1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only
2 config SECURITY_APPARMOR 2 config SECURITY_APPARMOR
3 bool "AppArmor support" 3 bool "AppArmor support"
4 depends on SECURITY && NET 4 depends on SECURITY && NET
5 select AUDIT 5 select AUDIT
6 select SECURITY_PATH 6 select SECURITY_PATH
7 select SECURITYFS 7 select SECURITYFS
8 select SECURITY_NETWORK 8 select SECURITY_NETWORK
>> 9 select ZLIB_INFLATE
>> 10 select ZLIB_DEFLATE
9 default n 11 default n
10 help 12 help
11 This enables the AppArmor security m 13 This enables the AppArmor security module.
12 Required userspace tools (if they ar 14 Required userspace tools (if they are not included in your
13 distribution) and further informatio 15 distribution) and further information may be found at
14 http://apparmor.wiki.kernel.org 16 http://apparmor.wiki.kernel.org
15 17
16 If you are unsure how to answer this 18 If you are unsure how to answer this question, answer N.
17 19
>> 20 config SECURITY_APPARMOR_HASH
>> 21 bool "Enable introspection of sha1 hashes for loaded profiles"
>> 22 depends on SECURITY_APPARMOR
>> 23 select CRYPTO
>> 24 select CRYPTO_SHA1
>> 25 default y
>> 26 help
>> 27 This option selects whether introspection of loaded policy
>> 28 is available to userspace via the apparmor filesystem.
>> 29
>> 30 config SECURITY_APPARMOR_HASH_DEFAULT
>> 31 bool "Enable policy hash introspection by default"
>> 32 depends on SECURITY_APPARMOR_HASH
>> 33 default y
>> 34 help
>> 35 This option selects whether sha1 hashing of loaded policy
>> 36 is enabled by default. The generation of sha1 hashes for
>> 37 loaded policy provide system administrators a quick way
>> 38 to verify that policy in the kernel matches what is expected,
>> 39 however it can slow down policy load on some devices. In
>> 40 these cases policy hashing can be disabled by default and
>> 41 enabled only if needed.
>> 42
18 config SECURITY_APPARMOR_DEBUG 43 config SECURITY_APPARMOR_DEBUG
19 bool "Build AppArmor with debug code" 44 bool "Build AppArmor with debug code"
20 depends on SECURITY_APPARMOR 45 depends on SECURITY_APPARMOR
21 default n 46 default n
22 help 47 help
23 Build apparmor with debugging logic 48 Build apparmor with debugging logic in apparmor. Not all
24 debugging logic will necessarily be 49 debugging logic will necessarily be enabled. A submenu will
25 provide fine grained control of the 50 provide fine grained control of the debug options that are
26 available. 51 available.
27 52
28 config SECURITY_APPARMOR_DEBUG_ASSERTS 53 config SECURITY_APPARMOR_DEBUG_ASSERTS
29 bool "Build AppArmor with debugging as 54 bool "Build AppArmor with debugging asserts"
30 depends on SECURITY_APPARMOR_DEBUG 55 depends on SECURITY_APPARMOR_DEBUG
31 default y 56 default y
32 help 57 help
33 Enable code assertions made with AA_ 58 Enable code assertions made with AA_BUG. These are primarily
34 function entry preconditions but als 59 function entry preconditions but also exist at other key
35 points. If the assert is triggered i 60 points. If the assert is triggered it will trigger a WARN
36 message. 61 message.
37 62
38 config SECURITY_APPARMOR_DEBUG_MESSAGES 63 config SECURITY_APPARMOR_DEBUG_MESSAGES
39 bool "Debug messages enabled by defaul 64 bool "Debug messages enabled by default"
40 depends on SECURITY_APPARMOR_DEBUG 65 depends on SECURITY_APPARMOR_DEBUG
41 default n 66 default n
42 help 67 help
43 Set the default value of the apparmo 68 Set the default value of the apparmor.debug kernel parameter.
44 When enabled, various debug messages 69 When enabled, various debug messages will be logged to
45 the kernel message buffer. 70 the kernel message buffer.
46 71
47 config SECURITY_APPARMOR_INTROSPECT_POLICY <<
48 bool "Allow loaded policy to be intros <<
49 depends on SECURITY_APPARMOR <<
50 default y <<
51 help <<
52 This option selects whether introspe <<
53 is available to userspace via the ap <<
54 adds to kernel memory usage. It is r <<
55 of loaded policy, and check point an <<
56 can be disabled for embedded systems <<
57 cpu is paramount. <<
58 <<
59 config SECURITY_APPARMOR_HASH <<
60 bool "Enable introspection of sha256 h <<
61 depends on SECURITY_APPARMOR_INTROSPEC <<
62 select CRYPTO <<
63 select CRYPTO_SHA256 <<
64 default y <<
65 help <<
66 This option selects whether introspe <<
67 hashes is available to userspace via <<
68 filesystem. This option provides a l <<
69 checking loaded policy. This option <<
70 time and can be disabled for small e <<
71 <<
72 config SECURITY_APPARMOR_HASH_DEFAULT <<
73 bool "Enable policy hash introspection <<
74 depends on SECURITY_APPARMOR_HASH <<
75 default y <<
76 help <<
77 This option selects whether sha256 ha <<
78 is enabled by default. The generation <<
79 loaded policy provide system administ <<
80 verify that policy in the kernel matc <<
81 however it can slow down policy load <<
82 these cases policy hashing can be dis <<
83 enabled only if needed. <<
84 <<
85 config SECURITY_APPARMOR_EXPORT_BINARY <<
86 bool "Allow exporting the raw binary p <<
87 depends on SECURITY_APPARMOR_INTROSPEC <<
88 select ZSTD_COMPRESS <<
89 select ZSTD_DECOMPRESS <<
90 default y <<
91 help <<
92 This option allows reading back bina <<
93 It increases the amount of kernel me <<
94 also increases policy load time. Thi <<
95 checkpoint and restore support, and <<
96 <<
97 config SECURITY_APPARMOR_PARANOID_LOAD <<
98 bool "Perform full verification of loa <<
99 depends on SECURITY_APPARMOR <<
100 default y <<
101 help <<
102 This options allows controlling whet <<
103 verification of loaded policy. This <<
104 except for embedded systems where th <<
105 includes policy, and has some form o <<
106 Disabling the check will speed up po <<
107 <<
108 config SECURITY_APPARMOR_KUNIT_TEST 72 config SECURITY_APPARMOR_KUNIT_TEST
109 tristate "Build KUnit tests for policy !! 73 bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
110 depends on KUNIT && SECURITY_APPARMOR !! 74 depends on KUNIT=y && SECURITY_APPARMOR
111 default KUNIT_ALL_TESTS 75 default KUNIT_ALL_TESTS
112 help 76 help
113 This builds the AppArmor KUnit tests 77 This builds the AppArmor KUnit tests.
114 78
115 KUnit tests run during boot and outp 79 KUnit tests run during boot and output the results to the debug log
116 in TAP format (https://testanything. 80 in TAP format (https://testanything.org/). Only useful for kernel devs
117 running KUnit test harness and are n 81 running KUnit test harness and are not for inclusion into a
118 production build. 82 production build.
119 83
120 For more information on KUnit and un 84 For more information on KUnit and unit tests in general please refer
121 to the KUnit documentation in Docume 85 to the KUnit documentation in Documentation/dev-tools/kunit/.
122 86
123 If unsure, say N. 87 If unsure, say N.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.