From 15eaa848b9cfe105fb3cf9d0bba62a99b708a33f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 Sep 2018 23:15:26 +0200
Subject: [PATCH] 4.4-stable patches added patches: apparmor-fix-security_apparmor_hash_default-parameter-handling.patch
---
 ...rmor_hash_default-parameter-handling.patch | 63 +++++++++++++++++++
 queue-4.4/series | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 queue-4.4/apparmor-fix-security_apparmor_hash_default-parameter-handling.patch
diff --git a/queue-4.4/apparmor-fix-security_apparmor_hash_default-parameter-handling.patch b/queue-4.4/apparmor-fix-security_apparmor_hash_default-parameter-handling.patch
new file mode 100644
index 00000000000..549c84373d4
--- /dev/null
+++ b/queue-4.4/apparmor-fix-security_apparmor_hash_default-parameter-handling.patch
@@ -0,0 +1,63 @@
+From 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 25 Jul 2016 10:59:07 -0700
+Subject: apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
+
+From: Arnd Bergmann
+
+commit 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 upstream.
+
+The newly added Kconfig option could never work and just causes a build error
+when disabled:
+
+security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
+ bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
+
+The problem is that the macro undefined in this case, and we need to use the IS_ENABLED()
+helper to turn it into a boolean constant.
+
+Another minor problem with the original patch is that the option is even offered
+in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option
+in that case.
+
+Signed-off-by: Arnd Bergmann
+Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
+Signed-off-by: John Johansen
+Signed-off-by: James Morris
+[backported to 4.4 by Loic]
+Cc: Loic
+Signed-off-by: Greg Kroah-Hartman
+
+---
+---
+ security/apparmor/crypto.c | 3 +++
+ security/apparmor/lsm.c | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/security/apparmor/crypto.c
++++ b/security/apparmor/crypto.c
+@@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profi
+ int error = -ENOMEM;
+ u32 le32_version = cpu_to_le32(version);
+
++ if (!aa_g_hash_policy)
++ return 0;
++
+ if (!apparmor_tfm)
+ return 0;
+
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -692,6 +692,12 @@ enum profile_mode aa_g_profile_mode = AP
+ module_param_call(mode, param_set_mode, param_get_mode,
+ &aa_g_profile_mode, S_IRUSR | S_IWUSR);
+
++#ifdef CONFIG_SECURITY_APPARMOR_HASH
++/* whether policy verification hashing is enabled */
++bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
++module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
++#endif
++
+ /* Debug mode */
+ bool aa_g_debug;
+ module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
diff --git a/queue-4.4/series b/queue-4.4/series
index 6888714437c..17d56cdcbd9 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -54,3 +54,4 @@ mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
 autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
 x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch
 mm-get-rid-of-vmacache_flush_all-entirely.patch
+apparmor-fix-security_apparmor_hash_default-parameter-handling.patch
-- 2.47.3
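Review bot: The new `if (!aa_g_hash_policy) return 0;` guard in aa_calc_profile_hash() and the `IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT)` initialiser in lsm.c both depend on things this backport does not add: the queued patch touches only crypto.c and lsm.c, so neither an `extern bool aa_g_hash_policy;` declaration for crypto.c nor a Kconfig entry for the _DEFAULT symbol is visible here. If the 4.4 tree lacks the declaration, crypto.c will not build; if it lacks the Kconfig symbol, IS_ENABLED() evaluates to 0 and policy hashing is silently off by default, which would be a behaviour change for a stable kernel. It is worth confirming that 6059f71f1e94 (named in Fixes:) or an equivalent is already applied in queue-4.4 ahead of this patch. A short comment above the guard would also help, e.g. `/* policy hashing disabled via the hash_policy parameter */`. The rest of aa_calc_profile_hash() lies outside the hunk, so how callers treat a profile that was loaded without a hash should be checked there.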