18c2ecf20Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only
28c2ecf20Sopenharmony_ciconfig SECURITY_APPARMOR
38c2ecf20Sopenharmony_ci	bool "AppArmor support"
48c2ecf20Sopenharmony_ci	depends on SECURITY && NET
58c2ecf20Sopenharmony_ci	select AUDIT
68c2ecf20Sopenharmony_ci	select SECURITY_PATH
78c2ecf20Sopenharmony_ci	select SECURITYFS
88c2ecf20Sopenharmony_ci	select SECURITY_NETWORK
98c2ecf20Sopenharmony_ci	select ZLIB_INFLATE
108c2ecf20Sopenharmony_ci	select ZLIB_DEFLATE
118c2ecf20Sopenharmony_ci	default n
128c2ecf20Sopenharmony_ci	help
138c2ecf20Sopenharmony_ci	  This enables the AppArmor security module.
148c2ecf20Sopenharmony_ci	  Required userspace tools (if they are not included in your
158c2ecf20Sopenharmony_ci	  distribution) and further information may be found at
168c2ecf20Sopenharmony_ci	  http://apparmor.wiki.kernel.org
178c2ecf20Sopenharmony_ci
188c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
198c2ecf20Sopenharmony_ci
208c2ecf20Sopenharmony_ciconfig SECURITY_APPARMOR_HASH
218c2ecf20Sopenharmony_ci	bool "Enable introspection of sha1 hashes for loaded profiles"
228c2ecf20Sopenharmony_ci	depends on SECURITY_APPARMOR
238c2ecf20Sopenharmony_ci	select CRYPTO
248c2ecf20Sopenharmony_ci	select CRYPTO_SHA1
258c2ecf20Sopenharmony_ci	default y
268c2ecf20Sopenharmony_ci	help
278c2ecf20Sopenharmony_ci	  This option selects whether introspection of loaded policy
288c2ecf20Sopenharmony_ci	  is available to userspace via the apparmor filesystem.
298c2ecf20Sopenharmony_ci
308c2ecf20Sopenharmony_ciconfig SECURITY_APPARMOR_HASH_DEFAULT
318c2ecf20Sopenharmony_ci       bool "Enable policy hash introspection by default"
328c2ecf20Sopenharmony_ci       depends on SECURITY_APPARMOR_HASH
338c2ecf20Sopenharmony_ci       default y
348c2ecf20Sopenharmony_ci       help
358c2ecf20Sopenharmony_ci         This option selects whether sha1 hashing of loaded policy
368c2ecf20Sopenharmony_ci	 is enabled by default. The generation of sha1 hashes for
378c2ecf20Sopenharmony_ci	 loaded policy provide system administrators a quick way
388c2ecf20Sopenharmony_ci	 to verify that policy in the kernel matches what is expected,
398c2ecf20Sopenharmony_ci	 however it can slow down policy load on some devices. In
408c2ecf20Sopenharmony_ci	 these cases policy hashing can be disabled by default and
418c2ecf20Sopenharmony_ci	 enabled only if needed.
428c2ecf20Sopenharmony_ci
438c2ecf20Sopenharmony_ciconfig SECURITY_APPARMOR_DEBUG
448c2ecf20Sopenharmony_ci	bool "Build AppArmor with debug code"
458c2ecf20Sopenharmony_ci	depends on SECURITY_APPARMOR
468c2ecf20Sopenharmony_ci	default n
478c2ecf20Sopenharmony_ci	help
488c2ecf20Sopenharmony_ci	  Build apparmor with debugging logic in apparmor. Not all
498c2ecf20Sopenharmony_ci	  debugging logic will necessarily be enabled. A submenu will
508c2ecf20Sopenharmony_ci	  provide fine grained control of the debug options that are
518c2ecf20Sopenharmony_ci	  available.
528c2ecf20Sopenharmony_ci
538c2ecf20Sopenharmony_ciconfig SECURITY_APPARMOR_DEBUG_ASSERTS
548c2ecf20Sopenharmony_ci	bool "Build AppArmor with debugging asserts"
558c2ecf20Sopenharmony_ci	depends on SECURITY_APPARMOR_DEBUG
568c2ecf20Sopenharmony_ci	default y
578c2ecf20Sopenharmony_ci	help
588c2ecf20Sopenharmony_ci	  Enable code assertions made with AA_BUG. These are primarily
598c2ecf20Sopenharmony_ci	  function entry preconditions but also exist at other key
608c2ecf20Sopenharmony_ci	  points. If the assert is triggered it will trigger a WARN
618c2ecf20Sopenharmony_ci	  message.
628c2ecf20Sopenharmony_ci
638c2ecf20Sopenharmony_ciconfig SECURITY_APPARMOR_DEBUG_MESSAGES
648c2ecf20Sopenharmony_ci	bool "Debug messages enabled by default"
658c2ecf20Sopenharmony_ci	depends on SECURITY_APPARMOR_DEBUG
668c2ecf20Sopenharmony_ci	default n
678c2ecf20Sopenharmony_ci	help
688c2ecf20Sopenharmony_ci	  Set the default value of the apparmor.debug kernel parameter.
698c2ecf20Sopenharmony_ci	  When enabled, various debug messages will be logged to
708c2ecf20Sopenharmony_ci	  the kernel message buffer.
718c2ecf20Sopenharmony_ci
728c2ecf20Sopenharmony_ciconfig SECURITY_APPARMOR_KUNIT_TEST
738c2ecf20Sopenharmony_ci	bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
748c2ecf20Sopenharmony_ci	depends on KUNIT=y && SECURITY_APPARMOR
758c2ecf20Sopenharmony_ci	default KUNIT_ALL_TESTS
768c2ecf20Sopenharmony_ci	help
778c2ecf20Sopenharmony_ci	  This builds the AppArmor KUnit tests.
788c2ecf20Sopenharmony_ci
798c2ecf20Sopenharmony_ci	  KUnit tests run during boot and output the results to the debug log
808c2ecf20Sopenharmony_ci	  in TAP format (https://testanything.org/). Only useful for kernel devs
818c2ecf20Sopenharmony_ci	  running KUnit test harness and are not for inclusion into a
828c2ecf20Sopenharmony_ci	  production build.
838c2ecf20Sopenharmony_ci
848c2ecf20Sopenharmony_ci	  For more information on KUnit and unit tests in general please refer
858c2ecf20Sopenharmony_ci	  to the KUnit documentation in Documentation/dev-tools/kunit/.
868c2ecf20Sopenharmony_ci
878c2ecf20Sopenharmony_ci	  If unsure, say N.
88