From 5bfcbd22ee4e6ad5ae698518fadd0f03ea109537 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Wed, 3 Feb 2021 01:35:12 -0800
Subject: apparmor: Enable tuning of policy paranoid load for embedded systems

AppArmor by default does an extensive check on loaded policy that
can take quite some time on limited resource systems. Allow
disabling this check for embedded systems where system images are
readonly and have checksumming making the need for the embedded
policy to be fully checked to be redundant.

Note: basic policy checks are still done.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/lsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'security/apparmor/lsm.c')

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 84a4e63d922d..301c2bba4867 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1405,7 +1405,7 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
  * DEPRECATED: read only as strict checking of load is always done now
  * that none root users (user namespaces) can load policy.
  */
-bool aa_g_paranoid_load = true;
+bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_PARANOID_LOAD);
 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
 
 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
-- 
cgit v1.2.3-59-g8ed1b