apparmor: Enable tuning of policy paranoid load for embedded systems

AppArmor by default does an extensive check on loaded policy that
can take quite some time on limited resource systems. Allow
disabling this check for embedded systems where system images are
readonly and have checksumming making the need for the embedded
policy to be fully checked to be redundant.

Note: basic policy checks are still done.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index 4c34a28a2ddf0aa6f369e9d68eabfb9772bf2e9d..cb3496e00d8a6ab9d425d233c2a9bb3bfad631b1 100644 (file)
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -94,6 +94,17 @@ config SECURITY_APPARMOR_EXPORT_BINARY
          also increases policy load time. This option is required for
          checkpoint and restore support, and debugging of loaded policy.
 
+config SECURITY_APPARMOR_PARANOID_LOAD
+       bool "Perform full verification of loaded policy"
+       depends on SECURITY_APPARMOR
+       default y
+       help
+         This options allows controlling whether apparmor does a full
+         verification of loaded policy. This should not be disabled
+         except for embedded systems where the image is read only,
+         includes policy, and has some form of integrity check.
+         Disabling the check will speed up policy loads.
+
 config SECURITY_APPARMOR_KUNIT_TEST
        bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
        depends on KUNIT=y && SECURITY_APPARMOR

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 84a4e63d922da706de2c2fe62b3e31cec7705273..301c2bba4867d82384333cf49a79072f136a401a 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1405,7 +1405,7 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
  * DEPRECATED: read only as strict checking of load is always done now
  * that none root users (user namespaces) can load policy.
  */
-bool aa_g_paranoid_load = true;
+bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_PARANOID_LOAD);
 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
 
 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 31d2c2626ea56b0326ef89eae92f01f75fa1ab8c..55dca9e3af507dec8174fe39ecca7cc5d37b9548 100644 (file)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -457,7 +457,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e)
                        ((e->pos - e->start) & 7);
                size_t pad = ALIGN(sz, 8) - sz;
                int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
-                       TO_ACCEPT2_FLAG(YYTD_DATA32) | DFA_FLAG_VERIFY_STATES;
+                       TO_ACCEPT2_FLAG(YYTD_DATA32);
+               if (aa_g_paranoid_load)
+                       flags |= DFA_FLAG_VERIFY_STATES;
                dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
 
                if (IS_ERR(dfa))