1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only 2 config SECURITY_APPARMOR 2 config SECURITY_APPARMOR 3 bool "AppArmor support" 3 bool "AppArmor support" 4 depends on SECURITY && NET 4 depends on SECURITY && NET 5 select AUDIT 5 select AUDIT 6 select SECURITY_PATH 6 select SECURITY_PATH 7 select SECURITYFS 7 select SECURITYFS 8 select SECURITY_NETWORK 8 select SECURITY_NETWORK 9 default n 9 default n 10 help 10 help 11 This enables the AppArmor security m 11 This enables the AppArmor security module. 12 Required userspace tools (if they ar 12 Required userspace tools (if they are not included in your 13 distribution) and further informatio 13 distribution) and further information may be found at 14 http://apparmor.wiki.kernel.org 14 http://apparmor.wiki.kernel.org 15 15 16 If you are unsure how to answer this 16 If you are unsure how to answer this question, answer N. 17 17 18 config SECURITY_APPARMOR_DEBUG 18 config SECURITY_APPARMOR_DEBUG 19 bool "Build AppArmor with debug code" 19 bool "Build AppArmor with debug code" 20 depends on SECURITY_APPARMOR 20 depends on SECURITY_APPARMOR 21 default n 21 default n 22 help 22 help 23 Build apparmor with debugging logic 23 Build apparmor with debugging logic in apparmor. Not all 24 debugging logic will necessarily be 24 debugging logic will necessarily be enabled. A submenu will 25 provide fine grained control of the 25 provide fine grained control of the debug options that are 26 available. 26 available. 27 27 28 config SECURITY_APPARMOR_DEBUG_ASSERTS 28 config SECURITY_APPARMOR_DEBUG_ASSERTS 29 bool "Build AppArmor with debugging as 29 bool "Build AppArmor with debugging asserts" 30 depends on SECURITY_APPARMOR_DEBUG 30 depends on SECURITY_APPARMOR_DEBUG 31 default y 31 default y 32 help 32 help 33 Enable code assertions made with AA_ 33 Enable code assertions made with AA_BUG. These are primarily 34 function entry preconditions but als 34 function entry preconditions but also exist at other key 35 points. If the assert is triggered i 35 points. If the assert is triggered it will trigger a WARN 36 message. 36 message. 37 37 38 config SECURITY_APPARMOR_DEBUG_MESSAGES 38 config SECURITY_APPARMOR_DEBUG_MESSAGES 39 bool "Debug messages enabled by defaul 39 bool "Debug messages enabled by default" 40 depends on SECURITY_APPARMOR_DEBUG 40 depends on SECURITY_APPARMOR_DEBUG 41 default n 41 default n 42 help 42 help 43 Set the default value of the apparmo 43 Set the default value of the apparmor.debug kernel parameter. 44 When enabled, various debug messages 44 When enabled, various debug messages will be logged to 45 the kernel message buffer. 45 the kernel message buffer. 46 46 47 config SECURITY_APPARMOR_INTROSPECT_POLICY 47 config SECURITY_APPARMOR_INTROSPECT_POLICY 48 bool "Allow loaded policy to be intros 48 bool "Allow loaded policy to be introspected" 49 depends on SECURITY_APPARMOR 49 depends on SECURITY_APPARMOR 50 default y 50 default y 51 help 51 help 52 This option selects whether introspe 52 This option selects whether introspection of loaded policy 53 is available to userspace via the ap 53 is available to userspace via the apparmor filesystem. This 54 adds to kernel memory usage. It is r 54 adds to kernel memory usage. It is required for introspection 55 of loaded policy, and check point an 55 of loaded policy, and check point and restore support. It 56 can be disabled for embedded systems 56 can be disabled for embedded systems where reducing memory and 57 cpu is paramount. 57 cpu is paramount. 58 58 59 config SECURITY_APPARMOR_HASH 59 config SECURITY_APPARMOR_HASH 60 bool "Enable introspection of sha256 h !! 60 bool "Enable introspection of sha1 hashes for loaded profiles" 61 depends on SECURITY_APPARMOR_INTROSPEC 61 depends on SECURITY_APPARMOR_INTROSPECT_POLICY 62 select CRYPTO 62 select CRYPTO 63 select CRYPTO_SHA256 !! 63 select CRYPTO_SHA1 64 default y 64 default y 65 help 65 help 66 This option selects whether introspe 66 This option selects whether introspection of loaded policy 67 hashes is available to userspace via 67 hashes is available to userspace via the apparmor 68 filesystem. This option provides a l 68 filesystem. This option provides a light weight means of 69 checking loaded policy. This option 69 checking loaded policy. This option adds to policy load 70 time and can be disabled for small e 70 time and can be disabled for small embedded systems. 71 71 72 config SECURITY_APPARMOR_HASH_DEFAULT 72 config SECURITY_APPARMOR_HASH_DEFAULT 73 bool "Enable policy hash introspection 73 bool "Enable policy hash introspection by default" 74 depends on SECURITY_APPARMOR_HASH 74 depends on SECURITY_APPARMOR_HASH 75 default y 75 default y 76 help 76 help 77 This option selects whether sha256 ha !! 77 This option selects whether sha1 hashing of loaded policy 78 is enabled by default. The generation !! 78 is enabled by default. The generation of sha1 hashes for 79 loaded policy provide system administ !! 79 loaded policy provide system administrators a quick way 80 verify that policy in the kernel matc !! 80 to verify that policy in the kernel matches what is expected, 81 however it can slow down policy load 81 however it can slow down policy load on some devices. In 82 these cases policy hashing can be dis 82 these cases policy hashing can be disabled by default and 83 enabled only if needed. 83 enabled only if needed. 84 84 85 config SECURITY_APPARMOR_EXPORT_BINARY 85 config SECURITY_APPARMOR_EXPORT_BINARY 86 bool "Allow exporting the raw binary p 86 bool "Allow exporting the raw binary policy" 87 depends on SECURITY_APPARMOR_INTROSPEC 87 depends on SECURITY_APPARMOR_INTROSPECT_POLICY 88 select ZSTD_COMPRESS !! 88 select ZLIB_INFLATE 89 select ZSTD_DECOMPRESS !! 89 select ZLIB_DEFLATE 90 default y 90 default y 91 help 91 help 92 This option allows reading back bina 92 This option allows reading back binary policy as it was loaded. 93 It increases the amount of kernel me 93 It increases the amount of kernel memory needed by policy and 94 also increases policy load time. Thi 94 also increases policy load time. This option is required for 95 checkpoint and restore support, and 95 checkpoint and restore support, and debugging of loaded policy. 96 96 97 config SECURITY_APPARMOR_PARANOID_LOAD 97 config SECURITY_APPARMOR_PARANOID_LOAD 98 bool "Perform full verification of loa 98 bool "Perform full verification of loaded policy" 99 depends on SECURITY_APPARMOR 99 depends on SECURITY_APPARMOR 100 default y 100 default y 101 help 101 help 102 This options allows controlling whet 102 This options allows controlling whether apparmor does a full 103 verification of loaded policy. This 103 verification of loaded policy. This should not be disabled 104 except for embedded systems where th 104 except for embedded systems where the image is read only, 105 includes policy, and has some form o 105 includes policy, and has some form of integrity check. 106 Disabling the check will speed up po 106 Disabling the check will speed up policy loads. 107 107 108 config SECURITY_APPARMOR_KUNIT_TEST 108 config SECURITY_APPARMOR_KUNIT_TEST 109 tristate "Build KUnit tests for policy !! 109 bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS 110 depends on KUNIT && SECURITY_APPARMOR !! 110 depends on KUNIT=y && SECURITY_APPARMOR 111 default KUNIT_ALL_TESTS 111 default KUNIT_ALL_TESTS 112 help 112 help 113 This builds the AppArmor KUnit tests 113 This builds the AppArmor KUnit tests. 114 114 115 KUnit tests run during boot and outp 115 KUnit tests run during boot and output the results to the debug log 116 in TAP format (https://testanything. 116 in TAP format (https://testanything.org/). Only useful for kernel devs 117 running KUnit test harness and are n 117 running KUnit test harness and are not for inclusion into a 118 production build. 118 production build. 119 119 120 For more information on KUnit and un 120 For more information on KUnit and unit tests in general please refer 121 to the KUnit documentation in Docume 121 to the KUnit documentation in Documentation/dev-tools/kunit/. 122 122 123 If unsure, say N. 123 If unsure, say N.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.