1 From: John Johansen <jjohansen@suse.de>
2 Subject: fix recognition of security= boot parameter
3 Patch-mainline: no
4 References: bnc#442668
5
6 Fix AppArmor to respect the kernel boot parameter security=, so that if a
7 different lsm is chosen apparmor does not try to register its lsm hooks.
8
9 Signed-off-by: John Johansen <jjohansen@suse.de>
10
11 ---
12 security/Kconfig | 9 +++++++++
13 security/apparmor/lsm.c | 5 +++--
14 security/security.c | 2 +-
15 3 files changed, 13 insertions(+), 3 deletions(-)
16
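--- a/security/Kconfig
+++ b/security/Kconfig
@@ -51,6 +51,15 @@ config SECURITY
 
 If you are unsure how to answer this question, answer N.
 
+config SECURITY_DEFAULT
+ string "Default security module"
+ depends on SECURITY
+ default ""
+ help
+ This determines the security module used if the security=
+ boot parmater is not provided. If a security module is not
+ specified the first module to register will be used.
+
 config SECURITY_NETWORK
 bool "Socket and Networking Security Hooks"
 depends on SECURITY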
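Review bot: The new `SECURITY_DEFAULT` symbol is a free-form string, and nothing visible in this patch checks that its value names a security module that is actually built in. If `security_module_enable()` (not shown on this page) compares names exactly, a misspelled default would presumably match no module and the kernel would boot with none of them registering its hooks. The help text should state that, e.g. `The value must exactly match the name of a built-in module (for example "apparmor"); a name that matches none leaves no module selected.` The help text also misspells "parameter" as `parmater`.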
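--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -911,6 +911,7 @@ static int apparmor_task_setrlimit(unsig
 }
 
 struct security_operations apparmor_ops = {
+ .name = "apparmor",
 .ptrace_may_access = apparmor_ptrace_may_access,
 .ptrace_traceme = apparmor_ptrace_traceme,
 .capget = cap_capget,
@@ -989,8 +990,8 @@ static int __init apparmor_init(void)
 {
 int error;
 
- if (!apparmor_enabled) {
- info_message("AppArmor disabled by boottime parameter\n");
+ if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) {
+ info_message("AppArmor disabled by boot time parameter\n");
 return 0;
 }
 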
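Review bot: In `apparmor_init()` the combined condition logs `AppArmor disabled by boot time parameter` for both cases, but after this patch AppArmor is also skipped when another module is named in `CONFIG_SECURITY_DEFAULT`, which is a build-time setting rather than a boot parameter. Someone reading the boot log to confirm which access-control module is enforcing cannot tell an explicit disable from AppArmor simply not being the selected module. Splitting the test into two guards with distinct messages keeps the log accurate. The rest of `apparmor_init()` lies outside the hunk.

```c
	if (!apparmor_enabled) {
		info_message("AppArmor disabled by boot time parameter\n");
		return 0;
	}

	if (!security_module_enable(&apparmor_ops)) {
		info_message("AppArmor not selected as the active security module\n");
		return 0;
	}
	/* … unchanged: remainder of apparmor_init() … */
```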
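--- a/security/security.c
+++ b/security/security.c
@@ -18,7 +18,7 @@
 #include <linux/security.h>
 
 /* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_SECURITY_DEFAULT;
 
 /* things that live in capability.c */
 extern struct security_operations default_security_ops;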
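Review bot: The initializer on `chosen_lsm` copies the `CONFIG_SECURITY_DEFAULT` string into a fixed `SECURITY_NAME_MAX + 1` byte array with no check on its length. C allows a string literal of exactly that many characters to initialise the array without a terminating NUL, and a longer one is a constraint violation that compilers typically only warn about, so an over-long Kconfig value would leave the buffer unterminated or truncated. A build-time guard in one of the file's `__init` functions would catch this, e.g. `BUILD_BUG_ON(sizeof(CONFIG_SECURITY_DEFAULT) > sizeof(chosen_lsm));`.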