diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/Kconfig | 11 | ||||
| -rw-r--r-- | security/apparmor/lsm.c | 2 | ||||
| -rw-r--r-- | security/apparmor/policy_unpack.c | 4 |
3 files changed, 15 insertions, 2 deletions
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index 4c34a28a2ddf..cb3496e00d8a 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig @@ -94,6 +94,17 @@ config SECURITY_APPARMOR_EXPORT_BINARY also increases policy load time. This option is required for checkpoint and restore support, and debugging of loaded policy. +config SECURITY_APPARMOR_PARANOID_LOAD + bool "Perform full verification of loaded policy" + depends on SECURITY_APPARMOR + default y + help + This options allows controlling whether apparmor does a full + verification of loaded policy. This should not be disabled + except for embedded systems where the image is read only, + includes policy, and has some form of integrity check. + Disabling the check will speed up policy loads. + config SECURITY_APPARMOR_KUNIT_TEST bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS depends on KUNIT=y && SECURITY_APPARMOR diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 84a4e63d922d..301c2bba4867 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1405,7 +1405,7 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); * DEPRECATED: read only as strict checking of load is always done now * that none root users (user namespaces) can load policy. */ -bool aa_g_paranoid_load = true; +bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_PARANOID_LOAD); module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); static int param_get_aaintbool(char *buffer, const struct kernel_param *kp); diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 31d2c2626ea5..55dca9e3af50 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -457,7 +457,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e) ((e->pos - e->start) & 7); size_t pad = ALIGN(sz, 8) - sz; int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | - TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES; + TO_ACCEPT2_FLAG(YYTD_DATA32); + if (aa_g_paranoid_load) + flags |= DFA_FLAG_VERIFY_STATES; dfa = aa_dfa_unpack(blob + pad, size - pad, flags); if (IS_ERR(dfa)) |