apparmor: add debug assert AA_BUG and Kconfig to control debug info

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index be5e9414a29574c80aca1cd9cab242a99ce77508..b6b68a7750ce36597ecba044f82385c8e6efc71f 100644 (file)
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -36,7 +36,6 @@ config SECURITY_APPARMOR_HASH
        select CRYPTO
        select CRYPTO_SHA1
        default y
-
        help
          This option selects whether introspection of loaded policy
          is available to userspace via the apparmor filesystem.
@@ -45,7 +44,6 @@ config SECURITY_APPARMOR_HASH_DEFAULT
        bool "Enable policy hash introspection by default"
        depends on SECURITY_APPARMOR_HASH
        default y
-
        help
          This option selects whether sha1 hashing of loaded policy
         is enabled by default. The generation of sha1 hashes for
@@ -54,3 +52,32 @@ config SECURITY_APPARMOR_HASH_DEFAULT
         however it can slow down policy load on some devices. In
         these cases policy hashing can be disabled by default and
         enabled only if needed.
+
+config SECURITY_APPARMOR_DEBUG
+       bool "Build AppArmor with debug code"
+       depends on SECURITY_APPARMOR
+       default n
+       help
+         Build apparmor with debugging logic in apparmor. Not all
+         debugging logic will necessarily be enabled. A submenu will
+         provide fine grained control of the debug options that are
+         available.
+
+config SECURITY_APPARMOR_DEBUG_ASSERTS
+       bool "Build AppArmor with debugging asserts"
+       depends on SECURITY_APPARMOR_DEBUG
+       default y
+       help
+         Enable code assertions made with AA_BUG. These are primarily
+         function entry preconditions but also exist at other key
+         points. If the assert is triggered it will trigger a WARN
+         message.
+
+config SECURITY_APPARMOR_DEBUG_MESSAGES
+       bool "Debug messages enabled by default"
+       depends on SECURITY_APPARMOR_DEBUG
+       default n
+       help
+         Set the default value of the apparmor.debug kernel parameter.
+         When enabled, various debug messages will be logged to
+         the kernel message buffer.

diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 61dedd7333df2c491b46b74b63bb3b0d17ea088b..d507c73ac9b8145bd9d18589e59cc528123bc43d 100644 (file)
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -35,12 +35,24 @@
  * which is not related to profile accesses.
  */
 
+#define DEBUG_ON (aa_g_debug)
+#define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args)
 #define AA_DEBUG(fmt, args...)                                         \
        do {                                                            \
-               if (aa_g_debug)                                         \
+               if (DEBUG_ON)                                           \
                        pr_debug_ratelimited("AppArmor: " fmt, ##args); \
        } while (0)
 
+#define AA_WARN(X) WARN((X), "APPARMOR WARN %s: %s\n", __func__, #X)
+
+#define AA_BUG(X, args...) AA_BUG_FMT((X), "" args)
+#ifdef CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS
+#define AA_BUG_FMT(X, fmt, args...)                                    \
+       WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args)
+#else
+#define AA_BUG_FMT(X, fmt, args...)
+#endif
+
 #define AA_ERROR(fmt, args...)                                         \
        pr_err_ratelimited("AppArmor: " fmt, ##args)
 

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 1dae66ba757b5a187276398dc2f8b5c464cd3293..99a6e5ec4ffe7d1dfdf1ef38a68f6466a2e5fedb 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
 #endif
 
 /* Debug mode */
-bool aa_g_debug;
+bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);
 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
 
 /* Audit mode */