xref: /linux/security/apparmor/Kconfig (revision 65cc9c391c3c4096ccc47ecd8b9f58f470b57225)
1# SPDX-License-Identifier: GPL-2.0-only
2config SECURITY_APPARMOR
3	bool "AppArmor support"
4	depends on SECURITY && NET
5	select AUDIT
6	select SECURITY_PATH
7	select SECURITYFS
8	select SECURITY_NETWORK
9	select ZLIB_INFLATE
10	select ZLIB_DEFLATE
11	default n
12	help
13	  This enables the AppArmor security module.
14	  Required userspace tools (if they are not included in your
15	  distribution) and further information may be found at
16	  http://apparmor.wiki.kernel.org
17
18	  If you are unsure how to answer this question, answer N.
19
20config SECURITY_APPARMOR_HASH
21	bool "Enable introspection of sha1 hashes for loaded profiles"
22	depends on SECURITY_APPARMOR
23	select CRYPTO
24	select CRYPTO_SHA1
25	default y
26	help
27	  This option selects whether introspection of loaded policy
28	  hashes is available to userspace via the apparmor
29	  filesystem. This option provides a lightweight means of
30	  checking loaded policy. This option adds to policy load
31	  time and can be disabled for small embedded systems.
32
33config SECURITY_APPARMOR_HASH_DEFAULT
34       bool "Enable policy hash introspection by default"
35       depends on SECURITY_APPARMOR_HASH
36       default y
37       help
38         This option selects whether sha1 hashing of loaded policy
39	 is enabled by default. The generation of sha1 hashes for
40	 loaded policy provides system administrators a quick way
41	 to verify that policy in the kernel matches what is expected;
42	 however, it can slow down policy load on some devices. In
43	 these cases policy hashing can be disabled by default and
44	 enabled only if needed.
45
46config SECURITY_APPARMOR_DEBUG
47	bool "Build AppArmor with debug code"
48	depends on SECURITY_APPARMOR
49	default n
50	help
51	  Build AppArmor with debugging logic included. Not all
52	  debugging logic will necessarily be enabled. A submenu will
53	  provide fine-grained control of the debug options that are
54	  available.
55
56config SECURITY_APPARMOR_DEBUG_ASSERTS
57	bool "Build AppArmor with debugging asserts"
58	depends on SECURITY_APPARMOR_DEBUG
59	default y
60	help
61	  Enable code assertions made with AA_BUG. These are primarily
62	  function entry preconditions but also exist at other key
63	  points. If an assert fails, it triggers a WARN
64	  message.
65
66config SECURITY_APPARMOR_DEBUG_MESSAGES
67	bool "Debug messages enabled by default"
68	depends on SECURITY_APPARMOR_DEBUG
69	default n
70	help
71	  Set the default value of the apparmor.debug kernel parameter.
72	  When enabled, various debug messages will be logged to
73	  the kernel message buffer.
74
75config SECURITY_APPARMOR_KUNIT_TEST
76	bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
77	depends on KUNIT=y && SECURITY_APPARMOR
78	default KUNIT_ALL_TESTS
79	help
80	  This builds the AppArmor KUnit tests.
81
82	  KUnit tests run during boot and output the results to the debug log
83	  in TAP format (https://testanything.org/). They are only useful for
84	  kernel developers running the KUnit test harness and are not for
85	  inclusion in a production build.
86
87	  For more information on KUnit and unit tests in general please refer
88	  to the KUnit documentation in Documentation/dev-tools/kunit/.
89
90	  If unsure, say N.
91