1# SPDX-License-Identifier: GPL-2.0-only 2config SECURITY_APPARMOR 3 bool "AppArmor support" 4 depends on SECURITY && NET 5 select AUDIT 6 select SECURITY_PATH 7 select SECURITYFS 8 select SECURITY_NETWORK 9 select ZLIB_INFLATE 10 select ZLIB_DEFLATE 11 default n 12 help 13 This enables the AppArmor security module. 14 Required userspace tools (if they are not included in your 15 distribution) and further information may be found at 16 http://apparmor.wiki.kernel.org 17 18 If you are unsure how to answer this question, answer N. 19 20config SECURITY_APPARMOR_HASH 21 bool "Enable introspection of sha1 hashes for loaded profiles" 22 depends on SECURITY_APPARMOR 23 select CRYPTO 24 select CRYPTO_SHA1 25 default y 26 help 27 This option selects whether introspection of loaded policy 28 is available to userspace via the apparmor filesystem. 29 30config SECURITY_APPARMOR_HASH_DEFAULT 31 bool "Enable policy hash introspection by default" 32 depends on SECURITY_APPARMOR_HASH 33 default y 34 help 35 This option selects whether sha1 hashing of loaded policy 36 is enabled by default. The generation of sha1 hashes for 37 loaded policy provide system administrators a quick way 38 to verify that policy in the kernel matches what is expected, 39 however it can slow down policy load on some devices. In 40 these cases policy hashing can be disabled by default and 41 enabled only if needed. 42 43config SECURITY_APPARMOR_DEBUG 44 bool "Build AppArmor with debug code" 45 depends on SECURITY_APPARMOR 46 default n 47 help 48 Build apparmor with debugging logic in apparmor. Not all 49 debugging logic will necessarily be enabled. A submenu will 50 provide fine grained control of the debug options that are 51 available. 52 53config SECURITY_APPARMOR_DEBUG_ASSERTS 54 bool "Build AppArmor with debugging asserts" 55 depends on SECURITY_APPARMOR_DEBUG 56 default y 57 help 58 Enable code assertions made with AA_BUG. These are primarily 59 function entry preconditions but also exist at other key 60 points. If the assert is triggered it will trigger a WARN 61 message. 62 63config SECURITY_APPARMOR_DEBUG_MESSAGES 64 bool "Debug messages enabled by default" 65 depends on SECURITY_APPARMOR_DEBUG 66 default n 67 help 68 Set the default value of the apparmor.debug kernel parameter. 69 When enabled, various debug messages will be logged to 70 the kernel message buffer. 71 72config SECURITY_APPARMOR_KUNIT_TEST 73 bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS 74 depends on KUNIT=y && SECURITY_APPARMOR 75 default KUNIT_ALL_TESTS 76 help 77 This builds the AppArmor KUnit tests. 78 79 KUnit tests run during boot and output the results to the debug log 80 in TAP format (http://testanything.org/). Only useful for kernel devs 81 running KUnit test harness and are not for inclusion into a 82 production build. 83 84 For more information on KUnit and unit tests in general please refer 85 to the KUnit documentation in Documentation/dev-tools/kunit/. 86 87 If unsure, say N. 88