From: Greg KH <gregkh@linuxfoundation.org>
To: Loic <hackurx@opensec.fr>
Cc: stable@vger.kernel.org, arnd@arndb.de,
john.johansen@canonical.com, james.l.morris@oracle.com
Subject: Re: [PATCH] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
Date: Mon, 17 Sep 2018 23:15:42 +0200 [thread overview]
Message-ID: <20180917211542.GA17153@kroah.com> (raw)
In-Reply-To: <20180917214547.d9ba29425cf87881179c27ef@opensec.fr>
On Mon, Sep 17, 2018 at 09:45:47PM +0200, Loic wrote:
> On Mon, 17 Sep 2018 15:58:56 +0200
> Greg KH <gregkh@linuxfoundation.org> wrote:
>
> > On Sun, Sep 09, 2018 at 04:04:18PM +0200, Loic wrote:
> > > Hello,
> > >
> > > Tested without any problem so please picked up this for 4.4 to fix the
> > > problem.
> > > The patch below is slightly modified to adapt to this version.
> > >
> > > [ Upstream commit 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 ]
> > >
> > > The newly added Kconfig option could never work and just causes a build
> > > error
> > > when disabled:
> > >
> > > security/apparmor/lsm.c:675:25: error:
> > > 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
> > > bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
> > >
> > > The problem is that the macro undefined in this case, and we need to use the
> > > IS_ENABLED()
> > > helper to turn it into a boolean constant.
> > >
> > > Another minor problem with the original patch is that the option is even
> > > offered
> > > in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the
> > > option
> > > in that case.
> > >
> > > Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> > > Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy
> > > hashing is used")
> > > Signed-off-by: John Johansen <john.johansen@canonical.com>
> > > Signed-off-by: James Morris <james.l.morris@oracle.com>
> > > ---
> > > diff -Nurp a/security/apparmor/crypto.c b/security/apparmor/crypto.c
> > > --- a/security/apparmor/crypto.c
> > > +++ b/security/apparmor/crypto.c
> > > @@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profi
> > > int error = -ENOMEM;
> > > u32 le32_version = cpu_to_le32(version);
> > >
> > > + if (!aa_g_hash_policy)
> > > + return 0;
> > > +
> > > if (!apparmor_tfm)
> > > return 0;
> > >
> > > diff -Nurp a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > > --- a/security/apparmor/lsm.c
> > > +++ b/security/apparmor/lsm.c
> > > @@ -692,6 +692,12 @@ enum profile_mode aa_g_profile_mode = AP
> > > module_param_call(mode, param_set_mode, param_get_mode,
> > > &aa_g_profile_mode, S_IRUSR | S_IWUSR);
> > >
> > > +#ifdef CONFIG_SECURITY_APPARMOR_HASH
> > > +/* whether policy verification hashing is enabled */
> > > +bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
> > > +module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR |
> > > S_IWUSR);
> > > +#endif
> > > +
> > > /* Debug mode */
> > > bool aa_g_debug;
> > > module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
> > > ---
> >
> > The patch is whitespace corrupted and can not be applied :(
>
> Sorry, I noticed the problem afterwards. I opened a bug report to try to fix my mail client:
> https://github.com/roundcube/roundcubemail/issues/6438
>
> >
> > Can you fix that up and resend it so that I can apply it?
>
> No problem. Thanks for all.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: James Morris <james.l.morris@oracle.com>
> ---
> diff -Nurp a/security/apparmor/crypto.c b/security/apparmor/crypto.c
> --- a/security/apparmor/crypto.c
> +++ b/security/apparmor/crypto.c
> @@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profi
> int error = -ENOMEM;
> u32 le32_version = cpu_to_le32(version);
>
> + if (!aa_g_hash_policy)
> + return 0;
> +
> if (!apparmor_tfm)
> return 0;
>
> diff -Nurp a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -692,6 +694,12 @@ enum profile_mode aa_g_profile_mode = AP
> module_param_call(mode, param_set_mode, param_get_mode,
> &aa_g_profile_mode, S_IRUSR | S_IWUSR);
>
> +#ifdef CONFIG_SECURITY_APPARMOR_HASH
> +/* whether policy verification hashing is enabled */
> +bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
> +module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
> +#endif
> +
> /* Debug mode */
> bool aa_g_debug;
> module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
THanks, that worked, now queued up.
greg k-h
next prev parent reply other threads:[~2018-09-18 2:44 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-09 14:04 [PATCH] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling Loic
2018-09-17 11:49 ` Greg KH
2018-09-17 13:40 ` John Johansen
2018-09-17 13:58 ` Greg KH
2018-09-17 13:58 ` Greg KH
2018-09-17 19:45 ` Loic
2018-09-17 21:15 ` Greg KH [this message]
2018-09-17 21:37 ` Greg KH
2018-09-17 21:56 ` Nathan Chancellor
2018-09-17 22:12 ` John Johansen
2018-09-21 5:40 ` Loic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180917211542.GA17153@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=arnd@arndb.de \
--cc=hackurx@opensec.fr \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox