
apparmor: add debug assert AA_BUG and Kconfig to control debug info

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 8 years ago
parent
commit
680cd62e91
3 changed files with 43 additions and 4 deletions
  1. 29 2
      security/apparmor/Kconfig
  2. 13 1
      security/apparmor/include/lib.h
  3. 1 1
      security/apparmor/lsm.c

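--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -36,7 +36,6 @@ config SECURITY_APPARMOR_HASH
 	select CRYPTO
 	select CRYPTO_SHA1
 	default y
-
 	help
 	  This option selects whether introspection of loaded policy
 	  is available to userspace via the apparmor filesystem.
@@ -45,7 +44,6 @@ config SECURITY_APPARMOR_HASH_DEFAULT
        bool "Enable policy hash introspection by default"
        depends on SECURITY_APPARMOR_HASH
        default y
-
        help
          This option selects whether sha1 hashing of loaded policy
 	 is enabled by default. The generation of sha1 hashes for
@@ -54,3 +52,32 @@ config SECURITY_APPARMOR_HASH_DEFAULT
 	 however it can slow down policy load on some devices. In
 	 these cases policy hashing can be disabled by default and
 	 enabled only if needed.
+
+config SECURITY_APPARMOR_DEBUG
+	bool "Build AppArmor with debug code"
+	depends on SECURITY_APPARMOR
+	default n
+	help
+	  Build apparmor with debugging logic in apparmor. Not all
+	  debugging logic will necessarily be enabled. A submenu will
+	  provide fine grained control of the debug options that are
+	  available.
+
+config SECURITY_APPARMOR_DEBUG_ASSERTS
+	bool "Build AppArmor with debugging asserts"
+	depends on SECURITY_APPARMOR_DEBUG
+	default y
+	help
+	  Enable code assertions made with AA_BUG. These are primarily
+	  function entry preconditions but also exist at other key
+	  points. If the assert is triggered it will trigger a WARN
+	  message.
+
+config SECURITY_APPARMOR_DEBUG_MESSAGES
+	bool "Debug messages enabled by default"
+	depends on SECURITY_APPARMOR_DEBUG
+	default n
+	help
+	  Set the default value of the apparmor.debug kernel parameter.
+	  When enabled, various debug messages will be logged to
+	  the kernel message buffer.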
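Review bot: The help text for SECURITY_APPARMOR_DEBUG_ASSERTS says a tripped assert "will trigger a WARN message" but does not say what that costs on a deployed kernel: WARN() taints the kernel, and on systems booted with panic_on_warn it is fatal, so a failed AA_BUG precondition on a production box becomes a crash rather than a log line. Since DEBUG_ASSERTS is `default y` the moment SECURITY_APPARMOR_DEBUG is selected, I would spell this out in its help, e.g. `  Intended for development and test kernels; with panic_on_warn set a failed assertion will panic the machine.`, and give SECURITY_APPARMOR_DEBUG a matching "not intended for production kernels" sentence. The DEBUG_MESSAGES help could also note that the apparmor.debug parameter can still be flipped at boot or via sysfs regardless of this default, since the option only sets the initial value.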

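--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -35,12 +35,24 @@
  * which is not related to profile accesses.
  */
 
+#define DEBUG_ON (aa_g_debug)
+#define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args)
 #define AA_DEBUG(fmt, args...)						\
 	do {								\
-		if (aa_g_debug)						\
+		if (DEBUG_ON)						\
 			pr_debug_ratelimited("AppArmor: " fmt, ##args);	\
 	} while (0)
 
+#define AA_WARN(X) WARN((X), "APPARMOR WARN %s: %s\n", __func__, #X)
+
+#define AA_BUG(X, args...) AA_BUG_FMT((X), "" args)
+#ifdef CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS
+#define AA_BUG_FMT(X, fmt, args...)					\
+	WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args)
+#else
+#define AA_BUG_FMT(X, fmt, args...)
+#endif
+
 #define AA_ERROR(fmt, args...)						\
 	pr_err_ratelimited("AppArmor: " fmt, ##args)
 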
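Review bot: With CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS disabled the new `AA_BUG_FMT` expands to nothing, so neither the condition nor the format string and its arguments are seen by the compiler; a mismatched format specifier, or a local that is only referenced inside an `AA_BUG()`, will then only warn or fail on debug builds, which is where such breakage is least likely to be caught before it ships. The usual kernel pattern is to keep the arguments type-checked in the disabled case, e.g. `#define AA_BUG_FMT(X, fmt, args...) no_printk(fmt, ##args)`, which compiles away but still validates fmt against args and leaves `AA_BUG()` a valid expression in both configurations. The condition X is deliberately not evaluated when asserts are off, which is right for an assertion but worth a one-line comment above the `#ifdef` so nobody relies on side effects in it. Minor: `AA_WARN` prints `APPARMOR WARN` while `AA_BUG_FMT` prints `AppArmor WARN`; one spelling would make the messages easier to grep in logs.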

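--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
 #endif
 
 /* Debug mode */
-bool aa_g_debug;
+bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);
 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
 
 /* Audit mode */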
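Review bot: The Kconfig symbol used in the new `aa_g_debug` initializer does not match the option this commit adds: the code reads `IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES)` while the Kconfig entry is `SECURITY_APPARMOR_DEBUG_MESSAGES`, so `CONFIG_SECURITY_DEBUG_MESSAGES` is never defined and the initializer is always 0, leaving debug messages off by default even when the option is selected. The fix is `bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);`. Because `IS_ENABLED()` silently treats an undefined symbol as disabled, this does not produce a build error, which is exactly why the typo would otherwise go unnoticed until someone sets the option and finds it has no effect.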