[apparmor] [PATCH] apparmor: hide aa_unprivileged_uring_restricted from userspace when io_uring is disabled
Ryan Lee
ryan.lee at canonical.com
Fri Sep 13 23:03:15 UTC 2024
The variable aa_unprivileged_uring_restricted is still exposed to
userspace even when CONFIG_IO_URING is disabled, in which case the
variable has no effect. This patch hides both the apparmorfs entry and
the sysctl when CONFIG_IO_URING is disabled.
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
security/apparmor/apparmorfs.c | 2 ++
security/apparmor/lsm.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index be6c3293c9e0..d1ea78c9122f 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2587,8 +2587,10 @@ static struct aa_sfs_entry aa_sfs_entry_domain[] = {
static struct aa_sfs_entry aa_sfs_entry_unconfined[] = {
AA_SFS_FILE_BOOLEAN("change_profile", 1),
AA_SFS_FILE_INTPTR("userns", aa_unprivileged_userns_restricted),
+#ifdef CONFIG_IO_URING
AA_SFS_FILE_INTPTR("io_uring",
aa_unprivileged_uring_restricted),
+#endif
{ }
};
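Review bot: The `#ifdef CONFIG_IO_URING` around the io_uring entry changes what the features file advertises to userspace, and nothing in the hunk records why, so a later reader may take the conditional for an accident; a one-line comment above the `#ifdef`, e.g. `/* only advertise the io_uring restriction when the io_uring hooks are built */`, would fix that. The guard should be the same Kconfig symbol that makes the io_uring LSM hooks in lsm.c conditional, so a restriction is advertised exactly when it is enforced; only the table is visible here, so that correspondence cannot be confirmed from this hunk. Userspace probing this entry will now see it absent on such kernels, which reads as "unsupported" and appears to be the intent.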
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 9b086451f6e3..245207b005e7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2462,6 +2462,7 @@ static struct ctl_table apparmor_sysctl_table[] = {
.mode = 0644,
.proc_handler = userns_restrict_dointvec,
},
+#ifdef CONFIG_IO_URING
{
.procname = "apparmor_restrict_unprivileged_io_uring",
.data = &aa_unprivileged_uring_restricted,
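Review bot: The `#ifdef CONFIG_IO_URING` opened here (closed by the `#endif` in the following hunk) removes the only user-visible writer of `aa_unprivileged_uring_restricted`, but the variable's definition and its header declaration are outside this patch; if those stay unconditional, !CONFIG_IO_URING builds keep a dead int that nothing reads or sets. Guarding the definition and the `extern` with the same symbol would let the compiler reject any stray reference instead of leaving that state behind, and would keep the three sites from drifting apart. The apparmor_sysctl_table definition starts before this hunk.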
@@ -2469,6 +2470,7 @@ static struct ctl_table apparmor_sysctl_table[] = {
.mode = 0600,
.proc_handler = apparmor_dointvec,
},
+#endif
{ }
};
--
2.43.0