security/apparmor/lsm.c +3 −2 @@ -714,10 +714,11 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); /* Determines how paranoid loading of policy is and how much verification * on the loaded policy is done. * DEPRECATED: read only as strict checking of load is always done now * that none root users (user namespaces) can load policy. */ bool aa_g_paranoid_load = 1; module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUSR | S_IWUSR); module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); /* Boot time disable flag */ static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; security/apparmor/policy_unpack.c +7 −14 @@ -340,12 +340,7 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e) ((e->pos - e->start) & 7); size_t pad = ALIGN(sz, 8) - sz; int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | TO_ACCEPT2_FLAG(YYTD_DATA32); if (aa_g_paranoid_load) flags |= DFA_FLAG_VERIFY_STATES; TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES; dfa = aa_dfa_unpack(blob + pad, size - pad, flags); if (IS_ERR(dfa)) @@ -705,7 +700,6 @@ static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) */ static int verify_profile(struct aa_profile *profile) { if (aa_g_paranoid_load) { if (profile->file.dfa && !verify_dfa_xindex(profile->file.dfa, profile->file.trans.size)) { @@ -713,7 +707,6 @@ static int verify_profile(struct aa_profile *profile) NULL, -EPROTO); return -EPROTO; } } return 0; }
security/apparmor/lsm.c +3 −2 @@ -714,10 +714,11 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); /* Determines how paranoid loading of policy is and how much verification * on the loaded policy is done. * DEPRECATED: read only as strict checking of load is always done now * that none root users (user namespaces) can load policy. */ bool aa_g_paranoid_load = 1; module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUSR | S_IWUSR); module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); /* Boot time disable flag */ static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
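Review bot: Making the sysfs file read-only with `S_IRUGO` does not by itself stop the variable from changing: `aa_g_paranoid_load` is still a writable `bool` registered through `module_param_named`, so a boot-time `apparmor.paranoid_load=0` would presumably still reach the aabool set handler, which is not visible in this hunk. The policy_unpack.c part of this commit stops consulting the flag, so the file could then report 0 while full verification is in fact always performed, which misleads anyone auditing the configuration. I would say so in the comment, e.g. `* The value is informational only; load verification cannot be disabled.`, and correct `none root` to `non-root` in the same place.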
security/apparmor/policy_unpack.c +7 −14 @@ -340,12 +340,7 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e) ((e->pos - e->start) & 7); size_t pad = ALIGN(sz, 8) - sz; int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | TO_ACCEPT2_FLAG(YYTD_DATA32); if (aa_g_paranoid_load) flags |= DFA_FLAG_VERIFY_STATES; TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES; dfa = aa_dfa_unpack(blob + pad, size - pad, flags); if (IS_ERR(dfa)) @@ -705,7 +700,6 @@ static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) */ static int verify_profile(struct aa_profile *profile) { if (aa_g_paranoid_load) { if (profile->file.dfa && !verify_dfa_xindex(profile->file.dfa, profile->file.trans.size)) { @@ -713,7 +707,6 @@ static int verify_profile(struct aa_profile *profile) NULL, -EPROTO); return -EPROTO; } } return 0; }
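Review bot: The now-unconditional `DFA_FLAG_VERIFY_STATES` in unpack_dfa() and the unconditional xindex check in verify_profile() carry no comment saying why they must not become optional again; the rationale lives only in the lsm.c comment. A short comment above the flags assignment, such as `/* always verify: policy can be loaded by non-root users in user namespaces */`, would keep the trust boundary visible where the check is made. verify_profile() as shown checks only `profile->file.dfa`; whether any other DFA in a profile needs an equivalent index check cannot be judged from these hunks and is worth confirming now that loaders are untrusted. The doc comment above verify_profile() ends just outside the hunk and should be checked for stale references to paranoid loading. Both function bodies extend beyond the visible hunks.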