Changes in Kconfig

e44a4dc4 - apparmor: switch SECURITY_APPARMOR_HASH from sha1 to sha256

Sun, 22 Oct 2023 19:40:26 +0000

apparmor: switch SECURITY_APPARMOR_HASH from sha1 to sha256sha1 is insecure and has colisions, thus it is not useful for evenlightweight policy hash checks. Switch to sha256, which on modernhardware is fast enough.Separately as per NIST Policy on Hash Functions, sha1 usage must bewithdrawn by 2030. This config option currently is one of many thatholds up sha1 usage.Signed-off-by: Dimitri John Ledkov Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Kconfig

b11e51dd - apparmor: test: make static symbols visible during kunit testing

Wed, 07 Dec 2022 01:40:24 +0000

apparmor: test: make static symbols visible during kunit testingUse macros, VISIBLE_IF_KUNIT and EXPORT_SYMBOL_IF_KUNIT, to allowstatic symbols to be conditionally set to be visible duringapparmor_policy_unpack_test, which removes the need to include the testingfile in the implementation file.Change the namespace of the symbols that are now conditionally visible (byadding the prefix aa_) to avoid confusion with symbols of the same name.Allow the test to be built as a module and namespace the module name frompolicy_unpack_test to apparmor_policy_unpack_test to improve clarity ofthe module name.Provide an example of how static symbols can be dealt with in testing.Signed-off-by: Rae Moar Reviewed-by: David Gow Acked-by: John Johansen Signed-off-by: Shuah Khan List of files: /linux-6.15/security/apparmor/Kconfig

f4d6b94b - apparmor: use zstd compression for profile data

Mon, 11 Jul 2022 16:36:08 +0000

apparmor: use zstd compression for profile dataChange the algorithm used by apparmor to compress profile data fromzlib to zstd, using the new zstd API introduced in 5.16.Zstd provides a larger range of compression levels than zlib andsignificantly better performance at the default level (for a relativelysmall increase in compressed size).The apparmor module parameter raw_data_compression_level is now clampedto the minimum and maximum compression levels reported by the zstdlibrary. A compression level of 0 retains the previous behavior ofdisabling policy compression instead of using zstd's behavior, which isto use the default compression level.Signed-off-by: Jon Tourville Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Kconfig

5bfcbd22 - apparmor: Enable tuning of policy paranoid load for embedded systems

Wed, 03 Feb 2021 09:35:12 +0000

apparmor: Enable tuning of policy paranoid load for embedded systemsAppArmor by default does an extensive check on loaded policy thatcan take quite some time on limited resource systems. Allowdisabling this check for embedded systems where system images arereadonly and have checksumming making the need for the embeddedpolicy to be fully checked to be redundant.Note: basic policy checks are still done.Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Kconfig

d61c57fd - apparmor: make export of raw binary profile to userspace optional

Mon, 01 Feb 2021 11:43:18 +0000

apparmor: make export of raw binary profile to userspace optionalEmbedded systems have limited space and don't need the introspectionor checkpoint restore capability provided by exporting the rawprofile binary data so make it so make it a config option.This will reduce run time memory use and also speed up policy loads.Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Kconfig

65cc9c39 - apparmor: Update help description of policy hash for introspection

Mon, 01 Feb 2021 10:20:35 +0000

apparmor: Update help description of policy hash for introspectionUpdate help to note this option is not needed for small embedded systemswhere regular policy introspection is not used.Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Kconfig

c9fecf50 - Replace HTTP links with HTTPS ones: security

Sun, 05 Jul 2020 21:45:12 +0000

Replace HTTP links with HTTPS ones: securityRationale:Reduces attack surface on kernel devs opening the links for MITMas HTTPS traffic is much harder to manipulate.Deterministic algorithm:For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS.Signed-off-by: Alexander A. Klimov Acked-by: John Johansen Signed-off-by: James Morris List of files: /linux-6.15/security/apparmor/Kconfig

6d6861d4 - security: apparmor: default KUNIT_* fragments to KUNIT_ALL_TESTS

Mon, 11 May 2020 13:14:42 +0000

security: apparmor: default KUNIT_* fragments to KUNIT_ALL_TESTSThis makes it easier to enable all KUnit fragments.Adding 'if !KUNIT_ALL_TESTS' so individual tests can not be turned off.Therefore if KUNIT_ALL_TESTS is enabled that will hide the prompt inmenuconfig.Reviewed-by: David Gow Signed-off-by: Anders Roxell Acked-by: John Johansen Signed-off-by: Shuah Khan List of files: /linux-6.15/security/apparmor/Kconfig

35c57fc3 - kunit: building kunit as a module breaks allmodconfig

Fri, 10 Jan 2020 11:49:25 +0000

kunit: building kunit as a module breaks allmodconfigkunit tests that do not support module build should dependon KUNIT=y rather than just KUNIT in Kconfig, otherwisethey will trigger compilation errors for "make allmodconfig"builds.Fixes: 9fe124bf1b77 ("kunit: allow kunit to be loaded as a module")Reported-by: Stephen Rothwell Signed-off-by: Alan Maguire Signed-off-by: Shuah Khan List of files: /linux-6.15/security/apparmor/Kconfig

4d944bcd - apparmor: add AppArmor KUnit tests for policy unpack

Wed, 06 Nov 2019 00:43:29 +0000

apparmor: add AppArmor KUnit tests for policy unpackAdd KUnit tests to test AppArmor unpacking of userspace policies.AppArmor uses a serialized binary format for loading policies. To findpolicy format documentation seeDocumentation/admin-guide/LSM/apparmor.rst.In order to write the tests against the policy unpacking code, somestatic functions needed to be exposed for testing purposes. One of thegoals of this patch is to establish a pattern for which testing thesekinds of functions should be done in the future.Signed-off-by: Brendan Higgins Signed-off-by: Mike Salvatore Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Shuah Khan List of files: /linux-6.15/security/apparmor/Kconfig

ec8f24b7 - treewide: Add SPDX license identifier - Makefile/Kconfig

Sun, 19 May 2019 12:07:45 +0000

treewide: Add SPDX license identifier - Makefile/KconfigAdd SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any formThese files fall under the project license, GPL v2 only. The resulting SPDXlicense identifier is: GPL-2.0-onlySigned-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman List of files: /linux-6.15/security/apparmor/Kconfig

fe166a9f - apparmor: fix missing ZLIB defines

Tue, 12 Feb 2019 05:56:46 +0000

apparmor: fix missing ZLIB definesOn configs where ZLIB is not already selected we are gettingundefined reference to `zlib_deflateInit2'undefined reference to `zlib_deflate'undefined reference to `zlib_deflateEnd'For now just select the necessary ZLIB configs.Fixes: 876dd866c084 ("apparmor: Initial implementation of raw policy blob compression")Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Kconfig

0102fb83 - apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE

Tue, 02 Oct 2018 00:08:57 +0000

apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUEIn preparation for removing CONFIG_DEFAULT_SECURITY, this removes thesoon-to-be redundant SECURITY_APPARMOR_BOOTPARAM_VALUE. Since explicitordering via CONFIG_LSM or "lsm=" will define whether an LSM is enabled ornot, this CONFIG will become effectively ignored, so remove it. However,in order to stay backward-compatible with "security=apparmor", the enablevariable defaults to true.Signed-off-by: Kees Cook List of files: /linux-6.15/security/apparmor/Kconfig

680cd62e - apparmor: add debug assert AA_BUG and Kconfig to control debug info

Mon, 16 Jan 2017 08:42:27 +0000

apparmor: add debug assert AA_BUG and Kconfig to control debug infoSigned-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Kconfig

6059f71f - apparmor: add parameter to control whether policy hashing is used

Fri, 24 Oct 2014 16:16:14 +0000

apparmor: add parameter to control whether policy hashing is usedSigned-off-by: John Johansen Acked-by: Tyler Hicks Acked-by: Seth Arnold List of files: /linux-6.15/security/apparmor/Kconfig

083c1290 - apparmor: clarify CRYPTO dependency

Wed, 21 Oct 2015 19:16:29 +0000

apparmor: clarify CRYPTO dependencyThe crypto framework can be built as a loadable module, but theapparmor hash code can only be built-in, which then causes alink error:security/built-in.o: In function `aa_calc_profile_hash':integrity_audit.c:(.text+0x21610): undefined reference to `crypto_shash_update'security/built-in.o: In function `init_profile_hash':integrity_audit.c:(.init.text+0xb4c): undefined reference to `crypto_alloc_shash'This changes Apparmor to use 'select CRYPTO' like a lot of othersubsystems do.Signed-off-by: Arnd Bergmann Acked-by: John Johansen Signed-off-by: James Morris List of files: /linux-6.15/security/apparmor/Kconfig

f8eb8a13 - apparmor: add the ability to report a sha1 hash of loaded policy

Wed, 14 Aug 2013 18:27:36 +0000

apparmor: add the ability to report a sha1 hash of loaded policyProvide userspace the ability to introspect a sha1 hash value for eachprofile currently loaded.Signed-off-by: John Johansen Acked-by: Seth Arnold List of files: /linux-6.15/security/apparmor/Kconfig

06c22dad - apparmor: depends on NET

Mon, 02 Aug 2010 17:52:18 +0000

apparmor: depends on NETSECURITY_APPARMOR should depend on NET since AUDIT needs(depends on) NET.Fixes 70-80 errors that occur when CONFIG_NET is not enabled,but APPARMOR selects AUDIT without qualification. E.g.:audit.c:(.text+0x33361): undefined reference to `netlink_unicast'(.text+0x333df): undefined reference to `netlink_unicast'audit.c:(.text+0x3341d): undefined reference to `skb_queue_tail'audit.c:(.text+0x33424): undefined reference to `kfree_skb'audit.c:(.text+0x334cb): undefined reference to `kfree_skb'audit.c:(.text+0x33597): undefined reference to `skb_put'audit.c:(.text+0x3369b): undefined reference to `__alloc_skb'audit.c:(.text+0x336d7): undefined reference to `kfree_skb'(.text+0x3374c): undefined reference to `__alloc_skb'auditfilter.c:(.text+0x35305): undefined reference to `skb_queue_tail'lsm_audit.c:(.text+0x2873): undefined reference to `init_net'lsm_audit.c:(.text+0x2878): undefined reference to `dev_get_by_index'Signed-off-by: Randy Dunlap Signed-off-by: John Johansen Signed-off-by: James Morris List of files: /linux-6.15/security/apparmor/Kconfig

016d825f - AppArmor: Enable configuring and building of the AppArmor security module

Fri, 30 Jul 2010 03:46:33 +0000

AppArmor: Enable configuring and building of the AppArmor security moduleKconfig and Makefiles to enable configuration and building of AppArmor.Signed-off-by: John Johansen Signed-off-by: James Morris List of files: /linux-6.15/security/apparmor/Kconfig