# SPDX-License-Identifier: GPL-2.0-only config SECURITY_APPARMOR bool "AppArmor support" depends on SECURITY && NET select AUDIT select SECURITY_PATH select SECURITYFS select SECURITY_NETWORK select ZLIB_INFLATE select ZLIB_DEFLATE default n help This enables the AppArmor security module. Required userspace tools (if they are not included in your distribution) and further information may be found at http://apparmor.wiki.kernel.org If you are unsure how to answer this question, answer N. config SECURITY_APPARMOR_HASH bool "Enable introspection of sha1 hashes for loaded profiles" depends on SECURITY_APPARMOR select CRYPTO select CRYPTO_SHA1 default y help This option selects whether introspection of loaded policy is available to userspace via the apparmor filesystem. config SECURITY_APPARMOR_HASH_DEFAULT bool "Enable policy hash introspection by default" depends on SECURITY_APPARMOR_HASH default y help This option selects whether sha1 hashing of loaded policy is enabled by default. The generation of sha1 hashes for loaded policy provide system administrators a quick way to verify that policy in the kernel matches what is expected, however it can slow down policy load on some devices. In these cases policy hashing can be disabled by default and enabled only if needed. config SECURITY_APPARMOR_DEBUG bool "Build AppArmor with debug code" depends on SECURITY_APPARMOR default n help Build apparmor with debugging logic in apparmor. Not all debugging logic will necessarily be enabled. A submenu will provide fine grained control of the debug options that are available. config SECURITY_APPARMOR_DEBUG_ASSERTS bool "Build AppArmor with debugging asserts" depends on SECURITY_APPARMOR_DEBUG default y help Enable code assertions made with AA_BUG. These are primarily function entry preconditions but also exist at other key points. If the assert is triggered it will trigger a WARN message. config SECURITY_APPARMOR_DEBUG_MESSAGES bool "Debug messages enabled by default" depends on SECURITY_APPARMOR_DEBUG default n help Set the default value of the apparmor.debug kernel parameter. When enabled, various debug messages will be logged to the kernel message buffer. config SECURITY_APPARMOR_KUNIT_TEST bool "Build KUnit tests for policy_unpack.c" depends on KUNIT=y && SECURITY_APPARMOR help This builds the AppArmor KUnit tests. KUnit tests run during boot and output the results to the debug log in TAP format (https://testanything.org/). Only useful for kernel devs running KUnit test harness and are not for inclusion into a production build. For more information on KUnit and unit tests in general please refer to the KUnit documentation in Documentation/dev-tools/kunit/. If unsure, say N.