From: "Serge E. Hallyn" <serue@us.ibm.com>
To: john.johansen@canonical.com
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH 12/12] Kconfig and Makefiles to enable configuration and building of AppArmor.
Date: Mon, 22 Feb 2010 16:16:57 -0600 [thread overview]
Message-ID: <20100222221657.GB22194@us.ibm.com> (raw)
In-Reply-To: <1266572188-26529-13-git-send-email-john.johansen@canonical.com>
Quoting john.johansen@canonical.com (john.johansen@canonical.com):
> From: John Johansen <john.johansen@canonical.com>
>
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
> security/Kconfig | 6 ++++
> security/Makefile | 2 +
> security/apparmor/.gitignore | 5 +++
> security/apparmor/Kconfig | 62 ++++++++++++++++++++++++++++++++++++++++++
> security/apparmor/Makefile | 25 +++++++++++++++++
> 5 files changed, 100 insertions(+), 0 deletions(-)
> create mode 100644 security/apparmor/.gitignore
> create mode 100644 security/apparmor/Kconfig
> create mode 100644 security/apparmor/Makefile
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 226b955..bd72ae6 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -140,6 +140,7 @@ config LSM_MMAP_MIN_ADDR
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
> +source security/apparmor/Kconfig
>
> source security/integrity/ima/Kconfig
>
> @@ -148,6 +149,7 @@ choice
> default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
> default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
> default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> + default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
> default DEFAULT_SECURITY_DAC
>
> help
> @@ -163,6 +165,9 @@ choice
> config DEFAULT_SECURITY_TOMOYO
> bool "TOMOYO" if SECURITY_TOMOYO=y
>
> + config DEFAULT_SECURITY_APPARMOR
> + bool "AppArmor" if SECURITY_APPARMOR=y
> +
> config DEFAULT_SECURITY_DAC
> bool "Unix Discretionary Access Controls"
>
> @@ -173,6 +178,7 @@ config DEFAULT_SECURITY
> default "selinux" if DEFAULT_SECURITY_SELINUX
> default "smack" if DEFAULT_SECURITY_SMACK
> default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> + default "apparmor" if DEFAULT_SECURITY_APPARMOR
> default "" if DEFAULT_SECURITY_DAC
>
> endmenu
> diff --git a/security/Makefile b/security/Makefile
> index da20a19..8bb0fe9 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -6,6 +6,7 @@ obj-$(CONFIG_KEYS) += keys/
> subdir-$(CONFIG_SECURITY_SELINUX) += selinux
> subdir-$(CONFIG_SECURITY_SMACK) += smack
> subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
> +subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
>
> # always enable default capabilities
> obj-y += commoncap.o
> @@ -19,6 +20,7 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
> obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
> obj-$(CONFIG_AUDIT) += lsm_audit.o
> obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
> +obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o
> obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
>
> # Object integrity file lists
> diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
> new file mode 100644
> index 0000000..0a0a99f
> --- /dev/null
> +++ b/security/apparmor/.gitignore
> @@ -0,0 +1,5 @@
> +#
> +# Generated include files
> +#
> +af_names.h
> +capability_names.h
> diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
> new file mode 100644
> index 0000000..01c8754
> --- /dev/null
> +++ b/security/apparmor/Kconfig
> @@ -0,0 +1,62 @@
> +config SECURITY_APPARMOR
> + bool "AppArmor support"
> + depends on SECURITY && SECURITY_NETWORK && NET && INET
> + select AUDIT
> + select SECURITY_PATH
> + select SECURITYFS
> + default n
> + help
> + This enables the AppArmor security module.
> + Required userspace tools (if they are not included in your
> + distribution) and further information may be found at
> + <http://forge.novell.com/modules/xfmod/project/?apparmor>
> +
> + If you are unsure how to answer this question, answer N.
> +
> +config SECURITY_APPARMOR_NETWORK
> + bool "AppArmor network support"
> + depends on SECURITY_APPARMOR
> + default n
> + help
> + This enables AppArmor to mediate applications network use.
> + This will enable the SECURITY_NETWORK hooks.
Is there a compelling reason to have SECURITY_APPARMOR_NETWORK? Does
it impact performance? Is there older userspace that will just break?
-serge
next prev parent reply other threads:[~2010-02-22 22:17 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-19 9:36 [AppArmor #4 0/12] AppArmor security module john.johansen
2010-02-19 9:36 ` [PATCH 01/12] Miscellaneous functions and defines needed by AppArmor, including the base path resolution routines john.johansen
2010-02-19 11:03 ` Al Viro
2010-02-20 12:17 ` John Johansen
2010-02-20 17:25 ` John Johansen
2010-02-20 19:10 ` John Johansen
2010-02-20 12:24 ` John Johansen
2010-02-19 9:36 ` [PATCH 02/12] Update kenel audit range comments to show AppArmor's registered range of 1500-1599. This range used to be reserved for LSPP but LSPP uses the SELinux range and the range was given to AppArmor. Patch is not in mainline -- pending AppArmor code submission to lkml john.johansen
2010-02-19 9:36 ` [PATCH 03/12] AppArmor contexts attach profiles and state to tasks, files, etc. when a direct profile reference is not sufficient john.johansen
2010-02-19 9:36 ` [PATCH 04/12] The basic routines and defines for AppArmor policy. AppArmor policy is defined by a few basic components. profiles - the basic unit of confinement contain all the information to enforce policy on a task john.johansen
2010-02-19 9:36 ` [PATCH 05/12] A basic dfa matching engine based off the dfa engine in the Dragon Book. It uses simple row comb compression with a check field john.johansen
2010-02-19 9:36 ` [PATCH 06/12] AppArmor policy is loaded in a platform independent flattened binary stream. Verify and unpack the data converting it to the internal format needed for enforcement john.johansen
2010-02-19 9:36 ` [PATCH 07/12] AppArmor /proc/<pid>/attr/* and apparmorfs interfaces to userspace john.johansen
2010-02-19 9:36 ` [PATCH 08/12] AppArmor: file enforcement routines john.johansen
2010-02-19 9:36 ` [PATCH 09/12] AppArmor ipc, rlimit, network and capability routines john.johansen
2010-02-19 9:36 ` [PATCH 10/12] AppArmor routines for controlling domain transitions john.johansen
2010-02-19 9:36 ` [PATCH 11/12] AppArmor hooks to interface with the LSM, module parameters and initialization john.johansen
2010-02-22 22:14 ` Serge E. Hallyn
2010-02-23 7:58 ` John Johansen
2010-02-19 9:36 ` [PATCH 12/12] Kconfig and Makefiles to enable configuration and building of AppArmor john.johansen
2010-02-22 22:16 ` Serge E. Hallyn [this message]
2010-02-23 7:45 ` John Johansen
2010-03-03 7:50 ` Kees Cook
2010-02-23 1:59 ` [AppArmor #4 0/12] AppArmor security module Tetsuo Handa
2010-02-23 8:38 ` John Johansen
2010-02-23 8:31 ` Tetsuo Handa
2010-02-23 9:17 ` John Johansen
2010-02-26 3:22 ` Tetsuo Handa
2010-02-26 6:31 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100222221657.GB22194@us.ibm.com \
--to=serue@us.ibm.com \
--cc=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.