apparmor: Improve debug print infrastructure

Make it so apparmor debug output can be controlled by class flags as well as the debug flag on labels. This provides much finer control at what is being output so apparmor doesn't flood the logs with information that is not needed, making it hard to find what is important. Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2022-09-23 16:36:10 -0700
committer: John Johansen <john.johansen@canonical.com> 2025-01-18 06:47:11 -0800
commit: 71e6cff3e0dde6f6a3355d6c73ca3e176567995e (patch)
tree: b4a139d926b32f1fd43405725f606dc22345d554 /security/apparmor/policy.c
parent: c602537de3c137e55582d7fccfb18e50f1cd9c83 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index d0244fab0653..25cb34e43786 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -280,7 +280,7 @@ void aa_free_profile(struct aa_profile *profile)
 	struct aa_ruleset *rule, *tmp;
 	struct rhashtable *rht;
 
-	AA_DEBUG("%s(%p)\n", __func__, profile);
+	AA_DEBUG(DEBUG_POLICY, "%s(%p)\n", __func__, profile);
 
 	if (!profile)
 		return;
@@ -833,8 +833,8 @@ bool aa_policy_admin_capable(const struct cred *subj_cred,
 	bool capable = policy_ns_capable(subj_cred, label, user_ns,
 					 CAP_MAC_ADMIN) == 0;
 
-	AA_DEBUG("cap_mac_admin? %d\n", capable);
-	AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
+	AA_DEBUG(DEBUG_POLICY, "cap_mac_admin? %d\n", capable);
+	AA_DEBUG(DEBUG_POLICY, "policy locked? %d\n", aa_g_lock_policy);
 
 	return aa_policy_view_capable(subj_cred, label, ns) && capable &&
 		!aa_g_lock_policy;
author	John Johansen <john.johansen@canonical.com>	2022-09-23 16:36:10 -0700
committer	John Johansen <john.johansen@canonical.com>	2025-01-18 06:47:11 -0800
commit	71e6cff3e0dde6f6a3355d6c73ca3e176567995e (patch)
tree	b4a139d926b32f1fd43405725f606dc22345d554 /security/apparmor/policy.c
parent	c602537de3c137e55582d7fccfb18e50f1cd9c83 (diff)