[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.31 / patches.apparmor / fix-security-param.diff

From: John Johansen <jjohansen@suse.de>
Subject: fix recognition of security= boot parameter
Patch-mainline: no
References: bnc#442668

Fix AppArmor to respect the kernel boot parameter security=, so that if a
different lsm is choosen apparmor does not try to register its lsm hooks.

Signed-off-by: John Johansen <jjohansen@suse.de>

---
 security/Kconfig        |    9 +++++++++
 security/apparmor/lsm.c |    5 +++--
 security/security.c     |    2 +-
 3 files changed, 13 insertions(+), 3 deletions(-)

--- a/security/Kconfig
+++ b/security/Kconfig
@@ -51,6 +51,15 @@ config SECURITY
 
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_DEFAULT
+	string "Default security module"
+	depends on SECURITY
+	default ""
+	help
+          This determines the security module used if the security=
+          boot parmater is not provided.  If a security module is not
+          specified the first module to register will be used.
+
 config SECURITY_NETWORK
 	bool "Socket and Networking Security Hooks"
 	depends on SECURITY
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -911,6 +911,7 @@ static int apparmor_task_setrlimit(unsig
 }
 
 struct security_operations apparmor_ops = {
+	.name =				"apparmor",
 	.ptrace_may_access =		apparmor_ptrace_may_access,
 	.ptrace_traceme =		apparmor_ptrace_traceme,
 	.capget =			cap_capget,
@@ -989,8 +990,8 @@ static int __init apparmor_init(void)
 {
 	int error;
 
-	if (!apparmor_enabled) {
-		info_message("AppArmor disabled by boottime parameter\n");
+	if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) {
+		info_message("AppArmor disabled by boot time parameter\n");
 		return 0;
 	}
 
--- a/security/security.c
+++ b/security/security.c
@@ -18,7 +18,7 @@
 #include <linux/security.h>
 
 /* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_SECURITY_DEFAULT;
 
 /* things that live in capability.c */
 extern struct security_operations default_security_ops;
Commit	Line	Data
6a930a95 BS	1	From: John Johansen <jjohansen@suse.de>
	2	Subject: fix recognition of security= boot parameter
	3	Patch-mainline: no
	4	References: bnc#442668
	5
	6	Fix AppArmor to respect the kernel boot parameter security=, so that if a
	7	different lsm is choosen apparmor does not try to register its lsm hooks.
	8
	9	Signed-off-by: John Johansen <jjohansen@suse.de>
	10
	11	---
	12	security/Kconfig \| 9 +++++++++
	13	security/apparmor/lsm.c \| 5 +++--
	14	security/security.c \| 2 +-
	15	3 files changed, 13 insertions(+), 3 deletions(-)
	16
	17	--- a/security/Kconfig
	18	+++ b/security/Kconfig
	19	@@ -51,6 +51,15 @@ config SECURITY
	20
	21	If you are unsure how to answer this question, answer N.
	22
	23	+config SECURITY_DEFAULT
	24	+ string "Default security module"
	25	+ depends on SECURITY
	26	+ default ""
	27	+ help
	28	+ This determines the security module used if the security=
	29	+ boot parmater is not provided. If a security module is not
	30	+ specified the first module to register will be used.
	31	+
	32	config SECURITY_NETWORK
	33	bool "Socket and Networking Security Hooks"
	34	depends on SECURITY
	35	--- a/security/apparmor/lsm.c
	36	+++ b/security/apparmor/lsm.c
	37	@@ -911,6 +911,7 @@ static int apparmor_task_setrlimit(unsig
	38	}
	39
	40	struct security_operations apparmor_ops = {
	41	+ .name = "apparmor",
	42	.ptrace_may_access = apparmor_ptrace_may_access,
	43	.ptrace_traceme = apparmor_ptrace_traceme,
	44	.capget = cap_capget,
	45	@@ -989,8 +990,8 @@ static int __init apparmor_init(void)
	46	{
	47	int error;
	48
	49	- if (!apparmor_enabled) {
	50	- info_message("AppArmor disabled by boottime parameter\n");
	51	+ if (!apparmor_enabled \|\| !security_module_enable(&apparmor_ops)) {
	52	+ info_message("AppArmor disabled by boot time parameter\n");
	53	return 0;
	54	}
	55
	56	--- a/security/security.c
	57	+++ b/security/security.c
	58	@@ -18,7 +18,7 @@
	59	#include <linux/security.h>
	60
	61	/* Boot-time LSM user choice */
	62	-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
	63	+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_SECURITY_DEFAULT;
	64
65	/* things that live in capability.c */
66	extern struct security_operations default_security_ops;