Commit 5bfcbd22 authored by John Johansen

apparmor: Enable tuning of policy paranoid load for embedded systems

AppArmor by default does an extensive check on loaded policy that
can take quite some time on limited-resource systems. Allow
disabling this check for embedded systems where system images are
read-only and have checksumming, which makes fully checking the
embedded policy redundant.

Note: basic policy checks are still done.
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent d61c57fd
...@@ -94,6 +94,17 @@ config SECURITY_APPARMOR_EXPORT_BINARY ...@@ -94,6 +94,17 @@ config SECURITY_APPARMOR_EXPORT_BINARY
also increases policy load time. This option is required for also increases policy load time. This option is required for
checkpoint and restore support, and debugging of loaded policy. checkpoint and restore support, and debugging of loaded policy.
config SECURITY_APPARMOR_PARANOID_LOAD
bool "Perform full verification of loaded policy"
depends on SECURITY_APPARMOR
default y
help
This options allows controlling whether apparmor does a full
verification of loaded policy. This should not be disabled
except for embedded systems where the image is read only,
includes policy, and has some form of integrity check.
Disabling the check will speed up policy loads.
config SECURITY_APPARMOR_KUNIT_TEST config SECURITY_APPARMOR_KUNIT_TEST
bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
depends on KUNIT=y && SECURITY_APPARMOR depends on KUNIT=y && SECURITY_APPARMOR
......
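Review bot: typo in the new help text, "This options allows controlling" should read "This option allows controlling". The help text also does not say which verification is skipped; as far as this patch shows, the only check gated by the option is DFA state verification (DFA_FLAG_VERIFY_STATES in unpack_dfa), and the aa_g_paranoid_load module parameter still exists, so the Kconfig value is only a default. Suggest stating both in the help, e.g. "Disabling this skips DFA state verification when unpacking policy; the default can still be changed through the apparmor.paranoid_load parameter."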
...@@ -1405,7 +1405,7 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); ...@@ -1405,7 +1405,7 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
* DEPRECATED: read only as strict checking of load is always done now * DEPRECATED: read only as strict checking of load is always done now
* that none root users (user namespaces) can load policy. * that none root users (user namespaces) can load policy.
*/ */
bool aa_g_paranoid_load = true; bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_PARANOID_LOAD);
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
static int param_get_aaintbool(char *buffer, const struct kernel_param *kp); static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
......
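Review bot: the Kconfig symbol does not match. The option added in security/apparmor/Kconfig is SECURITY_APPARMOR_PARANOID_LOAD, but this line uses IS_ENABLED(CONFIG_SECURITY_PARANOID_LOAD). IS_ENABLED() of a symbol that is never defined evaluates to 0, so aa_g_paranoid_load would default to false on every build and the full verification the option defaults to y would be silently turned off. It should read `bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_APPARMOR_PARANOID_LOAD);`. The comment above it, "DEPRECATED: read only as strict checking of load is always done now", is also stale once the default is tunable and should say that the default now comes from the Kconfig option.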
...@@ -457,7 +457,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e) ...@@ -457,7 +457,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e)
((e->pos - e->start) & 7); ((e->pos - e->start) & 7);
size_t pad = ALIGN(sz, 8) - sz; size_t pad = ALIGN(sz, 8) - sz;
int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES; TO_ACCEPT2_FLAG(YYTD_DATA32);
if (aa_g_paranoid_load)
flags |= DFA_FLAG_VERIFY_STATES;
dfa = aa_dfa_unpack(blob + pad, size - pad, flags); dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
if (IS_ERR(dfa)) if (IS_ERR(dfa))
......
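Review bot: the `if (aa_g_paranoid_load)` gate drops only DFA_FLAG_VERIFY_STATES, so with the option off a policy DFA is unpacked without state verification. That is consistent with the stated assumption of a read-only, integrity-checked image, but the commit message's "basic policy checks are still done" should spell out that DFA state verification is the check being skipped, so that anyone disabling the option knows what they give up. Consider also adding a short comment above the `if`, e.g. "state verification is skipped when paranoid_load is off; the image is assumed integrity-checked", so the intent survives in the code.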