diff options
| author | John Johansen <john.johansen@canonical.com> | 2021-02-03 10:35:12 +0100 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2022-07-10 00:13:59 +0200 |
| commit | 5bfcbd22ee4e6ad5ae698518fadd0f03ea109537 (patch) | |
| tree | 6724a92839d6ab4b84e590ecf14a09911df81090 /security/apparmor/policy_unpack.c | |
| parent | apparmor: make export of raw binary profile to userspace optional (diff) | |
| download | linux-5bfcbd22ee4e6ad5ae698518fadd0f03ea109537.tar.xz linux-5bfcbd22ee4e6ad5ae698518fadd0f03ea109537.zip | |
apparmor: Enable tuning of policy paranoid load for embedded systems
AppArmor by default does an extensive check on loaded policy that
can take quite some time on limited resource systems. Allow
disabling this check for embedded systems where system images are
readonly and have checksumming making the need for the embedded
policy to be fully checked to be redundant.
Note: basic policy checks are still done.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to '')
| -rw-r--r-- | security/apparmor/policy_unpack.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 31d2c2626ea5..55dca9e3af50 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -457,7 +457,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e) ((e->pos - e->start) & 7); size_t pad = ALIGN(sz, 8) - sz; int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | - TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES; + TO_ACCEPT2_FLAG(YYTD_DATA32); + if (aa_g_paranoid_load) + flags |= DFA_FLAG_VERIFY_STATES; dfa = aa_dfa_unpack(blob + pad, size - pad, flags); if (IS_ERR(dfa)) |