apparmor: make export of raw binary profile to userspace optional

Embedded systems have limited space and don't need the introspection or checkpoint restore capability provided by exporting the raw profile binary data so make it so make it a config option. This will reduce run time memory use and also speed up policy loads. Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2021-02-01 03:43:18 -0800
committer: John Johansen <john.johansen@canonical.com> 2022-07-09 15:13:59 -0700
commit: d61c57fde81915c04b41982f66a159ccc014e799 (patch)
tree: b16d5eda5b6e54da16541ec8f7d911411f409ef5 /security/apparmor/lsm.c
parent: 65cc9c391c3c4096ccc47ecd8b9f58f470b57225 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 2654bcb5f462..84a4e63d922d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1357,6 +1357,12 @@ bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
 #endif
 
+/* whether policy exactly as loaded is retained for debug and checkpointing */
+bool aa_g_export_binary = IS_ENABLED(CONFIG_SECURITY_APPARMOR_EXPORT_BINARY);
+#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
+module_param_named(export_binary, aa_g_export_binary, aabool, 0600);
+#endif
+
 /* policy loaddata compression level */
 int aa_g_rawdata_compression_level = Z_DEFAULT_COMPRESSION;
 module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level,
author	John Johansen <john.johansen@canonical.com>	2021-02-01 03:43:18 -0800
committer	John Johansen <john.johansen@canonical.com>	2022-07-09 15:13:59 -0700
commit	d61c57fde81915c04b41982f66a159ccc014e799 (patch)
tree	b16d5eda5b6e54da16541ec8f7d911411f409ef5 /security/apparmor/lsm.c
parent	65cc9c391c3c4096ccc47ecd8b9f58f470b57225 (diff)