xref: /linux/security/apparmor/Kconfig (revision 6d6861d45e38d42a7df9db244c871ee3856acf57)
1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only
2016d825fSJohn Johansenconfig SECURITY_APPARMOR
3016d825fSJohn Johansen	bool "AppArmor support"
406c22dadSRandy Dunlap	depends on SECURITY && NET
5016d825fSJohn Johansen	select AUDIT
6016d825fSJohn Johansen	select SECURITY_PATH
7016d825fSJohn Johansen	select SECURITYFS
8016d825fSJohn Johansen	select SECURITY_NETWORK
9fe166a9fSJohn Johansen	select ZLIB_INFLATE
10fe166a9fSJohn Johansen	select ZLIB_DEFLATE
11016d825fSJohn Johansen	default n
12016d825fSJohn Johansen	help
13016d825fSJohn Johansen	  This enables the AppArmor security module.
14016d825fSJohn Johansen	  Required userspace tools (if they are not included in your
15016d825fSJohn Johansen	  distribution) and further information may be found at
16016d825fSJohn Johansen	  http://apparmor.wiki.kernel.org
17016d825fSJohn Johansen
18016d825fSJohn Johansen	  If you are unsure how to answer this question, answer N.
19016d825fSJohn Johansen
20f8eb8a13SJohn Johansenconfig SECURITY_APPARMOR_HASH
216059f71fSJohn Johansen	bool "Enable introspection of sha1 hashes for loaded profiles"
22f8eb8a13SJohn Johansen	depends on SECURITY_APPARMOR
23083c1290SArnd Bergmann	select CRYPTO
24f8eb8a13SJohn Johansen	select CRYPTO_SHA1
25f8eb8a13SJohn Johansen	default y
26f8eb8a13SJohn Johansen	help
276059f71fSJohn Johansen	  This option selects whether introspection of the sha1 hashes of
286059f71fSJohn Johansen	  loaded policy is available to userspace via the apparmor filesystem.
296059f71fSJohn Johansen
306059f71fSJohn Johansenconfig SECURITY_APPARMOR_HASH_DEFAULT
316059f71fSJohn Johansen       bool "Enable policy hash introspection by default"
326059f71fSJohn Johansen       depends on SECURITY_APPARMOR_HASH
336059f71fSJohn Johansen       default y
346059f71fSJohn Johansen       help
356059f71fSJohn Johansen         This option selects whether sha1 hashing of loaded policy
366059f71fSJohn Johansen	 is enabled by default. The generation of sha1 hashes for
376059f71fSJohn Johansen	 loaded policy provides system administrators with a quick way
386059f71fSJohn Johansen	 to verify that policy in the kernel matches what is expected;
396059f71fSJohn Johansen	 however, it can slow down policy load on some devices. In
406059f71fSJohn Johansen	 these cases policy hashing can be disabled by default and
416059f71fSJohn Johansen	 enabled only if needed.
42680cd62eSJohn Johansen
43680cd62eSJohn Johansenconfig SECURITY_APPARMOR_DEBUG
44680cd62eSJohn Johansen	bool "Build AppArmor with debug code"
45680cd62eSJohn Johansen	depends on SECURITY_APPARMOR
46680cd62eSJohn Johansen	default n
47680cd62eSJohn Johansen	help
48680cd62eSJohn Johansen	  Build AppArmor with its debugging logic compiled in. Not all
49680cd62eSJohn Johansen	  debugging logic will necessarily be enabled. A submenu will
50680cd62eSJohn Johansen	  provide fine grained control of the debug options that are
51680cd62eSJohn Johansen	  available.
52680cd62eSJohn Johansen
53680cd62eSJohn Johansenconfig SECURITY_APPARMOR_DEBUG_ASSERTS
54680cd62eSJohn Johansen	bool "Build AppArmor with debugging asserts"
55680cd62eSJohn Johansen	depends on SECURITY_APPARMOR_DEBUG
56680cd62eSJohn Johansen	default y
57680cd62eSJohn Johansen	help
58680cd62eSJohn Johansen	  Enable code assertions made with AA_BUG. These are primarily
59680cd62eSJohn Johansen	  function entry preconditions but also exist at other key
60680cd62eSJohn Johansen	  points. If an assert is triggered it emits a WARN
61680cd62eSJohn Johansen	  message.
62680cd62eSJohn Johansen
63680cd62eSJohn Johansenconfig SECURITY_APPARMOR_DEBUG_MESSAGES
64680cd62eSJohn Johansen	bool "Debug messages enabled by default"
65680cd62eSJohn Johansen	depends on SECURITY_APPARMOR_DEBUG
66680cd62eSJohn Johansen	default n
67680cd62eSJohn Johansen	help
68680cd62eSJohn Johansen	  Set the default value of the apparmor.debug kernel parameter.
69680cd62eSJohn Johansen	  When enabled, various debug messages will be logged to
70680cd62eSJohn Johansen	  the kernel message buffer.
714d944bcdSMike Salvatore
724d944bcdSMike Salvatoreconfig SECURITY_APPARMOR_KUNIT_TEST
73*6d6861d4SAnders Roxell	bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
7435c57fc3SAlan Maguire	depends on KUNIT=y && SECURITY_APPARMOR
75*6d6861d4SAnders Roxell	default KUNIT_ALL_TESTS
764d944bcdSMike Salvatore	help
774d944bcdSMike Salvatore	  This builds the AppArmor KUnit tests.
784d944bcdSMike Salvatore
794d944bcdSMike Salvatore	  KUnit tests run during boot and output the results to the debug log
804d944bcdSMike Salvatore	  in TAP format (http://testanything.org/). These tests are only useful
814d944bcdSMike Salvatore	  for kernel devs running the KUnit test harness and are not for
824d944bcdSMike Salvatore	  inclusion into a production build.
834d944bcdSMike Salvatore
844d944bcdSMike Salvatore	  For more information on KUnit and unit tests in general please refer
854d944bcdSMike Salvatore	  to the KUnit documentation in Documentation/dev-tools/kunit/.
864d944bcdSMike Salvatore
874d944bcdSMike Salvatore	  If unsure, say N.
88