xref: /openbmc/linux/security/apparmor/Kconfig (revision 51bc620b)
1# SPDX-License-Identifier: GPL-2.0-only
2config SECURITY_APPARMOR
3	bool "AppArmor support"
4	depends on SECURITY && NET
5	select AUDIT
6	select SECURITY_PATH
7	select SECURITYFS
8	select SECURITY_NETWORK
9	default n
10	help
11	  This enables the AppArmor security module.
12	  Required userspace tools (if they are not included in your
13	  distribution) and further information may be found at
14	  http://apparmor.wiki.kernel.org
15
16	  If you are unsure how to answer this question, answer N.
17
18config SECURITY_APPARMOR_HASH
19	bool "Enable introspection of sha1 hashes for loaded profiles"
20	depends on SECURITY_APPARMOR
21	select CRYPTO
22	select CRYPTO_SHA1
23	default y
24	help
25	  This option selects whether introspection of loaded policy
26	  is available to userspace via the apparmor filesystem.
27
28config SECURITY_APPARMOR_HASH_DEFAULT
29       bool "Enable policy hash introspection by default"
30       depends on SECURITY_APPARMOR_HASH
31       default y
32       help
33         This option selects whether sha1 hashing of loaded policy
34	 is enabled by default. The generation of sha1 hashes for
35	 loaded policy provide system administrators a quick way
36	 to verify that policy in the kernel matches what is expected,
37	 however it can slow down policy load on some devices. In
38	 these cases policy hashing can be disabled by default and
39	 enabled only if needed.
40
41config SECURITY_APPARMOR_DEBUG
42	bool "Build AppArmor with debug code"
43	depends on SECURITY_APPARMOR
44	default n
45	help
46	  Build apparmor with debugging logic in apparmor. Not all
47	  debugging logic will necessarily be enabled. A submenu will
48	  provide fine grained control of the debug options that are
49	  available.
50
51config SECURITY_APPARMOR_DEBUG_ASSERTS
52	bool "Build AppArmor with debugging asserts"
53	depends on SECURITY_APPARMOR_DEBUG
54	default y
55	help
56	  Enable code assertions made with AA_BUG. These are primarily
57	  function entry preconditions but also exist at other key
58	  points. If the assert is triggered it will trigger a WARN
59	  message.
60
61config SECURITY_APPARMOR_DEBUG_MESSAGES
62	bool "Debug messages enabled by default"
63	depends on SECURITY_APPARMOR_DEBUG
64	default n
65	help
66	  Set the default value of the apparmor.debug kernel parameter.
67	  When enabled, various debug messages will be logged to
68	  the kernel message buffer.
69