From patchwork Wed Jul 13 20:50:25 2016
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 102023
From: Arnd Bergmann
To: John Johansen
Cc: Arnd Bergmann, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
Date: Wed, 13 Jul 2016 22:50:25 +0200
Message-Id: <20160713205122.1383314-1-arnd@arndb.de>
X-Mailing-List: linux-kernel@vger.kernel.org

The newly added Kconfig option could never work and just causes a build error when disabled:

security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
 bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;

The problem is that the macro is undefined in this case, and we need to use the IS_ENABLED() helper to turn it into a boolean constant.

Another minor problem with the original patch is that the option is even offered in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option in that case. Signed-off-by: Arnd Bergmann Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used") --- security/apparmor/crypto.c | 3 +++ security/apparmor/lsm.c | 4 +++- security/apparmor/policy_unpack.c | 3 +-- 3 files changed, 7 insertions(+), 3 deletions(-) -- 2.9.0 diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c index 532471d0b3a0..b75dab0df1cb 100644 --- a/security/apparmor/crypto.c +++ b/security/apparmor/crypto.c @@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start, int error = -ENOMEM; u32 le32_version = cpu_to_le32(version); + if (!aa_g_hash_policy) + return 0; + if (!apparmor_tfm) return 0; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 3be30c701bfa..41b8cb115801 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -671,9 +671,11 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; module_param_call(mode, param_set_mode, param_get_mode, &aa_g_profile_mode, S_IRUSR | S_IWUSR); +#ifdef CONFIG_SECURITY_APPARMOR_HASH /* whether policy verification hashing is enabled */ -bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; +bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); +#endif /* Debug mode */ bool aa_g_debug; diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index b9b1c66a32a5..138120698f83 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c 
@@ -778,8 +778,7 @@ int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns) if (error) goto fail_profile; - if (aa_g_hash_policy) - error = aa_calc_profile_hash(profile, e.version, start, + error = aa_calc_profile_hash(profile, e.version, start, e.pos - start); if (error) goto fail_profile;
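
Review bot: in security/apparmor/crypto.c, the new "if (!aa_g_hash_policy) return 0;" at the top of aa_calc_profile_hash() reports success without computing anything, so aa_unpack() cannot tell "hashing switched off" from "hash stored". Because hash_policy is registered with S_IRUSR | S_IWUSR and can be changed at runtime, add a comment on this early return stating that a disabled policy deliberately leaves the profile without a hash, and consider folding it into the existing "if (!apparmor_tfm)" test so both skip conditions sit in one place.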
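
Review bot: in security/apparmor/lsm.c, the added "#ifdef CONFIG_SECURITY_APPARMOR_HASH" removes the definition of aa_g_hash_policy entirely when hashing is compiled out, but the diffstat lists no header change, so any declaration of the variable stays visible in that configuration and a later reference from code built without CONFIG_SECURITY_APPARMOR_HASH would compile and then fail at link time. Guard the declaration with the same #ifdef, or at least write the closing line as "#endif /* CONFIG_SECURITY_APPARMOR_HASH */" and state the constraint in the comment above the variable.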
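
Review bot: in security/apparmor/policy_unpack.c, the call to aa_calc_profile_hash() in aa_unpack() is now unconditional, which builds with CONFIG_SECURITY_APPARMOR_HASH disabled only if a stub for the function exists in that configuration; nothing in this patch adds or shows one. Please confirm that and say in the commit message what the call resolves to when hashing is compiled out, so the removal of the "if (aa_g_hash_policy)" test here can be checked against the #ifdef added in lsm.c.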
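
The build failure and the IS_ENABLED() fix described in the commit message, as an added example that is not part of the original patch and not the kernel's own code: a userspace re-creation of the preprocessor trick that turns a possibly-undefined option macro into a constant 0 or 1. All DEMO_* and CONFIG_DEMO_* names are constructed for illustration; it assumes the Kconfig convention that an enabled bool option is defined as 1 and a disabled one is not defined at all, and it goes slightly beyond the patch by also showing a zero-valued macro.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for Kconfig output: "=y" becomes "#define X 1",
 * a disabled option is simply never defined. */
#define CONFIG_DEMO_HASH 1
/* CONFIG_DEMO_HASH_DEFAULT is disabled, so it is not defined at all. */
#define CONFIG_DEMO_ZERO 0   /* not what Kconfig emits; edge case below */

/* Userspace re-creation of the placeholder trick (hypothetical names).
 * If the option expands to 1, DEMO_PLACEHOLDER_1 inserts "0," and shifts
 * the literal 1 into the second argument slot; anything else stays a
 * junk token sequence in slot one, so slot two holds 0. */
#define DEMO_PLACEHOLDER_1 0,
#define DEMO_SECOND(ignored, val, ...) val
#define DEMO_DEFINED_3(arg1_or_junk) DEMO_SECOND(arg1_or_junk 1, 0, 0)
#define DEMO_DEFINED_2(val) DEMO_DEFINED_3(DEMO_PLACEHOLDER_##val)
#define DEMO_DEFINED(x) DEMO_DEFINED_2(x)
/* Built-in (=y) or modular (=m, seen as <option>_MODULE) both count. */
#define DEMO_IS_ENABLED(opt) (DEMO_DEFINED(opt) || DEMO_DEFINED(opt##_MODULE))

/* File-scope initialisers need constant expressions, as in lsm.c. */
static bool hash_built_in   = DEMO_IS_ENABLED(CONFIG_DEMO_HASH);
static bool hash_by_default = DEMO_IS_ENABLED(CONFIG_DEMO_HASH_DEFAULT);
static bool zero_valued     = DEMO_IS_ENABLED(CONFIG_DEMO_ZERO);
/* static bool broken = CONFIG_DEMO_HASH_DEFAULT;
 * fails like the reported error: the name is not a macro, so the compiler
 * sees an undeclared identifier in a file-scope initialiser. */

bool demo_hash_built_in(void)   { return hash_built_in; }
bool demo_hash_by_default(void) { return hash_by_default; }
bool demo_zero_valued(void)     { return zero_valued; }

int main(void)
{
    printf("HASH=%d HASH_DEFAULT=%d ZERO=%d\n",
           demo_hash_built_in(), demo_hash_by_default(), demo_zero_valued());
    return 0;
}
```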