On 07/13/2016 01:50 PM, Arnd Bergmann wrote: > The newly added Kconfig option could never work and just causes a build error > when disabled: > > security/apparmor/lsm.c:675:25: error: > 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function) > bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; > > The problem is that the macro undefined in this case, and we need to use the > IS_ENABLED() > helper to turn it into a boolean constant. > oops yep, looks like I've built with Y and N but not left undefined
> Another minor problem with the original patch is that the option is even > offered > in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the > option > in that case. > ah yeah nice also nice that you pulled the condition check into the calc_profile_hash() fn so the check won't get accidentally dropped by something else calling it > Signed-off-by: Arnd Bergmann <[email protected]> Acked-by: John Johansen <[email protected]> > Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy > hashing is used") > --- > security/apparmor/crypto.c | 3 +++ > security/apparmor/lsm.c | 4 +++- > security/apparmor/policy_unpack.c | 3 +-- > 3 files changed, 7 insertions(+), 3 deletions(-) > > diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c > index 532471d0b3a0..b75dab0df1cb 100644 > --- a/security/apparmor/crypto.c > +++ b/security/apparmor/crypto.c > @@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 > version, void *start, > int error = -ENOMEM; > u32 le32_version = cpu_to_le32(version); > > + if (!aa_g_hash_policy) > + return 0; > + > if (!apparmor_tfm) > return 0; > > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c > index 3be30c701bfa..41b8cb115801 100644 > --- a/security/apparmor/lsm.c > +++ b/security/apparmor/lsm.c > @@ -671,9 +671,11 @@ enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; > module_param_call(mode, param_set_mode, param_get_mode, > &aa_g_profile_mode, S_IRUSR | S_IWUSR); > > +#ifdef CONFIG_SECURITY_APPARMOR_HASH > /* whether policy verification hashing is enabled */ > -bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; > +bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); > module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); > +#endif > > /* Debug mode */ > bool aa_g_debug; > diff --git a/security/apparmor/policy_unpack.c > b/security/apparmor/policy_unpack.c > index b9b1c66a32a5..138120698f83 100644 > --- a/security/apparmor/policy_unpack.c > +++ b/security/apparmor/policy_unpack.c > @@ -778,8 +778,7 @@ int aa_unpack(void *udata, size_t size, struct list_head > *lh, const char **ns) > if (error) > goto fail_profile; > > - if (aa_g_hash_policy) > - error = aa_calc_profile_hash(profile, e.version, start, > + error = aa_calc_profile_hash(profile, e.version, start, > e.pos - start); > if (error) > goto fail_profile; >
