1# SPDX-License-Identifier: GPL-2.0-only 2config SECURITY_APPARMOR 3 bool "AppArmor support" 4 depends on SECURITY && NET 5 select AUDIT 6 select SECURITY_PATH 7 select SECURITYFS 8 select SECURITY_NETWORK 9 default n 10 help 11 This enables the AppArmor security module. 12 Required userspace tools (if they are not included in your 13 distribution) and further information may be found at 14 http://apparmor.wiki.kernel.org 15 16 If you are unsure how to answer this question, answer N. 17 18config SECURITY_APPARMOR_DEBUG 19 bool "Build AppArmor with debug code" 20 depends on SECURITY_APPARMOR 21 default n 22 help 23 Build apparmor with debugging logic in apparmor. Not all 24 debugging logic will necessarily be enabled. A submenu will 25 provide fine grained control of the debug options that are 26 available. 27 28config SECURITY_APPARMOR_DEBUG_ASSERTS 29 bool "Build AppArmor with debugging asserts" 30 depends on SECURITY_APPARMOR_DEBUG 31 default y 32 help 33 Enable code assertions made with AA_BUG. These are primarily 34 function entry preconditions but also exist at other key 35 points. If the assert is triggered it will trigger a WARN 36 message. 37 38config SECURITY_APPARMOR_DEBUG_MESSAGES 39 bool "Debug messages enabled by default" 40 depends on SECURITY_APPARMOR_DEBUG 41 default n 42 help 43 Set the default value of the apparmor.debug kernel parameter. 44 When enabled, various debug messages will be logged to 45 the kernel message buffer. 46 47config SECURITY_APPARMOR_INTROSPECT_POLICY 48 bool "Allow loaded policy to be introspected" 49 depends on SECURITY_APPARMOR 50 default y 51 help 52 This option selects whether introspection of loaded policy 53 is available to userspace via the apparmor filesystem. This 54 adds to kernel memory usage. It is required for introspection 55 of loaded policy, and check point and restore support. It 56 can be disabled for embedded systems where reducing memory and 57 cpu is paramount. 58 59config SECURITY_APPARMOR_HASH 60 bool "Enable introspection of sha256 hashes for loaded profiles" 61 depends on SECURITY_APPARMOR_INTROSPECT_POLICY 62 select CRYPTO_LIB_SHA256 63 default y 64 help 65 This option selects whether introspection of loaded policy 66 hashes is available to userspace via the apparmor 67 filesystem. This option provides a light weight means of 68 checking loaded policy. This option adds to policy load 69 time and can be disabled for small embedded systems. 70 71config SECURITY_APPARMOR_HASH_DEFAULT 72 bool "Enable policy hash introspection by default" 73 depends on SECURITY_APPARMOR_HASH 74 default y 75 help 76 This option selects whether sha256 hashing of loaded policy 77 is enabled by default. The generation of sha256 hashes for 78 loaded policy provide system administrators a quick way to 79 verify that policy in the kernel matches what is expected, 80 however it can slow down policy load on some devices. In 81 these cases policy hashing can be disabled by default and 82 enabled only if needed. 83 84config SECURITY_APPARMOR_EXPORT_BINARY 85 bool "Allow exporting the raw binary policy" 86 depends on SECURITY_APPARMOR_INTROSPECT_POLICY 87 select ZSTD_COMPRESS 88 select ZSTD_DECOMPRESS 89 default y 90 help 91 This option allows reading back binary policy as it was loaded. 92 It increases the amount of kernel memory needed by policy and 93 also increases policy load time. This option is required for 94 checkpoint and restore support, and debugging of loaded policy. 95 96config SECURITY_APPARMOR_PARANOID_LOAD 97 bool "Perform full verification of loaded policy" 98 depends on SECURITY_APPARMOR 99 default y 100 help 101 This options allows controlling whether apparmor does a full 102 verification of loaded policy. This should not be disabled 103 except for embedded systems where the image is read only, 104 includes policy, and has some form of integrity check. 105 Disabling the check will speed up policy loads. 106 107config SECURITY_APPARMOR_KUNIT_TEST 108 tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS 109 depends on KUNIT && SECURITY_APPARMOR 110 default KUNIT_ALL_TESTS 111 help 112 This builds the AppArmor KUnit tests. 113 114 KUnit tests run during boot and output the results to the debug log 115 in TAP format (https://testanything.org/). Only useful for kernel devs 116 running KUnit test harness and are not for inclusion into a 117 production build. 118 119 For more information on KUnit and unit tests in general please refer 120 to the KUnit documentation in Documentation/dev-tools/kunit/. 121 122 If unsure, say N. 123