apparmor: remove paranoid load switch

Policy should always under go a full paranoid verification. Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2017-01-16 09:42:37 +0100
committer: John Johansen <john.johansen@canonical.com> 2017-01-16 10:18:30 +0100
commit: abbf8734039fe57c72c999e37bd1c30d8aed1943 (patch)
tree: d8df6efee365c8f70ff459f6dcf6a8a80b392f28 /security/apparmor/lsm.c
parent: apparmor: name null-XXX profiles after the executable (diff)
download: linux-abbf8734039fe57c72c999e37bd1c30d8aed1943.tar.xz
linux-abbf8734039fe57c72c999e37bd1c30d8aed1943.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index a757c163fda6..e40eecbbaefa 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -714,10 +714,11 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
 
 /* Determines how paranoid loading of policy is and how much verification
  * on the loaded policy is done.
+ * DEPRECATED: read only as strict checking of load is always done now
+ * that none root users (user namespaces) can load policy.
  */
 bool aa_g_paranoid_load = 1;
-module_param_named(paranoid_load, aa_g_paranoid_load, aabool,
-		   S_IRUSR | S_IWUSR);
+module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
 
 /* Boot time disable flag */
 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
author	John Johansen <john.johansen@canonical.com>	2017-01-16 09:42:37 +0100
committer	John Johansen <john.johansen@canonical.com>	2017-01-16 10:18:30 +0100
commit	abbf8734039fe57c72c999e37bd1c30d8aed1943 (patch)
tree	d8df6efee365c8f70ff459f6dcf6a8a80b392f28 /security/apparmor/lsm.c
parent	apparmor: name null-XXX profiles after the executable (diff)
download	linux-abbf8734039fe57c72c999e37bd1c30d8aed1943.tar.xz linux-abbf8734039fe57c72c999e37bd1c30d8aed1943.zip