| # SPDX-License-Identifier: GPL-2.0-only |
| config SECURITY_APPARMOR |
| bool "AppArmor support" |
| depends on SECURITY && NET |
| select AUDIT |
| select SECURITY_PATH |
| select SECURITYFS |
| select SECURITY_NETWORK |
| select ZLIB_INFLATE |
| select ZLIB_DEFLATE |
| default n |
| help |
| This enables the AppArmor security module. |
| Required userspace tools (if they are not included in your |
| distribution) and further information may be found at |
| http://apparmor.wiki.kernel.org |
| |
| If you are unsure how to answer this question, answer N. |
| |
| config SECURITY_APPARMOR_HASH |
| bool "Enable introspection of sha1 hashes for loaded profiles" |
| depends on SECURITY_APPARMOR |
| select CRYPTO |
| select CRYPTO_SHA1 |
| default y |
| help |
| This option selects whether introspection of loaded policy |
| is available to userspace via the apparmor filesystem. |
| |
| config SECURITY_APPARMOR_HASH_DEFAULT |
| bool "Enable policy hash introspection by default" |
| depends on SECURITY_APPARMOR_HASH |
| default y |
| help |
| This option selects whether sha1 hashing of loaded policy |
| is enabled by default. The generation of sha1 hashes for |
| loaded policy provide system administrators a quick way |
| to verify that policy in the kernel matches what is expected, |
| however it can slow down policy load on some devices. In |
| these cases policy hashing can be disabled by default and |
| enabled only if needed. |
| |
| config SECURITY_APPARMOR_DEBUG |
| bool "Build AppArmor with debug code" |
| depends on SECURITY_APPARMOR |
| default n |
| help |
| Build apparmor with debugging logic in apparmor. Not all |
| debugging logic will necessarily be enabled. A submenu will |
| provide fine grained control of the debug options that are |
| available. |
| |
| config SECURITY_APPARMOR_DEBUG_ASSERTS |
| bool "Build AppArmor with debugging asserts" |
| depends on SECURITY_APPARMOR_DEBUG |
| default y |
| help |
| Enable code assertions made with AA_BUG. These are primarily |
| function entry preconditions but also exist at other key |
| points. If the assert is triggered it will trigger a WARN |
| message. |
| |
| config SECURITY_APPARMOR_DEBUG_MESSAGES |
| bool "Debug messages enabled by default" |
| depends on SECURITY_APPARMOR_DEBUG |
| default n |
| help |
| Set the default value of the apparmor.debug kernel parameter. |
| When enabled, various debug messages will be logged to |
| the kernel message buffer. |
| |
| config SECURITY_APPARMOR_KUNIT_TEST |
| bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS |
| depends on KUNIT=y && SECURITY_APPARMOR |
| default KUNIT_ALL_TESTS |
| help |
| This builds the AppArmor KUnit tests. |
| |
| KUnit tests run during boot and output the results to the debug log |
| in TAP format (http://testanything.org/). Only useful for kernel devs |
| running KUnit test harness and are not for inclusion into a |
| production build. |
| |
| For more information on KUnit and unit tests in general please refer |
| to the KUnit documentation in Documentation/dev-tools/kunit/. |
| |
| If unsure, say N. |