apparmor: Enable tuning of policy paranoid load for embedded systems
AppArmor by default does an extensive check on loaded policy that can take quite some time on limited resource systems. Allow disabling this check for embedded systems where system images are readonly and have checksumming making the need for the embedded policy to be fully checked to be redundant. Note: basic policy checks are still done. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Родитель
d61c57fde8
Коммит
5bfcbd22ee
|
@ -94,6 +94,17 @@ config SECURITY_APPARMOR_EXPORT_BINARY
|
|||
also increases policy load time. This option is required for
|
||||
checkpoint and restore support, and debugging of loaded policy.
|
||||
|
||||
config SECURITY_APPARMOR_PARANOID_LOAD
|
||||
bool "Perform full verification of loaded policy"
|
||||
depends on SECURITY_APPARMOR
|
||||
default y
|
||||
help
|
||||
This options allows controlling whether apparmor does a full
|
||||
verification of loaded policy. This should not be disabled
|
||||
except for embedded systems where the image is read only,
|
||||
includes policy, and has some form of integrity check.
|
||||
Disabling the check will speed up policy loads.
|
||||
|
||||
config SECURITY_APPARMOR_KUNIT_TEST
|
||||
bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
|
||||
depends on KUNIT=y && SECURITY_APPARMOR
|
||||
|
|
|
@ -1405,7 +1405,7 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
|
|||
* DEPRECATED: read only as strict checking of load is always done now
|
||||
* that none root users (user namespaces) can load policy.
|
||||
*/
|
||||
bool aa_g_paranoid_load = true;
|
||||
bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_PARANOID_LOAD);
|
||||
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
|
||||
|
||||
static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
|
||||
|
|
|
@ -457,7 +457,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e)
|
|||
((e->pos - e->start) & 7);
|
||||
size_t pad = ALIGN(sz, 8) - sz;
|
||||
int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
|
||||
TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES;
|
||||
TO_ACCEPT2_FLAG(YYTD_DATA32);
|
||||
if (aa_g_paranoid_load)
|
||||
flags |= DFA_FLAG_VERIFY_STATES;
|
||||
dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
|
||||
|
||||
if (IS_ERR(dfa))
|
||||
|
|
Загрузка…
Ссылка в новой задаче