1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only
2016d825fSJohn Johansenconfig SECURITY_APPARMOR
3016d825fSJohn Johansen	bool "AppArmor support"
406c22dadSRandy Dunlap	depends on SECURITY && NET
5016d825fSJohn Johansen	select AUDIT
6016d825fSJohn Johansen	select SECURITY_PATH
7016d825fSJohn Johansen	select SECURITYFS
8016d825fSJohn Johansen	select SECURITY_NETWORK
9016d825fSJohn Johansen	default n
10016d825fSJohn Johansen	help
11016d825fSJohn Johansen	  This enables the AppArmor security module.
12016d825fSJohn Johansen	  Required userspace tools (if they are not included in your
13016d825fSJohn Johansen	  distribution) and further information may be found at
14016d825fSJohn Johansen	  http://apparmor.wiki.kernel.org
15016d825fSJohn Johansen
16016d825fSJohn Johansen	  If you are unsure how to answer this question, answer N.
17016d825fSJohn Johansen
18680cd62eSJohn Johansenconfig SECURITY_APPARMOR_DEBUG
19680cd62eSJohn Johansen	bool "Build AppArmor with debug code"
20680cd62eSJohn Johansen	depends on SECURITY_APPARMOR
21680cd62eSJohn Johansen	default n
22680cd62eSJohn Johansen	help
23680cd62eSJohn Johansen	  Build AppArmor with debugging logic. Not all debugging
24680cd62eSJohn Johansen	  logic will necessarily be enabled. A submenu will
25680cd62eSJohn Johansen	  provide fine-grained control of the debug options that are
26680cd62eSJohn Johansen	  available.
27680cd62eSJohn Johansen
28680cd62eSJohn Johansenconfig SECURITY_APPARMOR_DEBUG_ASSERTS
29680cd62eSJohn Johansen	bool "Build AppArmor with debugging asserts"
30680cd62eSJohn Johansen	depends on SECURITY_APPARMOR_DEBUG
31680cd62eSJohn Johansen	default y
32680cd62eSJohn Johansen	help
33680cd62eSJohn Johansen	  Enable code assertions made with AA_BUG. These are primarily
34680cd62eSJohn Johansen	  function entry preconditions but also exist at other key
35680cd62eSJohn Johansen	  points. If an assertion is triggered it will emit a WARN
36680cd62eSJohn Johansen	  message.
37680cd62eSJohn Johansen
38680cd62eSJohn Johansenconfig SECURITY_APPARMOR_DEBUG_MESSAGES
39680cd62eSJohn Johansen	bool "Debug messages enabled by default"
40680cd62eSJohn Johansen	depends on SECURITY_APPARMOR_DEBUG
41680cd62eSJohn Johansen	default n
42680cd62eSJohn Johansen	help
43680cd62eSJohn Johansen	  Set the default value of the apparmor.debug kernel parameter.
44680cd62eSJohn Johansen	  When enabled, various debug messages will be logged to
45680cd62eSJohn Johansen	  the kernel message buffer.
464d944bcdSMike Salvatore
47d61c57fdSJohn Johansenconfig SECURITY_APPARMOR_INTROSPECT_POLICY
48d61c57fdSJohn Johansen	bool "Allow loaded policy to be introspected"
49d61c57fdSJohn Johansen	depends on SECURITY_APPARMOR
50d61c57fdSJohn Johansen	default y
51d61c57fdSJohn Johansen	help
52d61c57fdSJohn Johansen	  This option selects whether introspection of loaded policy
53d61c57fdSJohn Johansen	  is available to userspace via the apparmor filesystem. This
54d61c57fdSJohn Johansen	  adds to kernel memory usage. It is required for introspection
55d61c57fdSJohn Johansen	  of loaded policy, and for checkpoint and restore support. It
56d61c57fdSJohn Johansen	  can be disabled for embedded systems where reducing memory and
57d61c57fdSJohn Johansen	  CPU usage is paramount.
58d61c57fdSJohn Johansen
59d61c57fdSJohn Johansenconfig SECURITY_APPARMOR_HASH
60e44a4dc4SDimitri John Ledkov	bool "Enable introspection of sha256 hashes for loaded profiles"
61d61c57fdSJohn Johansen	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
62*f93c2709SEric Biggers	select CRYPTO_LIB_SHA256
63d61c57fdSJohn Johansen	default y
64d61c57fdSJohn Johansen	help
65d61c57fdSJohn Johansen	  This option selects whether introspection of loaded policy
66d61c57fdSJohn Johansen	  hashes is available to userspace via the apparmor
67d61c57fdSJohn Johansen	  filesystem. This option provides a lightweight means of
68d61c57fdSJohn Johansen	  checking loaded policy. This option adds to policy load
69d61c57fdSJohn Johansen	  time and can be disabled for small embedded systems.
70d61c57fdSJohn Johansen
71d61c57fdSJohn Johansenconfig SECURITY_APPARMOR_HASH_DEFAULT
72d61c57fdSJohn Johansen       bool "Enable policy hash introspection by default"
73d61c57fdSJohn Johansen       depends on SECURITY_APPARMOR_HASH
74d61c57fdSJohn Johansen       default y
75d61c57fdSJohn Johansen       help
76e44a4dc4SDimitri John Ledkov	 This option selects whether sha256 hashing of loaded policy
77e44a4dc4SDimitri John Ledkov	 is enabled by default. The generation of sha256 hashes for
78e44a4dc4SDimitri John Ledkov	 loaded policy provides system administrators a quick way to
79e44a4dc4SDimitri John Ledkov	 verify that policy in the kernel matches what is expected,
80d61c57fdSJohn Johansen	 however it can slow down policy load on some devices. In
81d61c57fdSJohn Johansen	 these cases policy hashing can be disabled by default and
82d61c57fdSJohn Johansen	 enabled only if needed.
83d61c57fdSJohn Johansen
84d61c57fdSJohn Johansenconfig SECURITY_APPARMOR_EXPORT_BINARY
85d61c57fdSJohn Johansen	bool "Allow exporting the raw binary policy"
86d61c57fdSJohn Johansen	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
87f4d6b94bSJon Tourville	select ZSTD_COMPRESS
88f4d6b94bSJon Tourville	select ZSTD_DECOMPRESS
89d61c57fdSJohn Johansen	default y
90d61c57fdSJohn Johansen	help
91d61c57fdSJohn Johansen	  This option allows reading back binary policy as it was loaded.
92d61c57fdSJohn Johansen	  It increases the amount of kernel memory needed by policy and
93d61c57fdSJohn Johansen	  also increases policy load time. This option is required for
94d61c57fdSJohn Johansen	  checkpoint and restore support, and debugging of loaded policy.
95d61c57fdSJohn Johansen
965bfcbd22SJohn Johansenconfig SECURITY_APPARMOR_PARANOID_LOAD
975bfcbd22SJohn Johansen	bool "Perform full verification of loaded policy"
985bfcbd22SJohn Johansen	depends on SECURITY_APPARMOR
995bfcbd22SJohn Johansen	default y
1005bfcbd22SJohn Johansen	help
1015bfcbd22SJohn Johansen	  This option allows controlling whether apparmor does a full
1025bfcbd22SJohn Johansen	  verification of loaded policy. This should not be disabled
1035bfcbd22SJohn Johansen	  except for embedded systems where the image is read only,
1045bfcbd22SJohn Johansen	  includes policy, and has some form of integrity check.
1055bfcbd22SJohn Johansen	  Disabling the check will speed up policy loads.
1065bfcbd22SJohn Johansen
1074d944bcdSMike Salvatoreconfig SECURITY_APPARMOR_KUNIT_TEST
108b11e51ddSRae Moar	tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
109b11e51ddSRae Moar	depends on KUNIT && SECURITY_APPARMOR
1106d6861d4SAnders Roxell	default KUNIT_ALL_TESTS
1114d944bcdSMike Salvatore	help
1124d944bcdSMike Salvatore	  This builds the AppArmor KUnit tests.
1134d944bcdSMike Salvatore
1144d944bcdSMike Salvatore	  KUnit tests run during boot and output the results to the debug log
115c9fecf50SAlexander A. Klimov	  in TAP format (https://testanything.org/). Only useful for kernel devs
1164d944bcdSMike Salvatore	  running the KUnit test harness; they are not intended for inclusion in a
1174d944bcdSMike Salvatore	  production build.
1184d944bcdSMike Salvatore
1194d944bcdSMike Salvatore	  For more information on KUnit and unit tests in general please refer
1204d944bcdSMike Salvatore	  to the KUnit documentation in Documentation/dev-tools/kunit/.
1214d944bcdSMike Salvatore
1224d944bcdSMike Salvatore	  If unsure, say N.
123