mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-08-22 17:01:14 +00:00
93761c93e9
- switch to zstd compression for profile raw data
+ Cleanups
- Simplify obtain the newest label on a cred
- remove useless static inline functions
- compute permission conversion on policy unpack
- refactor code to share common permissins
- refactor unpack to group policy backwards compatiblity code
- add __init annotation to aa_{setup/teardown}_dfa_engine()
+ Bug Fixes
- fix a memleak in
- multi_transaction_new()
- free_ruleset()
- unpack_profile()
- alloc_ns()
- fix lockdep warning when removing a namespace
- fix regression in stacking due to label flags
- fix loading of child before parent
- fix kernel-doc comments that differ from fns
- fix spelling errors in comments
- store return value of unpack_perms_table() to signed variable
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAmOZwywACgkQBS82cBjV
w9jBjRAAmj4gyK0L3eGY4IV2BpvnkHwHY4lOObJulTwILOOj0Pz8CJqRCa/HDCGj
aOlnwqksPsAjadzzfi58D6TnT+3fOuskbcMgTyvX5jraTXPrUl90+hXorbXKuLrw
iaX6QxW8soNW/s3oJhrC2HxbIhGA9VpVnmQpVZpJMmz5bU2xmzL62FCN8x88kytr
9CygaudPrvwYJf5pPd62p7ltj2S6lFwZ6dVCyiDQGTc+Gyng4G8p4MCfI1CwMMyo
mAUeeRnoeeBwH3tSy/Wsr72jPKjsMASpcMHo3ns/dVSw/ug2FYYToZbfxT/uAa6O
WVHfS1Kv/5afG9xxyfocWecd+Yp3lsXq9F+q36uOT9NeJmlej9aJr5sWMcvV3sru
QVNN7tFZbHqCnLhpl6RDH/NiguweNYQXrl2lukXZe/FKu/KDasFIOzL+IAt2TqZE
3mWrha7Q7j/gdBw8+fHHGtXCx0NSQlz1oFLo/y/mI7ztwUPJsBYbH5+108iP0ys/
7Kd+jkYRucJB4upGH4meQbN6f/rrs3+m/b/j0Q8RCFHAs2f+mYZeN/JOHCo0T4YH
KO1W60846fPs+7yZTVxWYFpR/kIuXksyxMWpEEZFFtF4MNoaeM1uypBWqm/JmKYr
8oDtEyiOd/qmZnWRcuO3/bmdoJUZY1zTXWA0dlScYc8vR4KC+EE=
=6GKy
-----END PGP SIGNATURE-----
Merge tag 'apparmor-pr-2022-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
Pull apparmor updates from John Johansen:
"Features:
- switch to zstd compression for profile raw data
Cleanups:
- simplify obtaining the newest label on a cred
- remove useless static inline functions
- compute permission conversion on policy unpack
- refactor code to share common permissins
- refactor unpack to group policy backwards compatiblity code
- add __init annotation to aa_{setup/teardown}_dfa_engine()
Bug Fixes:
- fix a memleak in
- multi_transaction_new()
- free_ruleset()
- unpack_profile()
- alloc_ns()
- fix lockdep warning when removing a namespace
- fix regression in stacking due to label flags
- fix loading of child before parent
- fix kernel-doc comments that differ from fns
- fix spelling errors in comments
- store return value of unpack_perms_table() to signed variable"
* tag 'apparmor-pr-2022-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (64 commits)
apparmor: Fix uninitialized symbol 'array_size' in policy_unpack_test.c
apparmor: Add __init annotation to aa_{setup/teardown}_dfa_engine()
apparmor: Fix memleak in alloc_ns()
apparmor: Fix memleak issue in unpack_profile()
apparmor: fix a memleak in free_ruleset()
apparmor: Fix spelling of function name in comment block
apparmor: Use pointer to struct aa_label for lbs_cred
AppArmor: Fix kernel-doc
LSM: Fix kernel-doc
AppArmor: Fix kernel-doc
apparmor: Fix loading of child before parent
apparmor: refactor code that alloc null profiles
apparmor: fix obsoleted comments for aa_getprocattr() and audit_resource()
apparmor: remove useless static inline functions
apparmor: Fix unpack_profile() warn: passing zero to 'ERR_PTR'
apparmor: fix uninitialize table variable in error in unpack_trans_table
apparmor: store return value of unpack_perms_table() to signed variable
apparmor: Fix kunit test for out of bounds array
apparmor: Fix decompression of rawdata for read back to userspace
apparmor: Fix undefined references to zstd_ symbols
...
123 lines
4.3 KiB
Text
123 lines
4.3 KiB
Text
# SPDX-License-Identifier: GPL-2.0-only
|
|
config SECURITY_APPARMOR
|
|
bool "AppArmor support"
|
|
depends on SECURITY && NET
|
|
select AUDIT
|
|
select SECURITY_PATH
|
|
select SECURITYFS
|
|
select SECURITY_NETWORK
|
|
default n
|
|
help
|
|
This enables the AppArmor security module.
|
|
Required userspace tools (if they are not included in your
|
|
distribution) and further information may be found at
|
|
http://apparmor.wiki.kernel.org
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_APPARMOR_DEBUG
|
|
bool "Build AppArmor with debug code"
|
|
depends on SECURITY_APPARMOR
|
|
default n
|
|
help
|
|
Build apparmor with debugging logic in apparmor. Not all
|
|
debugging logic will necessarily be enabled. A submenu will
|
|
provide fine grained control of the debug options that are
|
|
available.
|
|
|
|
config SECURITY_APPARMOR_DEBUG_ASSERTS
|
|
bool "Build AppArmor with debugging asserts"
|
|
depends on SECURITY_APPARMOR_DEBUG
|
|
default y
|
|
help
|
|
Enable code assertions made with AA_BUG. These are primarily
|
|
function entry preconditions but also exist at other key
|
|
points. If the assert is triggered it will trigger a WARN
|
|
message.
|
|
|
|
config SECURITY_APPARMOR_DEBUG_MESSAGES
|
|
bool "Debug messages enabled by default"
|
|
depends on SECURITY_APPARMOR_DEBUG
|
|
default n
|
|
help
|
|
Set the default value of the apparmor.debug kernel parameter.
|
|
When enabled, various debug messages will be logged to
|
|
the kernel message buffer.
|
|
|
|
config SECURITY_APPARMOR_INTROSPECT_POLICY
|
|
bool "Allow loaded policy to be introspected"
|
|
depends on SECURITY_APPARMOR
|
|
default y
|
|
help
|
|
This option selects whether introspection of loaded policy
|
|
is available to userspace via the apparmor filesystem. This
|
|
adds to kernel memory usage. It is required for introspection
|
|
of loaded policy, and check point and restore support. It
|
|
can be disabled for embedded systems where reducing memory and
|
|
cpu is paramount.
|
|
|
|
config SECURITY_APPARMOR_HASH
|
|
bool "Enable introspection of sha1 hashes for loaded profiles"
|
|
depends on SECURITY_APPARMOR_INTROSPECT_POLICY
|
|
select CRYPTO
|
|
select CRYPTO_SHA1
|
|
default y
|
|
help
|
|
This option selects whether introspection of loaded policy
|
|
hashes is available to userspace via the apparmor
|
|
filesystem. This option provides a light weight means of
|
|
checking loaded policy. This option adds to policy load
|
|
time and can be disabled for small embedded systems.
|
|
|
|
config SECURITY_APPARMOR_HASH_DEFAULT
|
|
bool "Enable policy hash introspection by default"
|
|
depends on SECURITY_APPARMOR_HASH
|
|
default y
|
|
help
|
|
This option selects whether sha1 hashing of loaded policy
|
|
is enabled by default. The generation of sha1 hashes for
|
|
loaded policy provide system administrators a quick way
|
|
to verify that policy in the kernel matches what is expected,
|
|
however it can slow down policy load on some devices. In
|
|
these cases policy hashing can be disabled by default and
|
|
enabled only if needed.
|
|
|
|
config SECURITY_APPARMOR_EXPORT_BINARY
|
|
bool "Allow exporting the raw binary policy"
|
|
depends on SECURITY_APPARMOR_INTROSPECT_POLICY
|
|
select ZSTD_COMPRESS
|
|
select ZSTD_DECOMPRESS
|
|
default y
|
|
help
|
|
This option allows reading back binary policy as it was loaded.
|
|
It increases the amount of kernel memory needed by policy and
|
|
also increases policy load time. This option is required for
|
|
checkpoint and restore support, and debugging of loaded policy.
|
|
|
|
config SECURITY_APPARMOR_PARANOID_LOAD
|
|
bool "Perform full verification of loaded policy"
|
|
depends on SECURITY_APPARMOR
|
|
default y
|
|
help
|
|
This options allows controlling whether apparmor does a full
|
|
verification of loaded policy. This should not be disabled
|
|
except for embedded systems where the image is read only,
|
|
includes policy, and has some form of integrity check.
|
|
Disabling the check will speed up policy loads.
|
|
|
|
config SECURITY_APPARMOR_KUNIT_TEST
|
|
tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
|
|
depends on KUNIT && SECURITY_APPARMOR
|
|
default KUNIT_ALL_TESTS
|
|
help
|
|
This builds the AppArmor KUnit tests.
|
|
|
|
KUnit tests run during boot and output the results to the debug log
|
|
in TAP format (https://testanything.org/). Only useful for kernel devs
|
|
running KUnit test harness and are not for inclusion into a
|
|
production build.
|
|
|
|
For more information on KUnit and unit tests in general please refer
|
|
to the KUnit documentation in Documentation/dev-tools/kunit/.
|
|
|
|
If unsure, say N.
|