[apparmor] [patch] apparmor: add parameter to control whether policy hashing is used

Thu Oct 23 16:35:29 UTC 2014

>From e81978b2341136b8abdd3669f011c053309a5129 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
Date: Thu, 23 Oct 2014 12:33:08 -0400
Subject: [PATCH] apparmor: add parameter to control whether policy hashing is
 used

v2. Add kconfig option to set default parameter value

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/Kconfig            | 21 +++++++++++++++++----
 security/apparmor/include/apparmor.h |  1 +
 security/apparmor/lsm.c              |  4 ++++
 security/apparmor/policy_unpack.c    |  5 +++--
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index a738fee..2cdcda6 100644
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -66,13 +66,26 @@ config SECURITY_APPARMOR_UNCONFINED_INIT
 	  If you are unsure how to answer this question, answer Y.
 
 config SECURITY_APPARMOR_HASH
-	bool "SHA1 hash of loaded profiles"
+	bool "enable introspection of sha1 hashes for loaded profiles"
 	depends on SECURITY_APPARMOR
 	depends on CRYPTO
 	select CRYPTO_SHA1
 	default y
 
 	help
-	  This option selects whether sha1 hashing is done against loaded
-          profiles and exported for inspection to user space via the apparmor
-          filesystem.
+	  This option selects whether introspection of load policy
+	  is available to userspace via the apparmor filesystem.
+
+config SECURITY_APPARMOR_HASH_DEFAULT
+	bool "Enable policy hash introspection by default"
+	depends on SECURITY_APPARMOR_HASH
+	default y
+
+	help
+	  This option selects whether sha1 hashing of loaded policy
+	  is enabled by default. The generation of sha1 hashes for
+	  loaded policy provide system administrators a quick way
+	  to verify that policy in the kernel matches what is expected,
+	  however it can slow down policy load on some devices. In
+	  these cases policy hashing can be disabled by default and
+	  enabled only if needed.
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index a59a330..7d2f457 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -52,6 +52,7 @@
 extern enum audit_mode aa_g_audit;
 extern bool aa_g_audit_header;
 extern bool aa_g_debug;
+extern bool aa_g_hash_policy;
 extern bool aa_g_lock_policy;
 extern bool aa_g_logsyscall;
 extern bool aa_g_paranoid_load;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index cd2b4f4..4fa9573 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1248,6 +1248,10 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
 module_param_call(mode, param_set_mode, param_get_mode,
 		  &aa_g_profile_mode, S_IRUSR | S_IWUSR);
 
+/* whether policy verification hashing is enabled */
+bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
+module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
+
 /* Debug mode */
 bool aa_g_debug;
 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 188d36e..7f63b67 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -832,8 +832,9 @@ int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns)
 		if (error)
 			goto fail_profile;
 
-		error = aa_calc_profile_hash(profile, e.version, start,
-					     e.pos - start);
+		if (aa_g_hash_policy)
+			error = aa_calc_profile_hash(profile, e.version, start,
+						     e.pos - start);
 		if (error)
 			goto fail_profile;
 
-- 
2.1.0



