--- security/apparmor/Kconfig | 17 +++++++++++++++++ security/apparmor/lsm.c | 16 ++++++++++++++++ 2 files changed, 33 insertions(+) --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig @@ -7,4 +7,21 @@ config SECURITY_APPARMOR Required userspace tools (if they are not included in your distribution) and further information may be found at + If you are unsure how to answer this question, answer N. + +config SECURITY_APPARMOR_BOOTPARAM_VALUE + int "AppArmor boot parameter default value" + depends on SECURITY_APPARMOR + range 0 1 + default 1 + help + This option sets the default value for the kernel parameter + 'apparmor', which allows AppArmor to be enabled or disabled + at boot. If this option is set to 0 (zero), the AppArmor + kernel parameter will default to 0, disabling AppArmor at + bootup. If this option is set to 1 (one), the AppArmor + kernel parameter will default to 1, enabling AppArmor at + bootup. + + If you are unsure how to answer this question, answer 1. --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -23,6 +23,17 @@ #include "apparmor.h" #include "inline.h" +/* Boot time disable flag */ +int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; + +static int __init apparmor_enabled_setup(char *str) +{ + apparmor_enabled = simple_strtol(str, NULL, 0); + return 1; +} +__setup("apparmor=", apparmor_enabled_setup); + + static int param_set_aabool(const char *val, struct kernel_param *kp); static int param_get_aabool(char *buffer, struct kernel_param *kp); #define param_check_aabool(name, p) __param_check(name, p, int) @@ -883,6 +894,11 @@ static int __init apparmor_init(void) { int error; + if (!apparmor_enabled) { + info_message("AppArmor disabled by boottime parameter\n"); + return 0; + } + if ((error = create_apparmorfs())) { AA_ERROR("Unable to activate AppArmor filesystem\n"); goto createfs_out;