Commit | Line | Data |
---|---|---|
4d1e5b62 AF |
1 | From: John Johansen <jjohansen@suse.de> |
2 | Subject: fix recognition of security= boot parameter | |
3 | Patch-mainline: no | |
4 | References: bnc#442668 | |
5 | ||
6 | Fix AppArmor to respect the kernel boot parameter security=, so that if a | |
7 | different LSM is chosen, AppArmor does not try to register its LSM hooks. | |
8 | ||
9 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
10 | ||
11 | --- | |
12 | security/Kconfig | 9 +++++++++ | |
13 | security/apparmor/lsm.c | 5 +++-- | |
14 | security/security.c | 2 +- | |
15 | 3 files changed, 13 insertions(+), 3 deletions(-) | |
16 | ||
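--- a/security/Kconfig
+++ b/security/Kconfig
@@ -51,6 +51,15 @@ config SECURITY
 
 If you are unsure how to answer this question, answer N.
 
+config SECURITY_DEFAULT
+ string "Default security module"
+ depends on SECURITY
+ default ""
+ help
+ This determines the security module used if the security=
+ boot parmater is not provided. If a security module is not
+ specified the first module to register will be used.
+
 config SECURITY_NETWORK
 bool "Socket and Networking Security Hooks"
 depends on SECURITY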
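Review bot: The help text of the new SECURITY_DEFAULT entry misspells "parameter" as `parmater`, and it does not say which values are valid or what happens when the configured name matches no built-in module. Judging from the lsm.c part of this patch, a module that is not the selected one skips registering its hooks, so a misspelled default would presumably leave the kernel running without the intended LSM and without any build-time diagnostic. I would fix the spelling and add a sentence to the help such as `The value must be the name of a security module built into this kernel (for example "apparmor"); a name that matches none leaves no such module registered.`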
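--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -911,6 +911,7 @@ static int apparmor_task_setrlimit(unsig
 }
 
 struct security_operations apparmor_ops = {
+ .name = "apparmor",
 .ptrace_may_access = apparmor_ptrace_may_access,
 .ptrace_traceme = apparmor_ptrace_traceme,
 .capget = cap_capget,
@@ -989,8 +990,8 @@ static int __init apparmor_init(void)
 {
 int error;
 
- if (!apparmor_enabled) {
- info_message("AppArmor disabled by boottime parameter\n");
+ if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) {
+ info_message("AppArmor disabled by boot time parameter\n");
 return 0;
 }
 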
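Review bot: In apparmor_init the single message `AppArmor disabled by boot time parameter` now covers two different causes, and for one of them it is inaccurate. When `security_module_enable(&apparmor_ops)` fails because another module was selected through the build-time CONFIG_SECURITY_DEFAULT introduced by this patch, no boot parameter was involved, which misleads anyone checking the boot log to confirm which LSM is enforcing. I would keep `if (!apparmor_enabled)` with the existing message and add a second test, `if (!security_module_enable(&apparmor_ops))`, that logs something like `AppArmor not registered: another security module is selected` before returning 0. The rest of apparmor_init lies outside the hunk.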
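--- a/security/security.c
+++ b/security/security.c
@@ -18,7 +18,7 @@
 #include <linux/security.h>
 
 /* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_SECURITY_DEFAULT;
 
 /* things that live in capability.c */
 extern struct security_operations default_security_ops;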
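Review bot: Nothing bounds the length of CONFIG_SECURITY_DEFAULT against `chosen_lsm[SECURITY_NAME_MAX + 1]`, since the Kconfig entry added by this patch is a free-form string. A value of exactly SECURITY_NAME_MAX + 1 characters is a valid C initializer that leaves the array without a terminating NUL, and anything longer is at best a compiler warning with silent truncation. A compile-time check in one of this file's init functions, for example `BUILD_BUG_ON(sizeof(CONFIG_SECURITY_DEFAULT) > SECURITY_NAME_MAX + 1);`, would turn an oversized default into a build failure. How chosen_lsm is read afterwards is outside this hunk, so the impact of a missing terminator should be confirmed against those call sites.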