From: Greg KH <gregkh@linuxfoundation.org>
To: Loic <hackurx@opensec.fr>
Cc: stable@vger.kernel.org, arnd@arndb.de,
	john.johansen@canonical.com, james.l.morris@oracle.com
Subject: Re: [PATCH] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
Date: Mon, 17 Sep 2018 23:15:42 +0200
Message-ID: <20180917211542.GA17153@kroah.com>
In-Reply-To: <20180917214547.d9ba29425cf87881179c27ef@opensec.fr>

On Mon, Sep 17, 2018 at 09:45:47PM +0200, Loic wrote:
> On Mon, 17 Sep 2018 15:58:56 +0200
> Greg KH <gregkh@linuxfoundation.org> wrote:
> 
> > On Sun, Sep 09, 2018 at 04:04:18PM +0200, Loic wrote:
> > > Hello,
> > > 
> > > Tested without any problem, so please pick this up for 4.4 to fix the
> > > problem.
> > > The patch below is slightly modified to adapt to this version.
> > > 
> > > [ Upstream commit 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 ]
> > > 
> > > The newly added Kconfig option could never work and just causes a build
> > > error when disabled:
> > > 
> > > security/apparmor/lsm.c:675:25: error:
> > > 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
> > >  bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
> > > 
> > > The problem is that the macro is undefined in this case, and we need to
> > > use the IS_ENABLED() helper to turn it into a boolean constant.
> > > 
> > > Another minor problem with the original patch is that the option is even
> > > offered in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also
> > > hides the option in that case.
> > > 
> > > Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> > > Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
> > > Signed-off-by: John Johansen <john.johansen@canonical.com>
> > > Signed-off-by: James Morris <james.l.morris@oracle.com>
> > > ---
> > > diff -Nurp a/security/apparmor/crypto.c b/security/apparmor/crypto.c
> > > --- a/security/apparmor/crypto.c
> > > +++ b/security/apparmor/crypto.c
> > > @@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profi
> > >  	int error = -ENOMEM;
> > >  	u32 le32_version = cpu_to_le32(version);
> > > 
> > > +	if (!aa_g_hash_policy)
> > > +		return 0;
> > > +
> > >  	if (!apparmor_tfm)
> > >  		return 0;
> > > 
> > > diff -Nurp a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > > --- a/security/apparmor/lsm.c
> > > +++ b/security/apparmor/lsm.c
> > > @@ -692,6 +692,12 @@ enum profile_mode aa_g_profile_mode = AP
> > >  module_param_call(mode, param_set_mode, param_get_mode,
> > >  		  &aa_g_profile_mode, S_IRUSR | S_IWUSR);
> > > 
> > > +#ifdef CONFIG_SECURITY_APPARMOR_HASH
> > > +/* whether policy verification hashing is enabled */
> > > +bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
> > > +module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR |
> > > S_IWUSR);
> > > +#endif
> > > +
> > >  /* Debug mode */
> > >  bool aa_g_debug;
> > >  module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
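Review bot: the `module_param_named(hash_policy, ...)` addition in this hunk is split across two lines, and the continuation `S_IWUSR);` carries no `+` marker, so the hunk body no longer matches the line counts in its `@@ -692,6 +692,12 @@` header and cannot be applied. Resend with line wrapping disabled in the mail client, or use git send-email, so that every diff line stays on a single line.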
> > > ---
> > 
> > The patch is whitespace corrupted and can not be applied :(
> 
> Sorry, I noticed the problem afterwards. I opened a bug report to try to fix my mail client:
> https://github.com/roundcube/roundcubemail/issues/6438
> 
> > 
> > Can you fix that up and resend it so that I can apply it?
> 
> No problem. Thanks for all.
> 
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: James Morris <james.l.morris@oracle.com>
> ---
> diff -Nurp a/security/apparmor/crypto.c b/security/apparmor/crypto.c
> --- a/security/apparmor/crypto.c
> +++ b/security/apparmor/crypto.c
> @@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profi
>  	int error = -ENOMEM;
>  	u32 le32_version = cpu_to_le32(version);
>  
> +	if (!aa_g_hash_policy)
> +		return 0;
> +
>  	if (!apparmor_tfm)
>  		return 0;
>  
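Review bot: the added `if (!aa_g_hash_policy)` test in aa_calc_profile_hash() depends on a declaration of `aa_g_hash_policy` that none of the visible hunks add, while the lsm.c hunk defines the variable only under `#ifdef CONFIG_SECURITY_APPARMOR_HASH`. Please confirm that the 4.4 tree already declares it in a header that crypto.c includes and that crypto.c is built only with that option set, or add the `extern` declaration to this backport.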
> diff -Nurp a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -692,6 +694,12 @@ enum profile_mode aa_g_profile_mode = AP
>  module_param_call(mode, param_set_mode, param_get_mode,
>  		  &aa_g_profile_mode, S_IRUSR | S_IWUSR);
>  
> +#ifdef CONFIG_SECURITY_APPARMOR_HASH
> +/* whether policy verification hashing is enabled */
> +bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
> +module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
> +#endif
> +
>  /* Debug mode */
>  bool aa_g_debug;
>  module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
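Review bot: the `aa_g_hash_policy` definition in this hunk consists entirely of new lines, whereas the changelog describes correcting an existing `bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;` initializer, so the changelog should state that the 4.4 version introduces the variable and the `hash_policy` parameter instead of only saying it is "slightly modified". The hunk header also moved from `+692,12` in the first posting to `+694,12` here with no earlier lsm.c hunk shown, which is worth checking against a freshly generated diff.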

Thanks, that worked, now queued up.

greg k-h
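
The macro problem described in the quoted commit message, as an added example that is not part of this thread or of the kernel source: a simplified stand-in for `IS_ENABLED()` shows why an undefined `CONFIG_` symbol becomes a constant 0, and a toy function mirrors the early return from the crypto.c hunk. All `DEMO_`/`demo_` names, the two `CONFIG_DEMO_*` options and the checksum are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's IS_ENABLED(), bool options only.
 * Assumption: modelled on the token-pasting trick in include/linux/kconfig.h;
 * every DEMO_/demo_ name here is hypothetical. */
#define DEMO_PLACEHOLDER_1 0,
#define demo_second_arg(ignored, val, ...) val
#define demo_is_defined(x) demo_is_defined2(x)
#define demo_is_defined2(val) demo_is_defined3(DEMO_PLACEHOLDER_##val)
#define demo_is_defined3(arg1_or_junk) demo_second_arg(arg1_or_junk 1, 0, 0)
#define DEMO_IS_ENABLED(option) demo_is_defined(option)

/* Kconfig emits "#define CONFIG_FOO 1" for a bool option set to y and
 * nothing at all when the option is disabled. */
#define CONFIG_DEMO_HASH_DEFAULT_Y 1
/* CONFIG_DEMO_HASH_DEFAULT_N is deliberately left undefined. */

/* Broken form from the quoted build error (identifier does not exist):
 *     bool hash_policy = CONFIG_DEMO_HASH_DEFAULT_N; */

/* Fixed form: always a constant 1 or 0, valid in a file-scope initializer. */
static bool hash_policy_y = DEMO_IS_ENABLED(CONFIG_DEMO_HASH_DEFAULT_Y);
static bool hash_policy_n = DEMO_IS_ENABLED(CONFIG_DEMO_HASH_DEFAULT_N);

bool demo_default_when_enabled(void)  { return hash_policy_y; }
bool demo_default_when_disabled(void) { return hash_policy_n; }

/* Mirrors the early return in the crypto.c hunk: with hashing switched off
 * the call succeeds (0) and *out is left untouched. A toy checksum stands
 * in for the real digest. */
int demo_calc_hash(bool hash_policy, const unsigned char *data, size_t len,
                   unsigned int *out)
{
    unsigned int sum = 0;

    if (!hash_policy)
        return 0;
    for (size_t i = 0; i < len; i++)
        sum = sum * 31 + data[i];
    *out = sum;
    return 0;
}

int main(void)
{
    printf("y=%d n=%d\n", demo_default_when_enabled(), demo_default_when_disabled());
    return 0;
}
```

Because the disabled path returns success without writing a digest, callers have to treat a missing hash as "hashing off" and not as an error.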
