Commit abbf8734 authored by John Johansen's avatar John Johansen

apparmor: remove paranoid load switch

Policy should always under go a full paranoid verification.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 181f7c97
...@@ -714,10 +714,11 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); ...@@ -714,10 +714,11 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
/* Determines how paranoid loading of policy is and how much verification /* Determines how paranoid loading of policy is and how much verification
* on the loaded policy is done. * on the loaded policy is done.
* DEPRECATED: read only as strict checking of load is always done now
* that none root users (user namespaces) can load policy.
*/ */
bool aa_g_paranoid_load = 1; bool aa_g_paranoid_load = 1;
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
S_IRUSR | S_IWUSR);
/* Boot time disable flag */ /* Boot time disable flag */
static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
......
...@@ -340,12 +340,7 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e) ...@@ -340,12 +340,7 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e)
((e->pos - e->start) & 7); ((e->pos - e->start) & 7);
size_t pad = ALIGN(sz, 8) - sz; size_t pad = ALIGN(sz, 8) - sz;
int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
TO_ACCEPT2_FLAG(YYTD_DATA32); TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES;
if (aa_g_paranoid_load)
flags |= DFA_FLAG_VERIFY_STATES;
dfa = aa_dfa_unpack(blob + pad, size - pad, flags); dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
if (IS_ERR(dfa)) if (IS_ERR(dfa))
...@@ -705,14 +700,12 @@ static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) ...@@ -705,14 +700,12 @@ static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
*/ */
static int verify_profile(struct aa_profile *profile) static int verify_profile(struct aa_profile *profile)
{ {
if (aa_g_paranoid_load) { if (profile->file.dfa &&
if (profile->file.dfa && !verify_dfa_xindex(profile->file.dfa,
!verify_dfa_xindex(profile->file.dfa, profile->file.trans.size)) {
profile->file.trans.size)) { audit_iface(profile, NULL, "Invalid named transition",
audit_iface(profile, NULL, "Invalid named transition", NULL, -EPROTO);
NULL, -EPROTO); return -EPROTO;
return -EPROTO;
}
} }
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment