projects / mirror_ubuntu-jammy-kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| 016d825f JJ |
2 | config SECURITY_APPARMOR |
| 3 | bool "AppArmor support" | |
| 06c22dad | 4 | depends on SECURITY && NET |
| 016d825f JJ |
5 | select AUDIT |
| 6 | select SECURITY_PATH | |
| 7 | select SECURITYFS | |
| 8 | select SECURITY_NETWORK | |
| fe166a9f JJ |
9 | select ZLIB_INFLATE |
| 10 | select ZLIB_DEFLATE | |
| 016d825f JJ |
11 | default n |
| 12 | help | |
| 13 | This enables the AppArmor security module. | |
| 14 | Required userspace tools (if they are not included in your | |
| 15 | distribution) and further information may be found at | |
| 16 | http://apparmor.wiki.kernel.org | |
| 17 | ||
| 18 | If you are unsure how to answer this question, answer N. | |
| 19 | ||
| f8eb8a13 | 20 | config SECURITY_APPARMOR_HASH |
| 6059f71f | 21 | bool "Enable introspection of sha1 hashes for loaded profiles" |
| f8eb8a13 | 22 | depends on SECURITY_APPARMOR |
| 083c1290 | 23 | select CRYPTO |
| f8eb8a13 JJ |
24 | select CRYPTO_SHA1 |
| 25 | default y | |
| f8eb8a13 | 26 | help |
| 6059f71f JJ |
27 | This option selects whether introspection of loaded policy |
| 28 | is available to userspace via the apparmor filesystem. | |
| 29 | ||
| 30 | config SECURITY_APPARMOR_HASH_DEFAULT | |
| 31 | bool "Enable policy hash introspection by default" | |
| 32 | depends on SECURITY_APPARMOR_HASH | |
| 33 | default y | |
| 6059f71f JJ |
34 | help |
| 35 | This option selects whether sha1 hashing of loaded policy | |
| 36 | is enabled by default. The generation of sha1 hashes for | |
| 37 | loaded policy provide system administrators a quick way | |
| 38 | to verify that policy in the kernel matches what is expected, | |
| 39 | however it can slow down policy load on some devices. In | |
| 40 | these cases policy hashing can be disabled by default and | |
| 41 | enabled only if needed. | |
| 680cd62e JJ |
42 | |
| 43 | config SECURITY_APPARMOR_DEBUG | |
| 44 | bool "Build AppArmor with debug code" | |
| 45 | depends on SECURITY_APPARMOR | |
| 46 | default n | |
| 47 | help | |
| 48 | Build apparmor with debugging logic in apparmor. Not all | |
| 49 | debugging logic will necessarily be enabled. A submenu will | |
| 50 | provide fine grained control of the debug options that are | |
| 51 | available. | |
| 52 | ||
| 53 | config SECURITY_APPARMOR_DEBUG_ASSERTS | |
| 54 | bool "Build AppArmor with debugging asserts" | |
| 55 | depends on SECURITY_APPARMOR_DEBUG | |
| 56 | default y | |
| 57 | help | |
| 58 | Enable code assertions made with AA_BUG. These are primarily | |
| 59 | function entry preconditions but also exist at other key | |
| 60 | points. If the assert is triggered it will trigger a WARN | |
| 61 | message. | |
| 62 | ||
| 63 | config SECURITY_APPARMOR_DEBUG_MESSAGES | |
| 64 | bool "Debug messages enabled by default" | |
| 65 | depends on SECURITY_APPARMOR_DEBUG | |
| 66 | default n | |
| 67 | help | |
| 68 | Set the default value of the apparmor.debug kernel parameter. | |
| 69 | When enabled, various debug messages will be logged to | |
| 70 | the kernel message buffer. | |
| 4d944bcd MS |
71 | |
| 72 | config SECURITY_APPARMOR_KUNIT_TEST | |
| 6d6861d4 | 73 | bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS |
| 35c57fc3 | 74 | depends on KUNIT=y && SECURITY_APPARMOR |
| 6d6861d4 | 75 | default KUNIT_ALL_TESTS |
| 4d944bcd MS |
76 | help |
| 77 | This builds the AppArmor KUnit tests. | |
| 78 | ||
| 79 | KUnit tests run during boot and output the results to the debug log | |
| c9fecf50 | 80 | in TAP format (https://testanything.org/). Only useful for kernel devs |
| 4d944bcd MS |
81 | running KUnit test harness and are not for inclusion into a |
| 82 | production build. | |
| 83 | ||
| 84 | For more information on KUnit and unit tests in general please refer | |
| 85 | to the KUnit documentation in Documentation/dev-tools/kunit/. | |
| 86 | ||
| 87 | If unsure, say N. |