1 # SPDX-License-Identifier: GPL-2.0-only <<
2 config SECURITY_APPARMOR 1 config SECURITY_APPARMOR
3 bool "AppArmor support" 2 bool "AppArmor support"
4 depends on SECURITY && NET 3 depends on SECURITY && NET
5 select AUDIT 4 select AUDIT
6 select SECURITY_PATH 5 select SECURITY_PATH
7 select SECURITYFS 6 select SECURITYFS
8 select SECURITY_NETWORK 7 select SECURITY_NETWORK
9 default n 8 default n
10 help 9 help
11 This enables the AppArmor security m 10 This enables the AppArmor security module.
12 Required userspace tools (if they ar 11 Required userspace tools (if they are not included in your
13 distribution) and further informatio 12 distribution) and further information may be found at
14 http://apparmor.wiki.kernel.org 13 http://apparmor.wiki.kernel.org
15 14
16 If you are unsure how to answer this 15 If you are unsure how to answer this question, answer N.
17 16
18 config SECURITY_APPARMOR_DEBUG !! 17 config SECURITY_APPARMOR_BOOTPARAM_VALUE
19 bool "Build AppArmor with debug code" !! 18 int "AppArmor boot parameter default value"
20 depends on SECURITY_APPARMOR 19 depends on SECURITY_APPARMOR
21 default n !! 20 range 0 1
22 help !! 21 default 1
23 Build apparmor with debugging logic <<
24 debugging logic will necessarily be <<
25 provide fine grained control of the <<
26 available. <<
27 <<
28 config SECURITY_APPARMOR_DEBUG_ASSERTS <<
29 bool "Build AppArmor with debugging as <<
30 depends on SECURITY_APPARMOR_DEBUG <<
31 default y <<
32 help 22 help
33 Enable code assertions made with AA_ !! 23 This option sets the default value for the kernel parameter
34 function entry preconditions but als !! 24 'apparmor', which allows AppArmor to be enabled or disabled
35 points. If the assert is triggered i !! 25 at boot. If this option is set to 0 (zero), the AppArmor
36 message. !! 26 kernel parameter will default to 0, disabling AppArmor at
37 !! 27 boot. If this option is set to 1 (one), the AppArmor
38 config SECURITY_APPARMOR_DEBUG_MESSAGES !! 28 kernel parameter will default to 1, enabling AppArmor at
39 bool "Debug messages enabled by defaul !! 29 boot.
40 depends on SECURITY_APPARMOR_DEBUG <<
41 default n <<
42 help <<
43 Set the default value of the apparmo <<
44 When enabled, various debug messages <<
45 the kernel message buffer. <<
46 30
47 config SECURITY_APPARMOR_INTROSPECT_POLICY !! 31 If you are unsure how to answer this question, answer 1.
48 bool "Allow loaded policy to be intros <<
49 depends on SECURITY_APPARMOR <<
50 default y <<
51 help <<
52 This option selects whether introspe <<
53 is available to userspace via the ap <<
54 adds to kernel memory usage. It is r <<
55 of loaded policy, and check point an <<
56 can be disabled for embedded systems <<
57 cpu is paramount. <<
58 32
59 config SECURITY_APPARMOR_HASH 33 config SECURITY_APPARMOR_HASH
60 bool "Enable introspection of sha256 h !! 34 bool "Enable introspection of sha1 hashes for loaded profiles"
61 depends on SECURITY_APPARMOR_INTROSPEC !! 35 depends on SECURITY_APPARMOR
62 select CRYPTO 36 select CRYPTO
63 select CRYPTO_SHA256 !! 37 select CRYPTO_SHA1
64 default y 38 default y
>> 39
65 help 40 help
66 This option selects whether introspe 41 This option selects whether introspection of loaded policy
67 hashes is available to userspace via !! 42 is available to userspace via the apparmor filesystem.
68 filesystem. This option provides a l <<
69 checking loaded policy. This option <<
70 time and can be disabled for small e <<
71 43
72 config SECURITY_APPARMOR_HASH_DEFAULT 44 config SECURITY_APPARMOR_HASH_DEFAULT
73 bool "Enable policy hash introspection 45 bool "Enable policy hash introspection by default"
74 depends on SECURITY_APPARMOR_HASH 46 depends on SECURITY_APPARMOR_HASH
75 default y 47 default y
>> 48
76 help 49 help
77 This option selects whether sha256 ha !! 50 This option selects whether sha1 hashing of loaded policy
78 is enabled by default. The generation !! 51 is enabled by default. The generation of sha1 hashes for
79 loaded policy provide system administ !! 52 loaded policy provide system administrators a quick way
80 verify that policy in the kernel matc !! 53 to verify that policy in the kernel matches what is expected,
81 however it can slow down policy load 54 however it can slow down policy load on some devices. In
82 these cases policy hashing can be dis 55 these cases policy hashing can be disabled by default and
83 enabled only if needed. 56 enabled only if needed.
84 <<
85 config SECURITY_APPARMOR_EXPORT_BINARY <<
86 bool "Allow exporting the raw binary p <<
87 depends on SECURITY_APPARMOR_INTROSPEC <<
88 select ZSTD_COMPRESS <<
89 select ZSTD_DECOMPRESS <<
90 default y <<
91 help <<
92 This option allows reading back bina <<
93 It increases the amount of kernel me <<
94 also increases policy load time. Thi <<
95 checkpoint and restore support, and <<
96 <<
97 config SECURITY_APPARMOR_PARANOID_LOAD <<
98 bool "Perform full verification of loa <<
99 depends on SECURITY_APPARMOR <<
100 default y <<
101 help <<
102 This options allows controlling whet <<
103 verification of loaded policy. This <<
104 except for embedded systems where th <<
105 includes policy, and has some form o <<
106 Disabling the check will speed up po <<
107 <<
108 config SECURITY_APPARMOR_KUNIT_TEST <<
109 tristate "Build KUnit tests for policy <<
110 depends on KUNIT && SECURITY_APPARMOR <<
111 default KUNIT_ALL_TESTS <<
112 help <<
113 This builds the AppArmor KUnit tests <<
114 <<
115 KUnit tests run during boot and outp <<
116 in TAP format (https://testanything. <<
117 running KUnit test harness and are n <<
118 production build. <<
119 <<
120 For more information on KUnit and un <<
121 to the KUnit documentation in Docume <<
122 <<
123 If unsure, say N. <<
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.