diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-01-19 10:53:55 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-01-19 10:53:55 -0800 |
commit | 237c31cb5d83b3f77715f6d6a185f46a5ee4ec88 (patch) | |
tree | 3f804594af7a2f6b9f4eb2f0096381416eb24f1a /security/apparmor/Kconfig | |
parent | 556e2d17cae620d549c5474b1ece053430cd50bc (diff) | |
parent | 8ead196be219adade3bd0d4115cc9b8506643121 (diff) |
Merge tag 'apparmor-pr-2024-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
Pull AppArmor updates from John Johansen:
"This adds a single feature, switch the hash used to check policy from
sha1 to sha256
There are fixes for two memory leaks, and refcount bug and a potential
crash when a profile name is empty. Along with a couple minor code
cleanups.
Summary:
Features
- switch policy hash from sha1 to sha256
Bug Fixes
- Fix refcount leak in task_kill
- Fix leak of pdb objects and trans_table
- avoid crash when parse profie name is empty
Cleanups
- add static to stack_msg and nulldfa
- more kernel-doc cleanups"
* tag 'apparmor-pr-2024-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
apparmor: Fix memory leak in unpack_profile()
apparmor: avoid crash when parsed profile name is empty
apparmor: fix possible memory leak in unpack_trans_table
apparmor: free the allocated pdb objects
apparmor: Fix ref count leak in task_kill
apparmor: cleanup network hook comments
apparmor: add missing params to aa_may_ptrace kernel-doc comments
apparmor: declare nulldfa as static
apparmor: declare stack_msg as static
apparmor: switch SECURITY_APPARMOR_HASH from sha1 to sha256
Diffstat (limited to 'security/apparmor/Kconfig')
-rw-r--r-- | security/apparmor/Kconfig | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index e0d1dd0a192a..64cc3044a42c 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig @@ -57,10 +57,10 @@ config SECURITY_APPARMOR_INTROSPECT_POLICY cpu is paramount. config SECURITY_APPARMOR_HASH - bool "Enable introspection of sha1 hashes for loaded profiles" + bool "Enable introspection of sha256 hashes for loaded profiles" depends on SECURITY_APPARMOR_INTROSPECT_POLICY select CRYPTO - select CRYPTO_SHA1 + select CRYPTO_SHA256 default y help This option selects whether introspection of loaded policy @@ -74,10 +74,10 @@ config SECURITY_APPARMOR_HASH_DEFAULT depends on SECURITY_APPARMOR_HASH default y help - This option selects whether sha1 hashing of loaded policy - is enabled by default. The generation of sha1 hashes for - loaded policy provide system administrators a quick way - to verify that policy in the kernel matches what is expected, + This option selects whether sha256 hashing of loaded policy + is enabled by default. The generation of sha256 hashes for + loaded policy provide system administrators a quick way to + verify that policy in the kernel matches what is expected, however it can slow down policy load on some devices. In these cases policy hashing can be disabled by default and enabled only if needed. |