From patchwork Mon Jul 25 18:00:40 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Johansen X-Patchwork-Id: 9246277 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C0B586077C for ; Mon, 25 Jul 2016 18:00:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B69B2252D2 for ; Mon, 25 Jul 2016 18:00:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A9E012705B; Mon, 25 Jul 2016 18:00:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1B287252D2 for ; Mon, 25 Jul 2016 18:00:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753174AbcGYSAr (ORCPT ); Mon, 25 Jul 2016 14:00:47 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:54019 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752821AbcGYSAq (ORCPT ); Mon, 25 Jul 2016 14:00:46 -0400 Received: from static-50-53-49-26.bvtn.or.frontiernet.net ([50.53.49.26] helo=[192.168.192.153]) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1bRkBH-0002zt-Hr; Mon, 25 Jul 2016 18:00:43 +0000 Subject: Re: linux-next: Tree for Jul 24 (apparmor) To: Randy Dunlap , Stephen Rothwell , linux-next@vger.kernel.org References: <20160724182040.1e49e90f@canb.auug.org.au> <7a66a4c7-60cb-166d-2518-b7ba8de0033b@infradead.org> Cc: linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org From: John Johansen Organization: Canonical Message-ID: Date: Mon, 25 Jul 2016 11:00:40 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <7a66a4c7-60cb-166d-2518-b7ba8de0033b@infradead.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP On 07/24/2016 04:26 PM, Randy Dunlap wrote: > On 07/24/16 01:20, Stephen Rothwell wrote: >> Hi all, >> >> Changes since 20160722: >> > > on x86_64: > > CONFIG_SECURITY_APPARMOR=y > CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 > # CONFIG_SECURITY_APPARMOR_HASH is not set > > ../security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function) > bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; > ^ > > yep thanks, its fixed by the following patch, and I have requested James pull it The newly added Kconfig option could never work and just causes a build error when disabled: security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function) bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; The problem is that the macro undefined in this case, and we need to use the IS_ENABLED() helper to turn it into a boolean constant. Another minor problem with the original patch is that the option is even offered in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option in that case. Signed-off-by: Arnd Bergmann Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used") --- security/apparmor/crypto.c | 3 +++ security/apparmor/lsm.c | 4 +++- security/apparmor/policy_unpack.c | 3 +-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c index 532471d0b3a0..b75dab0df1cb 100644 --- a/security/apparmor/crypto.c +++ b/security/apparmor/crypto.c @@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start, int error = -ENOMEM; u32 le32_version = cpu_to_le32(version); + if (!aa_g_hash_policy) + return 0; + if (!apparmor_tfm) return 0; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 3be30c701bfa..41b8cb115801 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -671,9 +671,11 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; module_param_call(mode, param_set_mode, param_get_mode, &aa_g_profile_mode, S_IRUSR | S_IWUSR); +#ifdef CONFIG_SECURITY_APPARMOR_HASH /* whether policy verification hashing is enabled */ -bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; +bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); +#endif /* Debug mode */ bool aa_g_debug; diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index b9b1c66a32a5..138120698f83 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -778,8 +778,7 @@ int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns) if (error) goto fail_profile; - if (aa_g_hash_policy) - error = aa_calc_profile_hash(profile, e.version, start, + error = aa_calc_profile_hash(profile, e.version, start, e.pos - start); if (error) goto fail_profile;