1# SPDX-License-Identifier: GPL-2.0-only 2config SECURITY_APPARMOR 3 bool "AppArmor support" 4 depends on SECURITY && NET 5 select AUDIT 6 select SECURITY_PATH 7 select SECURITYFS 8 select SECURITY_NETWORK 9 default n 10 help 11 This enables the AppArmor security module. 12 Required userspace tools (if they are not included in your 13 distribution) and further information may be found at 14 http://apparmor.wiki.kernel.org 15 16 If you are unsure how to answer this question, answer N. 17 18config SECURITY_APPARMOR_DEBUG 19 bool "Build AppArmor with debug code" 20 depends on SECURITY_APPARMOR 21 default n 22 help 23 Build apparmor with debugging logic in apparmor. Not all 24 debugging logic will necessarily be enabled. A submenu will 25 provide fine grained control of the debug options that are 26 available. 27 28config SECURITY_APPARMOR_DEBUG_ASSERTS 29 bool "Build AppArmor with debugging asserts" 30 depends on SECURITY_APPARMOR_DEBUG 31 default y 32 help 33 Enable code assertions made with AA_BUG. These are primarily 34 function entry preconditions but also exist at other key 35 points. If the assert is triggered it will trigger a WARN 36 message. 37 38config SECURITY_APPARMOR_DEBUG_MESSAGES 39 bool "Debug messages enabled by default" 40 depends on SECURITY_APPARMOR_DEBUG 41 default n 42 help 43 Set the default value of the apparmor.debug kernel parameter. 44 When enabled, various debug messages will be logged to 45 the kernel message buffer. 46 47config SECURITY_APPARMOR_INTROSPECT_POLICY 48 bool "Allow loaded policy to be introspected" 49 depends on SECURITY_APPARMOR 50 default y 51 help 52 This option selects whether introspection of loaded policy 53 is available to userspace via the apparmor filesystem. This 54 adds to kernel memory usage. It is required for introspection 55 of loaded policy, and check point and restore support. It 56 can be disabled for embedded systems where reducing memory and 57 cpu is paramount. 58 59config SECURITY_APPARMOR_HASH 60 bool "Enable introspection of sha256 hashes for loaded profiles" 61 depends on SECURITY_APPARMOR_INTROSPECT_POLICY 62 select CRYPTO 63 select CRYPTO_SHA256 64 default y 65 help 66 This option selects whether introspection of loaded policy 67 hashes is available to userspace via the apparmor 68 filesystem. This option provides a light weight means of 69 checking loaded policy. This option adds to policy load 70 time and can be disabled for small embedded systems. 71 72config SECURITY_APPARMOR_HASH_DEFAULT 73 bool "Enable policy hash introspection by default" 74 depends on SECURITY_APPARMOR_HASH 75 default y 76 help 77 This option selects whether sha256 hashing of loaded policy 78 is enabled by default. The generation of sha256 hashes for 79 loaded policy provide system administrators a quick way to 80 verify that policy in the kernel matches what is expected, 81 however it can slow down policy load on some devices. In 82 these cases policy hashing can be disabled by default and 83 enabled only if needed. 84 85config SECURITY_APPARMOR_EXPORT_BINARY 86 bool "Allow exporting the raw binary policy" 87 depends on SECURITY_APPARMOR_INTROSPECT_POLICY 88 select ZSTD_COMPRESS 89 select ZSTD_DECOMPRESS 90 default y 91 help 92 This option allows reading back binary policy as it was loaded. 93 It increases the amount of kernel memory needed by policy and 94 also increases policy load time. This option is required for 95 checkpoint and restore support, and debugging of loaded policy. 96 97config SECURITY_APPARMOR_PARANOID_LOAD 98 bool "Perform full verification of loaded policy" 99 depends on SECURITY_APPARMOR 100 default y 101 help 102 This options allows controlling whether apparmor does a full 103 verification of loaded policy. This should not be disabled 104 except for embedded systems where the image is read only, 105 includes policy, and has some form of integrity check. 106 Disabling the check will speed up policy loads. 107 108config SECURITY_APPARMOR_KUNIT_TEST 109 tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS 110 depends on KUNIT && SECURITY_APPARMOR 111 default KUNIT_ALL_TESTS 112 help 113 This builds the AppArmor KUnit tests. 114 115 KUnit tests run during boot and output the results to the debug log 116 in TAP format (https://testanything.org/). Only useful for kernel devs 117 running KUnit test harness and are not for inclusion into a 118 production build. 119 120 For more information on KUnit and unit tests in general please refer 121 to the KUnit documentation in Documentation/dev-tools/kunit/. 122 123 If unsure, say N. 124