~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/apparmor/Kconfig

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 # SPDX-License-Identifier: GPL-2.0-only
  2 config SECURITY_APPARMOR
  3         bool "AppArmor support"
  4         depends on SECURITY && NET
  5         select AUDIT
  6         select SECURITY_PATH
  7         select SECURITYFS
  8         select SECURITY_NETWORK
  9         default n
 10         help
 11           This enables the AppArmor security module.
 12           Required userspace tools (if they are not included in your
 13           distribution) and further information may be found at
 14           http://apparmor.wiki.kernel.org
 15 
 16           If you are unsure how to answer this question, answer N.
 17 
 18 config SECURITY_APPARMOR_DEBUG
 19         bool "Build AppArmor with debug code"
 20         depends on SECURITY_APPARMOR
 21         default n
 22         help
 23           Build apparmor with debugging logic in apparmor. Not all
 24           debugging logic will necessarily be enabled. A submenu will
 25           provide fine grained control of the debug options that are
 26           available.
 27 
 28 config SECURITY_APPARMOR_DEBUG_ASSERTS
 29         bool "Build AppArmor with debugging asserts"
 30         depends on SECURITY_APPARMOR_DEBUG
 31         default y
 32         help
 33           Enable code assertions made with AA_BUG. These are primarily
 34           function entry preconditions but also exist at other key
 35           points. If the assert is triggered it will trigger a WARN
 36           message.
 37 
 38 config SECURITY_APPARMOR_DEBUG_MESSAGES
 39         bool "Debug messages enabled by default"
 40         depends on SECURITY_APPARMOR_DEBUG
 41         default n
 42         help
 43           Set the default value of the apparmor.debug kernel parameter.
 44           When enabled, various debug messages will be logged to
 45           the kernel message buffer.
 46 
 47 config SECURITY_APPARMOR_INTROSPECT_POLICY
 48         bool "Allow loaded policy to be introspected"
 49         depends on SECURITY_APPARMOR
 50         default y
 51         help
 52           This option selects whether introspection of loaded policy
 53           is available to userspace via the apparmor filesystem. This
 54           adds to kernel memory usage. It is required for introspection
 55           of loaded policy, and check point and restore support. It
 56           can be disabled for embedded systems where reducing memory and
 57           cpu is paramount.
 58 
 59 config SECURITY_APPARMOR_HASH
 60         bool "Enable introspection of sha256 hashes for loaded profiles"
 61         depends on SECURITY_APPARMOR_INTROSPECT_POLICY
 62         select CRYPTO
 63         select CRYPTO_SHA256
 64         default y
 65         help
 66           This option selects whether introspection of loaded policy
 67           hashes is available to userspace via the apparmor
 68           filesystem. This option provides a light weight means of
 69           checking loaded policy.  This option adds to policy load
 70           time and can be disabled for small embedded systems.
 71 
 72 config SECURITY_APPARMOR_HASH_DEFAULT
 73        bool "Enable policy hash introspection by default"
 74        depends on SECURITY_APPARMOR_HASH
 75        default y
 76        help
 77          This option selects whether sha256 hashing of loaded policy
 78          is enabled by default. The generation of sha256 hashes for
 79          loaded policy provide system administrators a quick way to
 80          verify that policy in the kernel matches what is expected,
 81          however it can slow down policy load on some devices. In
 82          these cases policy hashing can be disabled by default and
 83          enabled only if needed.
 84 
 85 config SECURITY_APPARMOR_EXPORT_BINARY
 86         bool "Allow exporting the raw binary policy"
 87         depends on SECURITY_APPARMOR_INTROSPECT_POLICY
 88         select ZSTD_COMPRESS
 89         select ZSTD_DECOMPRESS
 90         default y
 91         help
 92           This option allows reading back binary policy as it was loaded.
 93           It increases the amount of kernel memory needed by policy and
 94           also increases policy load time. This option is required for
 95           checkpoint and restore support, and debugging of loaded policy.
 96 
 97 config SECURITY_APPARMOR_PARANOID_LOAD
 98         bool "Perform full verification of loaded policy"
 99         depends on SECURITY_APPARMOR
100         default y
101         help
102           This options allows controlling whether apparmor does a full
103           verification of loaded policy. This should not be disabled
104           except for embedded systems where the image is read only,
105           includes policy, and has some form of integrity check.
106           Disabling the check will speed up policy loads.
107 
108 config SECURITY_APPARMOR_KUNIT_TEST
109         tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
110         depends on KUNIT && SECURITY_APPARMOR
111         default KUNIT_ALL_TESTS
112         help
113           This builds the AppArmor KUnit tests.
114 
115           KUnit tests run during boot and output the results to the debug log
116           in TAP format (https://testanything.org/). Only useful for kernel devs
117           running KUnit test harness and are not for inclusion into a
118           production build.
119 
120           For more information on KUnit and unit tests in general please refer
121           to the KUnit documentation in Documentation/dev-tools/kunit/.
122 
123           If unsure, say N.

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php