Linux Audio

Check our new training course

Open Menu / security / apparmor / Kconfig
Loading...
v4.17
 
 1config SECURITY_APPARMOR
 2	bool "AppArmor support"
 3	depends on SECURITY && NET
 4	select AUDIT
 5	select SECURITY_PATH
 6	select SECURITYFS
 7	select SECURITY_NETWORK
 8	default n
 9	help
10	  This enables the AppArmor security module.
11	  Required userspace tools (if they are not included in your
12	  distribution) and further information may be found at
13	  http://apparmor.wiki.kernel.org
14
15	  If you are unsure how to answer this question, answer N.
16
17config SECURITY_APPARMOR_BOOTPARAM_VALUE
18	int "AppArmor boot parameter default value"
19	depends on SECURITY_APPARMOR
20	range 0 1
21	default 1
22	help
23	  This option sets the default value for the kernel parameter
24	  'apparmor', which allows AppArmor to be enabled or disabled
25          at boot.  If this option is set to 0 (zero), the AppArmor
26	  kernel parameter will default to 0, disabling AppArmor at
27	  boot.  If this option is set to 1 (one), the AppArmor
28	  kernel parameter will default to 1, enabling AppArmor at
29	  boot.
30
31	  If you are unsure how to answer this question, answer 1.
32
33config SECURITY_APPARMOR_HASH
34	bool "Enable introspection of sha1 hashes for loaded profiles"
35	depends on SECURITY_APPARMOR
36	select CRYPTO
37	select CRYPTO_SHA1
38	default y
39	help
40	  This option selects whether introspection of loaded policy
41	  is available to userspace via the apparmor filesystem.
42
43config SECURITY_APPARMOR_HASH_DEFAULT
44       bool "Enable policy hash introspection by default"
45       depends on SECURITY_APPARMOR_HASH
46       default y
47       help
48         This option selects whether sha1 hashing of loaded policy
49	 is enabled by default. The generation of sha1 hashes for
50	 loaded policy provide system administrators a quick way
51	 to verify that policy in the kernel matches what is expected,
52	 however it can slow down policy load on some devices. In
53	 these cases policy hashing can be disabled by default and
54	 enabled only if needed.
55
56config SECURITY_APPARMOR_DEBUG
57	bool "Build AppArmor with debug code"
58	depends on SECURITY_APPARMOR
59	default n
60	help
61	  Build apparmor with debugging logic in apparmor. Not all
62	  debugging logic will necessarily be enabled. A submenu will
63	  provide fine grained control of the debug options that are
64	  available.
65
66config SECURITY_APPARMOR_DEBUG_ASSERTS
67	bool "Build AppArmor with debugging asserts"
68	depends on SECURITY_APPARMOR_DEBUG
69	default y
70	help
71	  Enable code assertions made with AA_BUG. These are primarily
72	  function entry preconditions but also exist at other key
73	  points. If the assert is triggered it will trigger a WARN
74	  message.
75
76config SECURITY_APPARMOR_DEBUG_MESSAGES
77	bool "Debug messages enabled by default"
78	depends on SECURITY_APPARMOR_DEBUG
79	default n
80	help
81	  Set the default value of the apparmor.debug kernel parameter.
82	  When enabled, various debug messages will be logged to
83	  the kernel message buffer.
v6.8
  1# SPDX-License-Identifier: GPL-2.0-only
  2config SECURITY_APPARMOR
  3	bool "AppArmor support"
  4	depends on SECURITY && NET
  5	select AUDIT
  6	select SECURITY_PATH
  7	select SECURITYFS
  8	select SECURITY_NETWORK
  9	default n
 10	help
 11	  This enables the AppArmor security module.
 12	  Required userspace tools (if they are not included in your
 13	  distribution) and further information may be found at
 14	  http://apparmor.wiki.kernel.org
 15
 16	  If you are unsure how to answer this question, answer N.
 17
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 18config SECURITY_APPARMOR_DEBUG
 19	bool "Build AppArmor with debug code"
 20	depends on SECURITY_APPARMOR
 21	default n
 22	help
 23	  Build apparmor with debugging logic in apparmor. Not all
 24	  debugging logic will necessarily be enabled. A submenu will
 25	  provide fine grained control of the debug options that are
 26	  available.
 27
 28config SECURITY_APPARMOR_DEBUG_ASSERTS
 29	bool "Build AppArmor with debugging asserts"
 30	depends on SECURITY_APPARMOR_DEBUG
 31	default y
 32	help
 33	  Enable code assertions made with AA_BUG. These are primarily
 34	  function entry preconditions but also exist at other key
 35	  points. If the assert is triggered it will trigger a WARN
 36	  message.
 37
 38config SECURITY_APPARMOR_DEBUG_MESSAGES
 39	bool "Debug messages enabled by default"
 40	depends on SECURITY_APPARMOR_DEBUG
 41	default n
 42	help
 43	  Set the default value of the apparmor.debug kernel parameter.
 44	  When enabled, various debug messages will be logged to
 45	  the kernel message buffer.
 46
 47config SECURITY_APPARMOR_INTROSPECT_POLICY
 48	bool "Allow loaded policy to be introspected"
 49	depends on SECURITY_APPARMOR
 50	default y
 51	help
 52	  This option selects whether introspection of loaded policy
 53	  is available to userspace via the apparmor filesystem. This
 54	  adds to kernel memory usage. It is required for introspection
 55	  of loaded policy, and check point and restore support. It
 56	  can be disabled for embedded systems where reducing memory and
 57	  cpu is paramount.
 58
 59config SECURITY_APPARMOR_HASH
 60	bool "Enable introspection of sha256 hashes for loaded profiles"
 61	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
 62	select CRYPTO
 63	select CRYPTO_SHA256
 64	default y
 65	help
 66	  This option selects whether introspection of loaded policy
 67	  hashes is available to userspace via the apparmor
 68	  filesystem. This option provides a light weight means of
 69	  checking loaded policy.  This option adds to policy load
 70	  time and can be disabled for small embedded systems.
 71
 72config SECURITY_APPARMOR_HASH_DEFAULT
 73       bool "Enable policy hash introspection by default"
 74       depends on SECURITY_APPARMOR_HASH
 75       default y
 76       help
 77	 This option selects whether sha256 hashing of loaded policy
 78	 is enabled by default. The generation of sha256 hashes for
 79	 loaded policy provide system administrators a quick way to
 80	 verify that policy in the kernel matches what is expected,
 81	 however it can slow down policy load on some devices. In
 82	 these cases policy hashing can be disabled by default and
 83	 enabled only if needed.
 84
 85config SECURITY_APPARMOR_EXPORT_BINARY
 86	bool "Allow exporting the raw binary policy"
 87	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
 88	select ZSTD_COMPRESS
 89	select ZSTD_DECOMPRESS
 90	default y
 91	help
 92	  This option allows reading back binary policy as it was loaded.
 93	  It increases the amount of kernel memory needed by policy and
 94	  also increases policy load time. This option is required for
 95	  checkpoint and restore support, and debugging of loaded policy.
 96
 97config SECURITY_APPARMOR_PARANOID_LOAD
 98	bool "Perform full verification of loaded policy"
 99	depends on SECURITY_APPARMOR
100	default y
101	help
102	  This options allows controlling whether apparmor does a full
103	  verification of loaded policy. This should not be disabled
104	  except for embedded systems where the image is read only,
105	  includes policy, and has some form of integrity check.
106	  Disabling the check will speed up policy loads.
107
108config SECURITY_APPARMOR_KUNIT_TEST
109	tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
110	depends on KUNIT && SECURITY_APPARMOR
111	default KUNIT_ALL_TESTS
112	help
113	  This builds the AppArmor KUnit tests.
114
115	  KUnit tests run during boot and output the results to the debug log
116	  in TAP format (https://testanything.org/). Only useful for kernel devs
117	  running KUnit test harness and are not for inclusion into a
118	  production build.
119
120	  For more information on KUnit and unit tests in general please refer
121	  to the KUnit documentation in Documentation/dev-tools/kunit/.
122
123	  If unsure, say N.