Message-ID: <20100222221657.GB22194@us.ibm.com>
Date:	Mon, 22 Feb 2010 16:16:57 -0600
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	john.johansen@...onical.com
Cc:	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH 12/12] Kconfig and Makefiles to enable configuration
 and building of AppArmor.

Quoting john.johansen@...onical.com (john.johansen@...onical.com):
> From: John Johansen <john.johansen@...onical.com>
> 
> Signed-off-by: John Johansen <john.johansen@...onical.com>
> ---
>  security/Kconfig             |    6 ++++
>  security/Makefile            |    2 +
>  security/apparmor/.gitignore |    5 +++
>  security/apparmor/Kconfig    |   62 ++++++++++++++++++++++++++++++++++++++++++
>  security/apparmor/Makefile   |   25 +++++++++++++++++
>  5 files changed, 100 insertions(+), 0 deletions(-)
>  create mode 100644 security/apparmor/.gitignore
>  create mode 100644 security/apparmor/Kconfig
>  create mode 100644 security/apparmor/Makefile
> 
> diff --git a/security/Kconfig b/security/Kconfig
> index 226b955..bd72ae6 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -140,6 +140,7 @@ config LSM_MMAP_MIN_ADDR
>  source security/selinux/Kconfig
>  source security/smack/Kconfig
>  source security/tomoyo/Kconfig
> +source security/apparmor/Kconfig
> 
>  source security/integrity/ima/Kconfig
> 
> @@ -148,6 +149,7 @@ choice
>  	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
>  	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
>  	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> +	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
>  	default DEFAULT_SECURITY_DAC
> 
>  	help
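
Review bot: the new `default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR` line sits after the SELinux, Smack and TOMOYO defaults, and Kconfig takes the first default whose condition holds, so AppArmor becomes the default LSM only when none of those three is enabled. If that precedence is intended, state it in the changelog, which currently has no body beyond the Signed-off-by.
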
> @@ -163,6 +165,9 @@ choice
>  	config DEFAULT_SECURITY_TOMOYO
>  		bool "TOMOYO" if SECURITY_TOMOYO=y
> 
> +	config DEFAULT_SECURITY_APPARMOR
> +		bool "AppArmor" if SECURITY_APPARMOR=y
> +
>  	config DEFAULT_SECURITY_DAC
>  		bool "Unix Discretionary Access Controls"
> 
> @@ -173,6 +178,7 @@ config DEFAULT_SECURITY
>  	default "selinux" if DEFAULT_SECURITY_SELINUX
>  	default "smack" if DEFAULT_SECURITY_SMACK
>  	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> +	default "apparmor" if DEFAULT_SECURITY_APPARMOR
>  	default "" if DEFAULT_SECURITY_DAC
> 
>  endmenu
> diff --git a/security/Makefile b/security/Makefile
> index da20a19..8bb0fe9 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -6,6 +6,7 @@ obj-$(CONFIG_KEYS)			+= keys/
>  subdir-$(CONFIG_SECURITY_SELINUX)	+= selinux
>  subdir-$(CONFIG_SECURITY_SMACK)		+= smack
>  subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
> +subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor
> 
>  # always enable default capabilities
>  obj-y					+= commoncap.o
> @@ -19,6 +20,7 @@ obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/built-in.o
>  obj-$(CONFIG_SECURITY_SMACK)		+= smack/built-in.o
>  obj-$(CONFIG_AUDIT)			+= lsm_audit.o
>  obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/built-in.o
> +obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/built-in.o
>  obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
> 
>  # Object integrity file lists
> diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
> new file mode 100644
> index 0000000..0a0a99f
> --- /dev/null
> +++ b/security/apparmor/.gitignore
> @@ -0,0 +1,5 @@
> +#
> +# Generated include files
> +#
> +af_names.h
> +capability_names.h
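
Review bot: af_names.h and capability_names.h are ignored here as generated headers, but the security/apparmor/Makefile that would produce them is not in the quoted part of the patch. Check that it also lists both files in clean-files, so that make clean removes them and a stale copy is not picked up by a later build.
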
> diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
> new file mode 100644
> index 0000000..01c8754
> --- /dev/null
> +++ b/security/apparmor/Kconfig
> @@ -0,0 +1,62 @@
> +config SECURITY_APPARMOR
> +	bool "AppArmor support"
> +	depends on SECURITY && SECURITY_NETWORK && NET && INET
> +	select AUDIT
> +	select SECURITY_PATH
> +	select SECURITYFS
> +	default n
> +	help
> +	  This enables the AppArmor security module.
> +	  Required userspace tools (if they are not included in your
> +	  distribution) and further information may be found at
> +	  <http://forge.novell.com/modules/xfmod/project/?apparmor>
> +
> +	  If you are unsure how to answer this question, answer N.
> +
> +config SECURITY_APPARMOR_NETWORK
> +       bool "AppArmor network support"
> +       depends on SECURITY_APPARMOR
> +       default n
> +       help
> +	 This enables AppArmor to mediate applications network use.
> +	 This will enable the SECURITY_NETWORK hooks.
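
Review bot: the help text of SECURITY_APPARMOR_NETWORK says "This will enable the SECURITY_NETWORK hooks", but the option has no `select SECURITY_NETWORK`, and SECURITY_APPARMOR already has `depends on SECURITY && SECURITY_NETWORK && NET && INET`, so those hooks are on before this option can even be shown. Either move the SECURITY_NETWORK, NET and INET requirements from the base option to the network option, so that AppArmor can be built without network mediation, or drop that sentence from the help. Style points in the same entry: its attribute lines are indented with spaces where SECURITY_APPARMOR uses a tab, the help body is indented differently from the first entry, "applications network use" needs an apostrophe, and `default n` is redundant in both entries.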

Is there a compelling reason to have SECURITY_APPARMOR_NETWORK?   Does
it impact performance?  Is there older userspace that will just break?

-serge