From: John Johansen <john.johansen@canonical.com>
Date: Fri, 5 Feb 2021 12:56:02 +0000 (-0800)
Subject: apparmor: don't create raw_sha1 symlink if sha1 hashing is disabled
X-Git-Tag: v6.1-rc5~634^2~27
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=482e8050aab4ad10bcd64241f1a9b540463b3274;p=platform%2Fkernel%2Flinux-starfive.git

apparmor: don't create raw_sha1 symlink if sha1 hashing is disabled

Currently if sha1 hashing of policy is disabled a sha1 hash symlink
to the non-existent file is created. There is now reason to create
the symlink in this case so don't do it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 3770dde..15efe40 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -1736,14 +1736,15 @@ int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
 
 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
 	if (profile->rawdata) {
-		dent = aafs_create("raw_sha1", S_IFLNK | 0444, dir,
-				   profile->label.proxy, NULL, NULL,
-				   &rawdata_link_sha1_iops);
-		if (IS_ERR(dent))
-			goto fail;
-		aa_get_proxy(profile->label.proxy);
-		profile->dents[AAFS_PROF_RAW_HASH] = dent;
-
+		if (aa_g_hash_policy) {
+			dent = aafs_create("raw_sha1", S_IFLNK | 0444, dir,
+					   profile->label.proxy, NULL, NULL,
+					   &rawdata_link_sha1_iops);
+			if (IS_ERR(dent))
+				goto fail;
+			aa_get_proxy(profile->label.proxy);
+			profile->dents[AAFS_PROF_RAW_HASH] = dent;
+		}
 		dent = aafs_create("raw_abi", S_IFLNK | 0444, dir,
 				   profile->label.proxy, NULL, NULL,
 				   &rawdata_link_abi_iops);