Re: [PATCH 12/12] Kconfig and Makefiles to enable configurationand building of AppArmor.
From: Serge E. Hallyn
Date: Mon Feb 22 2010 - 17:17:05 EST
Quoting john.johansen@xxxxxxxxxxxxx (john.johansen@xxxxxxxxxxxxx):
> From: John Johansen <john.johansen@xxxxxxxxxxxxx>
>
> Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
> ---
> security/Kconfig | 6 ++++
> security/Makefile | 2 +
> security/apparmor/.gitignore | 5 +++
> security/apparmor/Kconfig | 62 ++++++++++++++++++++++++++++++++++++++++++
> security/apparmor/Makefile | 25 +++++++++++++++++
> 5 files changed, 100 insertions(+), 0 deletions(-)
> create mode 100644 security/apparmor/.gitignore
> create mode 100644 security/apparmor/Kconfig
> create mode 100644 security/apparmor/Makefile
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 226b955..bd72ae6 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -140,6 +140,7 @@ config LSM_MMAP_MIN_ADDR
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
> +source security/apparmor/Kconfig
>
> source security/integrity/ima/Kconfig
>
> @@ -148,6 +149,7 @@ choice
> default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
> default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
> default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
> + default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
> default DEFAULT_SECURITY_DAC
>
> help
> @@ -163,6 +165,9 @@ choice
> config DEFAULT_SECURITY_TOMOYO
> bool "TOMOYO" if SECURITY_TOMOYO=y
>
> + config DEFAULT_SECURITY_APPARMOR
> + bool "AppArmor" if SECURITY_APPARMOR=y
> +
> config DEFAULT_SECURITY_DAC
> bool "Unix Discretionary Access Controls"
>
> @@ -173,6 +178,7 @@ config DEFAULT_SECURITY
> default "selinux" if DEFAULT_SECURITY_SELINUX
> default "smack" if DEFAULT_SECURITY_SMACK
> default "tomoyo" if DEFAULT_SECURITY_TOMOYO
> + default "apparmor" if DEFAULT_SECURITY_APPARMOR
> default "" if DEFAULT_SECURITY_DAC
>
> endmenu
> diff --git a/security/Makefile b/security/Makefile
> index da20a19..8bb0fe9 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -6,6 +6,7 @@ obj-$(CONFIG_KEYS) += keys/
> subdir-$(CONFIG_SECURITY_SELINUX) += selinux
> subdir-$(CONFIG_SECURITY_SMACK) += smack
> subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
> +subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
>
> # always enable default capabilities
> obj-y += commoncap.o
> @@ -19,6 +20,7 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
> obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
> obj-$(CONFIG_AUDIT) += lsm_audit.o
> obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
> +obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o
> obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
>
> # Object integrity file lists
> diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
> new file mode 100644
> index 0000000..0a0a99f
> --- /dev/null
> +++ b/security/apparmor/.gitignore
> @@ -0,0 +1,5 @@
> +#
> +# Generated include files
> +#
> +af_names.h
> +capability_names.h
> diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
> new file mode 100644
> index 0000000..01c8754
> --- /dev/null
> +++ b/security/apparmor/Kconfig
> @@ -0,0 +1,62 @@
> +config SECURITY_APPARMOR
> + bool "AppArmor support"
> + depends on SECURITY && SECURITY_NETWORK && NET && INET
> + select AUDIT
> + select SECURITY_PATH
> + select SECURITYFS
> + default n
> + help
> + This enables the AppArmor security module.
> + Required userspace tools (if they are not included in your
> + distribution) and further information may be found at
> + <http://forge.novell.com/modules/xfmod/project/?apparmor>
> +
> + If you are unsure how to answer this question, answer N.
> +
> +config SECURITY_APPARMOR_NETWORK
> + bool "AppArmor network support"
> + depends on SECURITY_APPARMOR
> + default n
> + help
> + This enables AppArmor to mediate applications network use.
> + This will enable the SECURITY_NETWORK hooks.
Is there a compelling reason to have SECURITY_APPARMOR_NETWORK? Does
it impact performance? Is there older userspace that will just break?
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/