1 From: John Johansen <jjohansen@suse.de>
2 Subject: fix recognition of security= boot parameter
6 Fix AppArmor to respect the kernel boot parameter security=, so that if a
7 different LSM is chosen, AppArmor does not try to register its LSM hooks.
9 Signed-off-by: John Johansen <jjohansen@suse.de>
12 security/Kconfig | 9 +++++++++
13 security/apparmor/lsm.c | 5 +++--
14 security/security.c | 2 +-
15 3 files changed, 13 insertions(+), 3 deletions(-)
17 --- a/security/Kconfig
18 +++ b/security/Kconfig
19 @@ -51,6 +51,15 @@ config SECURITY
21 If you are unsure how to answer this question, answer N.
23 +config SECURITY_DEFAULT
24 + string "Default security module"
28 + This determines the security module used if the security=
29 + boot parmater is not provided. If a security module is not
30 + specified the first module to register will be used.
32 config SECURITY_NETWORK
33 bool "Socket and Networking Security Hooks"
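Review bot: The help text for SECURITY_DEFAULT does not say what happens when the configured name matches no built-in module. That case matters, because the apparmor_init hunk in this patch makes AppArmor skip registration whenever security_module_enable() rejects it. A misspelled or not-compiled-in default would therefore presumably leave the kernel with no security module active unless security= overrides it. I would add a sentence such as `The value must exactly match the name a built-in module registers under; if it matches none, no security module is enabled.` and correct `parmater` to `parameter`. The lines between the prompt string and the help text are not visible here, so a `default` or `depends on` line may already be present.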
35 --- a/security/apparmor/lsm.c
36 +++ b/security/apparmor/lsm.c
37 @@ -911,6 +911,7 @@ static int apparmor_task_setrlimit(unsig
40 struct security_operations apparmor_ops = {
42 .ptrace_may_access = apparmor_ptrace_may_access,
43 .ptrace_traceme = apparmor_ptrace_traceme,
45 @@ -989,8 +990,8 @@ static int __init apparmor_init(void)
49 - if (!apparmor_enabled) {
50 - info_message("AppArmor disabled by boottime parameter\n");
51 + if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) {
52 + info_message("AppArmor disabled by boot time parameter\n");
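Review bot: The one message `AppArmor disabled by boot time parameter` in apparmor_init now covers two different causes: the apparmor_enabled switch, and security_module_enable() declining AppArmor because another module was selected. With this patch the second cause can come from the compile-time CONFIG_SECURITY_DEFAULT rather than from any boot parameter, so someone reading the boot log to find out why confinement is off gets a misleading answer. Testing the two conditions separately and logging the second as something like `AppArmor not selected as the active security module` would keep the log accurate. The rest of apparmor_init lies outside the visible hunk, so the cleanup path after this branch could not be checked.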
56 --- a/security/security.c
57 +++ b/security/security.c
59 #include <linux/security.h>
61 /* Boot-time LSM user choice */
62 -static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
63 +static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_SECURITY_DEFAULT;
65 /* things that live in capability.c */
66 extern struct security_operations default_security_ops;
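Review bot: The new initializer `= CONFIG_SECURITY_DEFAULT` on chosen_lsm has no length check, and Kconfig string values are unbounded. A value of exactly SECURITY_NAME_MAX + 1 characters is a valid C initializer but drops the terminating NUL, leaving chosen_lsm unterminated for whichever string comparison reads it later (not visible here); longer values only draw a compiler diagnostic. A build-time guard in one of the __init functions, e.g. `BUILD_BUG_ON(sizeof(CONFIG_SECURITY_DEFAULT) > sizeof(chosen_lsm));`, would reject an oversized default at compile time. The comment above the array is also stale now and could read `/* Boot-time LSM user choice; defaults to CONFIG_SECURITY_DEFAULT */`.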