xref: /linux/security/apparmor/Kconfig (revision 4b65b859f55b036649a4525f09fa7c5bbbab384e)
1# SPDX-License-Identifier: GPL-2.0-only
2config SECURITY_APPARMOR
3	bool "AppArmor support"
4	depends on SECURITY && NET
5	select AUDIT
6	select SECURITY_PATH
7	select SECURITYFS
8	select SECURITY_NETWORK
9	default n
10	help
11	  This enables the AppArmor security module.
12	  Required userspace tools (if they are not included in your
13	  distribution) and further information may be found at
14	  http://apparmor.wiki.kernel.org
15
16	  If you are unsure how to answer this question, answer N.
17
18config SECURITY_APPARMOR_DEBUG
19	bool "Build AppArmor with debug code"
20	depends on SECURITY_APPARMOR
21	default n
22	help
23	  Build apparmor with debugging logic in apparmor. Not all
24	  debugging logic will necessarily be enabled. A submenu will
25	  provide fine grained control of the debug options that are
26	  available.
27
28config SECURITY_APPARMOR_DEBUG_ASSERTS
29	bool "Build AppArmor with debugging asserts"
30	depends on SECURITY_APPARMOR_DEBUG
31	default y
32	help
33	  Enable code assertions made with AA_BUG. These are primarily
34	  function entry preconditions but also exist at other key
35	  points. If the assert is triggered it will trigger a WARN
36	  message.
37
38config SECURITY_APPARMOR_DEBUG_MESSAGES
39	bool "Debug messages enabled by default"
40	depends on SECURITY_APPARMOR_DEBUG
41	default n
42	help
43	  Set the default value of the apparmor.debug kernel parameter.
44	  When enabled, various debug messages will be logged to
45	  the kernel message buffer.
46
47config SECURITY_APPARMOR_INTROSPECT_POLICY
48	bool "Allow loaded policy to be introspected"
49	depends on SECURITY_APPARMOR
50	default y
51	help
52	  This option selects whether introspection of loaded policy
53	  is available to userspace via the apparmor filesystem. This
54	  adds to kernel memory usage. It is required for introspection
55	  of loaded policy, and check point and restore support. It
56	  can be disabled for embedded systems where reducing memory and
57	  cpu is paramount.
58
59config SECURITY_APPARMOR_HASH
60	bool "Enable introspection of sha256 hashes for loaded profiles"
61	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
62	select CRYPTO_LIB_SHA256
63	default y
64	help
65	  This option selects whether introspection of loaded policy
66	  hashes is available to userspace via the apparmor
67	  filesystem. This option provides a light weight means of
68	  checking loaded policy.  This option adds to policy load
69	  time and can be disabled for small embedded systems.
70
71config SECURITY_APPARMOR_HASH_DEFAULT
72       bool "Enable policy hash introspection by default"
73       depends on SECURITY_APPARMOR_HASH
74       default y
75       help
76	 This option selects whether sha256 hashing of loaded policy
77	 is enabled by default. The generation of sha256 hashes for
78	 loaded policy provide system administrators a quick way to
79	 verify that policy in the kernel matches what is expected,
80	 however it can slow down policy load on some devices. In
81	 these cases policy hashing can be disabled by default and
82	 enabled only if needed.
83
84config SECURITY_APPARMOR_EXPORT_BINARY
85	bool "Allow exporting the raw binary policy"
86	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
87	select ZSTD_COMPRESS
88	select ZSTD_DECOMPRESS
89	default y
90	help
91	  This option allows reading back binary policy as it was loaded.
92	  It increases the amount of kernel memory needed by policy and
93	  also increases policy load time. This option is required for
94	  checkpoint and restore support, and debugging of loaded policy.
95
96config SECURITY_APPARMOR_PARANOID_LOAD
97	bool "Perform full verification of loaded policy"
98	depends on SECURITY_APPARMOR
99	default y
100	help
101	  This options allows controlling whether apparmor does a full
102	  verification of loaded policy. This should not be disabled
103	  except for embedded systems where the image is read only,
104	  includes policy, and has some form of integrity check.
105	  Disabling the check will speed up policy loads.
106
107config SECURITY_APPARMOR_KUNIT_TEST
108	tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
109	depends on KUNIT && SECURITY_APPARMOR
110	default KUNIT_ALL_TESTS
111	help
112	  This builds the AppArmor KUnit tests.
113
114	  KUnit tests run during boot and output the results to the debug log
115	  in TAP format (https://testanything.org/). Only useful for kernel devs
116	  running KUnit test harness and are not for inclusion into a
117	  production build.
118
119	  For more information on KUnit and unit tests in general please refer
120	  to the KUnit documentation in Documentation/dev-tools/kunit/.
121
122	  If unsure, say N.
123