apparmor: add debug assert AA_BUG and Kconfig to control debug info
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent
57e36bbd67
commit
680cd62e91
|
@ -36,7 +36,6 @@ config SECURITY_APPARMOR_HASH
|
|||
select CRYPTO
|
||||
select CRYPTO_SHA1
|
||||
default y
|
||||
|
||||
help
|
||||
This option selects whether introspection of loaded policy
|
||||
is available to userspace via the apparmor filesystem.
|
||||
|
@ -45,7 +44,6 @@ config SECURITY_APPARMOR_HASH_DEFAULT
|
|||
bool "Enable policy hash introspection by default"
|
||||
depends on SECURITY_APPARMOR_HASH
|
||||
default y
|
||||
|
||||
help
|
||||
This option selects whether sha1 hashing of loaded policy
|
||||
is enabled by default. The generation of sha1 hashes for
|
||||
|
@ -54,3 +52,32 @@ config SECURITY_APPARMOR_HASH_DEFAULT
|
|||
however it can slow down policy load on some devices. In
|
||||
these cases policy hashing can be disabled by default and
|
||||
enabled only if needed.
|
||||
|
||||
config SECURITY_APPARMOR_DEBUG
|
||||
bool "Build AppArmor with debug code"
|
||||
depends on SECURITY_APPARMOR
|
||||
default n
|
||||
help
|
||||
Build apparmor with debugging logic in apparmor. Not all
|
||||
debugging logic will necessarily be enabled. A submenu will
|
||||
provide fine grained control of the debug options that are
|
||||
available.
|
||||
|
||||
config SECURITY_APPARMOR_DEBUG_ASSERTS
|
||||
bool "Build AppArmor with debugging asserts"
|
||||
depends on SECURITY_APPARMOR_DEBUG
|
||||
default y
|
||||
help
|
||||
Enable code assertions made with AA_BUG. These are primarily
|
||||
function entry preconditions but also exist at other key
|
||||
points. If the assert is triggered it will trigger a WARN
|
||||
message.
|
||||
|
||||
config SECURITY_APPARMOR_DEBUG_MESSAGES
|
||||
bool "Debug messages enabled by default"
|
||||
depends on SECURITY_APPARMOR_DEBUG
|
||||
default n
|
||||
help
|
||||
Set the default value of the apparmor.debug kernel parameter.
|
||||
When enabled, various debug messages will be logged to
|
||||
the kernel message buffer.
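Review bot: The help text for SECURITY_APPARMOR_DEBUG_ASSERTS says a triggered assert produces a WARN message, but it does not say what that means on systems that run with panic_on_warn set, where any WARN halts the machine. Since the option defaults to y once SECURITY_APPARMOR_DEBUG is selected, I would add a sentence such as `On systems booted with panic_on_warn a triggered assert will panic the kernel.` so that whoever enables debug builds on a production image sees the availability cost. Separately, the SECURITY_APPARMOR_DEBUG help promises a submenu, while the three entries are added as plain `config` symbols; either wrap the two sub-options in `if SECURITY_APPARMOR_DEBUG` / `endif` or reword the help.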
|
||||
|
|
|
@ -35,12 +35,24 @@
|
|||
* which is not related to profile accesses.
|
||||
*/
|
||||
|
||||
#define DEBUG_ON (aa_g_debug)
|
||||
#define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args)
|
||||
#define AA_DEBUG(fmt, args...) \
|
||||
do { \
|
||||
if (aa_g_debug) \
|
||||
if (DEBUG_ON) \
|
||||
pr_debug_ratelimited("AppArmor: " fmt, ##args); \
|
||||
} while (0)
|
||||
|
||||
#define AA_WARN(X) WARN((X), "APPARMOR WARN %s: %s\n", __func__, #X)
|
||||
|
||||
#define AA_BUG(X, args...) AA_BUG_FMT((X), "" args)
|
||||
#ifdef CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS
|
||||
#define AA_BUG_FMT(X, fmt, args...) \
|
||||
WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args)
|
||||
#else
|
||||
#define AA_BUG_FMT(X, fmt, args...)
|
||||
#endif
|
||||
|
||||
#define AA_ERROR(fmt, args...) \
|
||||
pr_err_ratelimited("AppArmor: " fmt, ##args)
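Review bot: In the enabled branch of AA_BUG_FMT the stringified condition is concatenated into the format string (`"(" #X "): " fmt`), so any `%` in an asserted expression (a modulo test, for instance) would be parsed as a conversion specifier and misalign the arguments. AA_WARN a few lines above already passes `#X` as a `%s` argument, and the same form works here: `WARN((X), "AppArmor WARN %s: (%s): " fmt, __func__, #X, ##args)`. The disabled branch expands to nothing, so with the option off neither the condition nor the format arguments are compiled or type-checked and asserts can rot unnoticed; `#define AA_BUG_FMT(X, fmt, args...) no_printk(fmt, ##args)` would at least keep the format checking. A short comment above AA_BUG stating that the condition must be free of side effects would also help, since it is not evaluated in non-debug builds.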
|
||||
|
||||
|
|
|
@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
|
|||
#endif
|
||||
|
||||
/* Debug mode */
|
||||
bool aa_g_debug;
|
||||
bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);
|
||||
module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
|
||||
|
||||
/* Audit mode */
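Review bot: The new initialiser tests `CONFIG_SECURITY_DEBUG_MESSAGES`, but the Kconfig symbol added by this same commit is `SECURITY_APPARMOR_DEBUG_MESSAGES`, so the macro being tested is never defined. IS_ENABLED() on an undefined symbol evaluates to 0, which means aa_g_debug still defaults to false and the new Kconfig option has no effect. The line should read `bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);`.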
|
||||
|
|