# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_APPARMOR
	bool "AppArmor support"
	depends on SECURITY && NET
	select AUDIT
	select SECURITY_PATH
	select SECURITYFS
	select SECURITY_NETWORK
	default n
	help
	  This enables the AppArmor security m
	  Required userspace tools (if they ar
	  distribution) and further informatio
	  http://apparmor.wiki.kernel.org

	  If you are unsure how to answer this

config SECURITY_APPARMOR_DEBUG
	bool "Build AppArmor with debug code"
	depends on SECURITY_APPARMOR
	default n
	help
	  Build apparmor with debugging logic
	  debugging logic will necessarily be
	  provide fine grained control of the
	  available.

config SECURITY_APPARMOR_DEBUG_ASSERTS
	bool "Build AppArmor with debugging as
	depends on SECURITY_APPARMOR_DEBUG
	default y
	help
	  Enable code assertions made with AA_
	  function entry preconditions but als
	  points. If the assert is triggered i
	  message.

config SECURITY_APPARMOR_DEBUG_MESSAGES
	bool "Debug messages enabled by defaul
	depends on SECURITY_APPARMOR_DEBUG
	default n
	help
	  Set the default value of the apparmo
	  When enabled, various debug messages
	  the kernel message buffer.

config SECURITY_APPARMOR_INTROSPECT_POLICY
	bool "Allow loaded policy to be intros
	depends on SECURITY_APPARMOR
	default y
	help
	  This option selects whether introspe
	  is available to userspace via the ap
	  adds to kernel memory usage. It is r
	  of loaded policy, and check point an
	  can be disabled for embedded systems
	  cpu is paramount.

config SECURITY_APPARMOR_HASH
	bool "Enable introspection of sha256 h
	depends on SECURITY_APPARMOR_INTROSPEC
	select CRYPTO
	select CRYPTO_SHA256
	default y
	help
	  This option selects whether introspe
	  hashes is available to userspace via
	  filesystem. This option provides a l
	  checking loaded policy. This option
	  time and can be disabled for small e

config SECURITY_APPARMOR_HASH_DEFAULT
	bool "Enable policy hash introspection
	depends on SECURITY_APPARMOR_HASH
	default y
	help
	  This option selects whether sha256 ha
	  is enabled by default. The generation
	  loaded policy provide system administ
	  verify that policy in the kernel matc
	  however it can slow down policy load
	  these cases policy hashing can be dis
	  enabled only if needed.

config SECURITY_APPARMOR_EXPORT_BINARY
	bool "Allow exporting the raw binary p
	depends on SECURITY_APPARMOR_INTROSPEC
	select ZSTD_COMPRESS
	select ZSTD_DECOMPRESS
	default y
	help
	  This option allows reading back bina
	  It increases the amount of kernel me
	  also increases policy load time. Thi
	  checkpoint and restore support, and

config SECURITY_APPARMOR_PARANOID_LOAD
	bool "Perform full verification of loa
	depends on SECURITY_APPARMOR
	default y
	help
	  This options allows controlling whet
	  verification of loaded policy. This
	  except for embedded systems where th
	  includes policy, and has some form o
	  Disabling the check will speed up po

config SECURITY_APPARMOR_KUNIT_TEST
	tristate "Build KUnit tests for policy
	depends on KUNIT && SECURITY_APPARMOR
	default KUNIT_ALL_TESTS
	help
	  This builds the AppArmor KUnit tests

	  KUnit tests run during boot and outp
	  in TAP format (https://testanything.
	  running KUnit test harness and are n
	  production build.

	  For more information on KUnit and un
	  to the KUnit documentation in Docume

	  If unsure, say N.
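
An added example, not part of the kernel source: a Python check that reads a kernel `.config` and reports the AppArmor bool options that differ from the Kconfig defaults listed above, skipping options whose dependency is switched off. The sample `.config` is constructed, the function names are hypothetical, and the dependency assumed for the two cut-off `depends on` lines is noted in the code.

```python
import re

# option: (Kconfig default, dependency), copied from the entries above.
# The "depends on" lines of HASH and EXPORT_BINARY are cut off on this page;
# INTROSPECT_POLICY is assumed, as the only listed option with that prefix.
OPTIONS = {
    "SECURITY_APPARMOR_DEBUG": ("n", "SECURITY_APPARMOR"),
    "SECURITY_APPARMOR_DEBUG_ASSERTS": ("y", "SECURITY_APPARMOR_DEBUG"),
    "SECURITY_APPARMOR_DEBUG_MESSAGES": ("n", "SECURITY_APPARMOR_DEBUG"),
    "SECURITY_APPARMOR_INTROSPECT_POLICY": ("y", "SECURITY_APPARMOR"),
    "SECURITY_APPARMOR_HASH": ("y", "SECURITY_APPARMOR_INTROSPECT_POLICY"),
    "SECURITY_APPARMOR_HASH_DEFAULT": ("y", "SECURITY_APPARMOR_HASH"),
    "SECURITY_APPARMOR_EXPORT_BINARY": ("y", "SECURITY_APPARMOR_INTROSPECT_POLICY"),
    "SECURITY_APPARMOR_PARANOID_LOAD": ("y", "SECURITY_APPARMOR"),
}
SET_RE = re.compile(r"^CONFIG_(\w+)=(.*)$")
UNSET_RE = re.compile(r"^# CONFIG_(\w+) is not set$")

# Constructed sample .config fragment, not taken from a real system.
SAMPLE = """\
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_DEBUG=y
CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS=y
CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y
# CONFIG_SECURITY_APPARMOR_HASH is not set
CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y
# CONFIG_SECURITY_APPARMOR_PARANOID_LOAD is not set
"""

def parse_dotconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    values = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        u = UNSET_RE.match(line.strip())
        if m or u:
            values[(m or u).group(1)] = m.group(2) if m else "n"
    return values

def deviations(text):
    """List (symbol, actual, default) for selectable options that differ from the default."""
    values = parse_dotconfig(text)
    out = []
    for sym, (default, dep) in OPTIONS.items():
        actual = values.get(sym, "n")  # a symbol absent from .config counts as 'n'
        # Skip options whose dependency is off: they cannot be selected at all.
        if values.get(dep, "n") == "y" and actual != default:
            out.append((sym, actual, default))
    return out
```

Calling `deviations(open("/boot/config-" + release).read())` with `release` set to the running kernel's version string applies the same check to a distribution config, where that file exists.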