Kconfig 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
  1. # SPDX-License-Identifier: GPL-2.0-only
  2. config SECURITY_APPARMOR
  3. bool "AppArmor support"
  4. depends on SECURITY && NET
  5. select AUDIT
  6. select SECURITY_PATH
  7. select SECURITYFS
  8. select SECURITY_NETWORK
  9. default n
  10. help
  11. This enables the AppArmor security module.
  12. Required userspace tools (if they are not included in your
  13. distribution) and further information may be found at
  14. http://apparmor.wiki.kernel.org
  15. If you are unsure how to answer this question, answer N.
  16. config SECURITY_APPARMOR_DEBUG
  17. bool "Build AppArmor with debug code"
  18. depends on SECURITY_APPARMOR
  19. default n
  20. help
  21. Build apparmor with debugging logic in apparmor. Not all
  22. debugging logic will necessarily be enabled. A submenu will
  23. provide fine grained control of the debug options that are
  24. available.
  25. config SECURITY_APPARMOR_DEBUG_ASSERTS
  26. bool "Build AppArmor with debugging asserts"
  27. depends on SECURITY_APPARMOR_DEBUG
  28. default y
  29. help
  30. Enable code assertions made with AA_BUG. These are primarily
  31. function entry preconditions but also exist at other key
  32. points. If the assert is triggered it will trigger a WARN
  33. message.
  34. config SECURITY_APPARMOR_DEBUG_MESSAGES
  35. bool "Debug messages enabled by default"
  36. depends on SECURITY_APPARMOR_DEBUG
  37. default n
  38. help
  39. Set the default value of the apparmor.debug kernel parameter.
  40. When enabled, various debug messages will be logged to
  41. the kernel message buffer.
  42. config SECURITY_APPARMOR_INTROSPECT_POLICY
  43. bool "Allow loaded policy to be introspected"
  44. depends on SECURITY_APPARMOR
  45. default y
  46. help
  47. This option selects whether introspection of loaded policy
  48. is available to userspace via the apparmor filesystem. This
  49. adds to kernel memory usage. It is required for introspection
  50. of loaded policy, and check point and restore support. It
  51. can be disabled for embedded systems where reducing memory and
  52. cpu is paramount.
  53. config SECURITY_APPARMOR_HASH
  54. bool "Enable introspection of sha1 hashes for loaded profiles"
  55. depends on SECURITY_APPARMOR_INTROSPECT_POLICY
  56. select CRYPTO
  57. select CRYPTO_SHA1
  58. default y
  59. help
  60. This option selects whether introspection of loaded policy
  61. hashes is available to userspace via the apparmor
  62. filesystem. This option provides a light weight means of
  63. checking loaded policy. This option adds to policy load
  64. time and can be disabled for small embedded systems.
  65. config SECURITY_APPARMOR_HASH_DEFAULT
  66. bool "Enable policy hash introspection by default"
  67. depends on SECURITY_APPARMOR_HASH
  68. default y
  69. help
  70. This option selects whether sha1 hashing of loaded policy
  71. is enabled by default. The generation of sha1 hashes for
  72. loaded policy provide system administrators a quick way
  73. to verify that policy in the kernel matches what is expected,
  74. however it can slow down policy load on some devices. In
  75. these cases policy hashing can be disabled by default and
  76. enabled only if needed.
  77. config SECURITY_APPARMOR_EXPORT_BINARY
  78. bool "Allow exporting the raw binary policy"
  79. depends on SECURITY_APPARMOR_INTROSPECT_POLICY
  80. select ZLIB_INFLATE
  81. select ZLIB_DEFLATE
  82. default y
  83. help
  84. This option allows reading back binary policy as it was loaded.
  85. It increases the amount of kernel memory needed by policy and
  86. also increases policy load time. This option is required for
  87. checkpoint and restore support, and debugging of loaded policy.
  88. config SECURITY_APPARMOR_PARANOID_LOAD
  89. bool "Perform full verification of loaded policy"
  90. depends on SECURITY_APPARMOR
  91. default y
  92. help
  93. This options allows controlling whether apparmor does a full
  94. verification of loaded policy. This should not be disabled
  95. except for embedded systems where the image is read only,
  96. includes policy, and has some form of integrity check.
  97. Disabling the check will speed up policy loads.
  98. config SECURITY_APPARMOR_KUNIT_TEST
  99. tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
  100. depends on KUNIT && SECURITY_APPARMOR
  101. default KUNIT_ALL_TESTS
  102. help
  103. This builds the AppArmor KUnit tests.
  104. KUnit tests run during boot and output the results to the debug log
  105. in TAP format (https://testanything.org/). Only useful for kernel devs
  106. running KUnit test harness and are not for inclusion into a
  107. production build.
  108. For more information on KUnit and unit tests in general please refer
  109. to the KUnit documentation in Documentation/dev-tools/kunit/.
  110. If unsure, say N.