Commit e33c1b99 authored by Kees Cook's avatar Kees Cook Committed by John Johansen

apparmor: Restore Y/N in /sys for apparmor's "enabled"

Before commit c5459b82 ("LSM: Plumb visibility into optional "enabled"
state"), /sys/module/apparmor/parameters/enabled would show "Y" or "N"
since it was using the "bool" handler. After being changed to "int",
this switched to "1" or "0", breaking the userspace AppArmor detection
of dbus-broker. This restores the Y/N output while keeping the LSM
infrastructure happy.

Before:
	$ cat /sys/module/apparmor/parameters/enabled
	1

After:
	$ cat /sys/module/apparmor/parameters/enabled
	Y
Reported-by: default avatarDavid Rheinsberg <david.rheinsberg@gmail.com>
Reviewed-by: default avatarDavid Rheinsberg <david.rheinsberg@gmail.com>
Link: https://lkml.kernel.org/r/CADyDSO6k8vYb1eryT4g6+EHrLCvb68GAbHVWuULkYjcZcYNhhw@mail.gmail.com
Fixes: c5459b82 ("LSM: Plumb visibility into optional "enabled" state")
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 771acc7e
...@@ -1336,9 +1336,16 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); ...@@ -1336,9 +1336,16 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
bool aa_g_paranoid_load = true; bool aa_g_paranoid_load = true;
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
static int param_set_aaintbool(const char *val, const struct kernel_param *kp);
#define param_check_aaintbool param_check_int
static const struct kernel_param_ops param_ops_aaintbool = {
.set = param_set_aaintbool,
.get = param_get_aaintbool
};
/* Boot time disable flag */ /* Boot time disable flag */
static int apparmor_enabled __lsm_ro_after_init = 1; static int apparmor_enabled __lsm_ro_after_init = 1;
module_param_named(enabled, apparmor_enabled, int, 0444); module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
static int __init apparmor_enabled_setup(char *str) static int __init apparmor_enabled_setup(char *str)
{ {
...@@ -1413,6 +1420,46 @@ static int param_get_aauint(char *buffer, const struct kernel_param *kp) ...@@ -1413,6 +1420,46 @@ static int param_get_aauint(char *buffer, const struct kernel_param *kp)
return param_get_uint(buffer, kp); return param_get_uint(buffer, kp);
} }
/* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
static int param_set_aaintbool(const char *val, const struct kernel_param *kp)
{
struct kernel_param kp_local;
bool value;
int error;
if (apparmor_initialized)
return -EPERM;
/* Create local copy, with arg pointing to bool type. */
value = !!*((int *)kp->arg);
memcpy(&kp_local, kp, sizeof(kp_local));
kp_local.arg = &value;
error = param_set_bool(val, &kp_local);
if (!error)
*((int *)kp->arg) = *((bool *)kp_local.arg);
return error;
}
/*
* To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to
* 1/0, this converts the "int that is actually bool" back to bool for
* display in the /sys filesystem, while keeping it "int" for the LSM
* infrastructure.
*/
static int param_get_aaintbool(char *buffer, const struct kernel_param *kp)
{
struct kernel_param kp_local;
bool value;
/* Create local copy, with arg pointing to bool type. */
value = !!*((int *)kp->arg);
memcpy(&kp_local, kp, sizeof(kp_local));
kp_local.arg = &value;
return param_get_bool(buffer, &kp_local);
}
static int param_get_audit(char *buffer, const struct kernel_param *kp) static int param_get_audit(char *buffer, const struct kernel_param *kp)
{ {
if (!apparmor_enabled) if (!apparmor_enabled)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment