From: Greg KH <gregkh@linuxfoundation.org>
To: Loic <hackurx@opensec.fr>
Cc: stable@vger.kernel.org, arnd@arndb.de,
john.johansen@canonical.com, james.l.morris@oracle.com
Subject: Re: [PATCH] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
Date: Mon, 17 Sep 2018 15:58:56 +0200 [thread overview]
Message-ID: <20180917135856.GB28797@kroah.com> (raw)
In-Reply-To: <77adc4c42d68501927b5a9150f9f0d62@search.opensec.fr>
On Sun, Sep 09, 2018 at 04:04:18PM +0200, Loic wrote:
> Hello,
>
> Tested without any problem so please picked up this for 4.4 to fix the
> problem.
> The patch below is slightly modified to adapt to this version.
>
> [ Upstream commit 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 ]
>
> The newly added Kconfig option could never work and just causes a build
> error
> when disabled:
>
> security/apparmor/lsm.c:675:25: error:
> 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
> bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
>
> The problem is that the macro undefined in this case, and we need to use the
> IS_ENABLED()
> helper to turn it into a boolean constant.
>
> Another minor problem with the original patch is that the option is even
> offered
> in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the
> option
> in that case.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy
> hashing is used")
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: James Morris <james.l.morris@oracle.com>
> ---
> diff -Nurp a/security/apparmor/crypto.c b/security/apparmor/crypto.c
> --- a/security/apparmor/crypto.c
> +++ b/security/apparmor/crypto.c
> @@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profi
> int error = -ENOMEM;
> u32 le32_version = cpu_to_le32(version);
>
> + if (!aa_g_hash_policy)
> + return 0;
> +
> if (!apparmor_tfm)
> return 0;
>
> diff -Nurp a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -692,6 +692,12 @@ enum profile_mode aa_g_profile_mode = AP
> module_param_call(mode, param_set_mode, param_get_mode,
> &aa_g_profile_mode, S_IRUSR | S_IWUSR);
>
> +#ifdef CONFIG_SECURITY_APPARMOR_HASH
> +/* whether policy verification hashing is enabled */
> +bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
> +module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR |
> S_IWUSR);
> +#endif
> +
> /* Debug mode */
> bool aa_g_debug;
> module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
> ---
The patch is whitespace corrupted and can not be applied :(
Can you fix that up and resend it so that I can apply it?
thanks,
greg k-h
next prev parent reply other threads:[~2018-09-17 19:26 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-09 14:04 [PATCH] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling Loic
2018-09-17 11:49 ` Greg KH
2018-09-17 13:40 ` John Johansen
2018-09-17 13:58 ` Greg KH
2018-09-17 13:58 ` Greg KH [this message]
2018-09-17 19:45 ` Loic
2018-09-17 21:15 ` Greg KH
2018-09-17 21:37 ` Greg KH
2018-09-17 21:56 ` Nathan Chancellor
2018-09-17 22:12 ` John Johansen
2018-09-21 5:40 ` Loic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180917135856.GB28797@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=arnd@arndb.de \
--cc=hackurx@opensec.fr \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox