Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: add debug assert AA_BUG and Kconfig to control debug info

Signed-off-by: John Johansen <john.johansen@canonical.com>

+43 -4
+29 -2
security/apparmor/Kconfig
··· 36 36 select CRYPTO 37 37 select CRYPTO_SHA1 38 38 default y 39 - 40 39 help 41 40 This option selects whether introspection of loaded policy 42 41 is available to userspace via the apparmor filesystem. ··· 44 45 bool "Enable policy hash introspection by default" 45 46 depends on SECURITY_APPARMOR_HASH 46 47 default y 47 - 48 48 help 49 49 This option selects whether sha1 hashing of loaded policy 50 50 is enabled by default. The generation of sha1 hashes for ··· 52 54 however it can slow down policy load on some devices. In 53 55 these cases policy hashing can be disabled by default and 54 56 enabled only if needed. 57 + 58 + config SECURITY_APPARMOR_DEBUG 59 + bool "Build AppArmor with debug code" 60 + depends on SECURITY_APPARMOR 61 + default n 62 + help 63 + Build apparmor with debugging logic in apparmor. Not all 64 + debugging logic will necessarily be enabled. A submenu will 65 + provide fine grained control of the debug options that are 66 + available. 67 + 68 + config SECURITY_APPARMOR_DEBUG_ASSERTS 69 + bool "Build AppArmor with debugging asserts" 70 + depends on SECURITY_APPARMOR_DEBUG 71 + default y 72 + help 73 + Enable code assertions made with AA_BUG. These are primarily 74 + function entry preconditions but also exist at other key 75 + points. If the assert is triggered it will trigger a WARN 76 + message. 77 + 78 + config SECURITY_APPARMOR_DEBUG_MESSAGES 79 + bool "Debug messages enabled by default" 80 + depends on SECURITY_APPARMOR_DEBUG 81 + default n 82 + help 83 + Set the default value of the apparmor.debug kernel parameter. 84 + When enabled, various debug messages will be logged to 85 + the kernel message buffer.
+13 -1
security/apparmor/include/lib.h
··· 35 35 * which is not related to profile accesses. 36 36 */ 37 37 38 + #define DEBUG_ON (aa_g_debug) 39 + #define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args) 38 40 #define AA_DEBUG(fmt, args...) \ 39 41 do { \ 40 - if (aa_g_debug) \ 42 + if (DEBUG_ON) \ 41 43 pr_debug_ratelimited("AppArmor: " fmt, ##args); \ 42 44 } while (0) 45 + 46 + #define AA_WARN(X) WARN((X), "APPARMOR WARN %s: %s\n", __func__, #X) 47 + 48 + #define AA_BUG(X, args...) AA_BUG_FMT((X), "" args) 49 + #ifdef CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS 50 + #define AA_BUG_FMT(X, fmt, args...) \ 51 + WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args) 52 + #else 53 + #define AA_BUG_FMT(X, fmt, args...) 54 + #endif 43 55 44 56 #define AA_ERROR(fmt, args...) \ 45 57 pr_err_ratelimited("AppArmor: " fmt, ##args)
+1 -1
security/apparmor/lsm.c
··· 681 681 #endif 682 682 683 683 /* Debug mode */ 684 - bool aa_g_debug; 684 + bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES); 685 685 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 686 686 687 687 /* Audit mode */
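Review bot: The SECURITY_APPARMOR_DEBUG_ASSERTS help text in security/apparmor/Kconfig says only that a failed assert "will trigger a WARN message"; it should spell out that WARN emits a full backtrace and, on systems running with panic_on_warn set, panics the kernel. The option is "default y" as soon as SECURITY_APPARMOR_DEBUG is selected, so anyone enabling debug only for the messages gets the asserts too, which makes that extra sentence in the help worth having.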
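Review bot: In security/apparmor/include/lib.h, the #else branch defines AA_BUG_FMT(X, fmt, args...) as empty, so with CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS off the compiler never sees the condition or the format arguments, and AA_BUG() cannot be used as an expression there even though the enabled branch expands to WARN(), which yields the condition value. Consider a disabled stub that still type-checks its arguments, for example one built on no_printk(fmt, ##args), so assert expressions cannot bit-rot in non-debug builds. Separately, AA_WARN prefixes "APPARMOR WARN" while AA_BUG_FMT prefixes "AppArmor WARN"; one spelling would let a single log pattern match both.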
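Review bot: In security/apparmor/lsm.c, the new initializer tests CONFIG_SECURITY_DEBUG_MESSAGES, but the Kconfig part of this patch defines SECURITY_APPARMOR_DEBUG_MESSAGES. IS_ENABLED() on an undefined symbol evaluates to 0, so aa_g_debug stays false and the new option has no effect; the line should read IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES).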