
in that case.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/crypto.c | 3 | ||||
| -rw-r--r-- | security/apparmor/lsm.c | 4 | ||||
| -rw-r--r-- | security/apparmor/policy_unpack.c | 3 |
3 files changed, 7 insertions, 3 deletions
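--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
 int error = -ENOMEM;
 u32 le32_version = cpu_to_le32(version);
 
+if (!aa_g_hash_policy)
+return 0;
+
 if (!apparmor_tfm)
 return 0;
 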
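Review bot: The new early return in `aa_calc_profile_hash` reports success without computing anything, so a caller cannot tell "hash stored" from "hashing switched off". Because `hash_policy` is registered with `S_IRUSR | S_IWUSR` in lsm.c, the flag can presumably change between profile loads, leaving some loaded profiles with a hash and others without one. I would add a comment above the check, e.g. `/* hashing disabled: leave the profile without a hash and report success */`, and confirm that every reader of the profile hash tolerates its absence. The function body starts and ends outside this hunk, so how the hash is stored is not visible here.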
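--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -671,9 +671,11 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
 module_param_call(mode, param_set_mode, param_get_mode,
 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
 
+#ifdef CONFIG_SECURITY_APPARMOR_HASH
 /* whether policy verification hashing is enabled */
-bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
+bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
+#endif
 
 /* Debug mode */
 bool aa_g_debug;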
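Review bot: The comment above `aa_g_hash_policy` still reads only `/* whether policy verification hashing is enabled */`, although the variable and the `hash_policy` parameter now exist only under `CONFIG_SECURITY_APPARMOR_HASH` and the initial value comes from `IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT)`. I would extend it to something like `/* whether policy verification hashing is enabled; default from SECURITY_APPARMOR_HASH_DEFAULT, owner-writable at runtime */`, since the `S_IRUSR | S_IWUSR` mode means the value is not fixed at build time. Any other user of `aa_g_hash_policy` must now also be compiled only with that option. The commit handles the reference in policy_unpack.c, but a header declaration or further users are not visible on this page.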
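--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -778,8 +778,7 @@ int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns)
 if (error)
 goto fail_profile;
 
-if (aa_g_hash_policy)
-error = aa_calc_profile_hash(profile, e.version, start,
+error = aa_calc_profile_hash(profile, e.version, start,
 e.pos - start);
 if (error)
 goto fail_profile;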
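Review bot: With the `if (aa_g_hash_policy)` guard removed, nothing at this call site in `aa_unpack` shows that the hash step is optional; the skip now lives inside `aa_calc_profile_hash`. A one-line comment above the call, such as `/* returns 0 without hashing when hash_policy is off */`, would keep the following `if (error) goto fail_profile;` readable. The continuation line `e.pos - start);` is unchanged context, so its indentation presumably still matches the old nested call and may need realigning; whitespace is not visible on this page. `aa_unpack` starts and ends outside the hunk.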
