The variable aa_unprivileged_uring_restricted is still exposed to userspace even when CONFIG_IO_URING is disabled, in which case the variable does nothing. This patch hides both the apparmorfs entry and the sysctl when CONFIG_IO_URING is disabled.
Signed-off-by: Ryan Lee <ryan....@canonical.com>
---
security/apparmor/apparmorfs.c | 2 ++
security/apparmor/lsm.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index be6c3293c9e0..d1ea78c9122f 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2587,8 +2587,10 @@ static struct aa_sfs_entry aa_sfs_entry_domain[] = {
 static struct aa_sfs_entry aa_sfs_entry_unconfined[] = {
 AA_SFS_FILE_BOOLEAN("change_profile", 1),
 AA_SFS_FILE_INTPTR("userns", aa_unprivileged_userns_restricted),
+#ifdef CONFIG_IO_URING
 AA_SFS_FILE_INTPTR("io_uring", aa_unprivileged_uring_restricted),
+#endif
 { }
 };
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 9b086451f6e3..245207b005e7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2462,6 +2462,7 @@ static struct ctl_table apparmor_sysctl_table[] = {
 .mode = 0644,
 .proc_handler = userns_restrict_dointvec,
 },
+#ifdef CONFIG_IO_URING
 {
 .procname = "apparmor_restrict_unprivileged_io_uring",
 .data = &aa_unprivileged_uring_restricted,
@@ -2469,6 +2470,7 @@ static struct ctl_table apparmor_sysctl_table[] = {
 .mode = 0600,
 .proc_handler = apparmor_dointvec,
 },
+#endif
 { }
 };
--
2.43.0
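Review bot: Both hunks hide the userspace handles on aa_unprivileged_uring_restricted under `#ifdef CONFIG_IO_URING`, but the definition of the variable itself is not touched, so on a !CONFIG_IO_URING build it presumably remains as unreachable, dead state; if that is intended (for example to keep an extern declaration simple), a one-line comment at the definition such as `/* only reachable via apparmorfs/sysctl when CONFIG_IO_URING is set */` would record it, otherwise the definition and its declaration should get the same guard. The lsm.c change splits the `#ifdef`/`#endif` pair across two hunks around the `apparmor_restrict_unprivileged_io_uring` entry, which is correct as shown but easy to mis-merge; the enclosing apparmor_sysctl_table[] starts outside the first lsm.c hunk. Dropping the "io_uring" feature file is a userspace-visible change, so the commit message could note that feature-probing tools are expected to treat its absence as "not supported" rather than as an error.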