162306a36Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only
262306a36Sopenharmony_ciconfig SECURITY_APPARMOR
362306a36Sopenharmony_ci	bool "AppArmor support"
462306a36Sopenharmony_ci	depends on SECURITY && NET
562306a36Sopenharmony_ci	select AUDIT
662306a36Sopenharmony_ci	select SECURITY_PATH
762306a36Sopenharmony_ci	select SECURITYFS
862306a36Sopenharmony_ci	select SECURITY_NETWORK
962306a36Sopenharmony_ci	default n
1062306a36Sopenharmony_ci	help
1162306a36Sopenharmony_ci	  This enables the AppArmor security module.
1262306a36Sopenharmony_ci	  Required userspace tools (if they are not included in your
1362306a36Sopenharmony_ci	  distribution) and further information may be found at
1462306a36Sopenharmony_ci	  http://apparmor.wiki.kernel.org
1562306a36Sopenharmony_ci
1662306a36Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
1762306a36Sopenharmony_ci
1862306a36Sopenharmony_ciconfig SECURITY_APPARMOR_DEBUG
1962306a36Sopenharmony_ci	bool "Build AppArmor with debug code"
2062306a36Sopenharmony_ci	depends on SECURITY_APPARMOR
2162306a36Sopenharmony_ci	default n
2262306a36Sopenharmony_ci	help
2362306a36Sopenharmony_ci	  Build apparmor with debugging logic in apparmor. Not all
2462306a36Sopenharmony_ci	  debugging logic will necessarily be enabled. A submenu will
2562306a36Sopenharmony_ci	  provide fine grained control of the debug options that are
2662306a36Sopenharmony_ci	  available.
2762306a36Sopenharmony_ci
2862306a36Sopenharmony_ciconfig SECURITY_APPARMOR_DEBUG_ASSERTS
2962306a36Sopenharmony_ci	bool "Build AppArmor with debugging asserts"
3062306a36Sopenharmony_ci	depends on SECURITY_APPARMOR_DEBUG
3162306a36Sopenharmony_ci	default y
3262306a36Sopenharmony_ci	help
3362306a36Sopenharmony_ci	  Enable code assertions made with AA_BUG. These are primarily
3462306a36Sopenharmony_ci	  function entry preconditions but also exist at other key
3562306a36Sopenharmony_ci	  points. If the assert is triggered it will trigger a WARN
3662306a36Sopenharmony_ci	  message.
3762306a36Sopenharmony_ci
3862306a36Sopenharmony_ciconfig SECURITY_APPARMOR_DEBUG_MESSAGES
3962306a36Sopenharmony_ci	bool "Debug messages enabled by default"
4062306a36Sopenharmony_ci	depends on SECURITY_APPARMOR_DEBUG
4162306a36Sopenharmony_ci	default n
4262306a36Sopenharmony_ci	help
4362306a36Sopenharmony_ci	  Set the default value of the apparmor.debug kernel parameter.
4462306a36Sopenharmony_ci	  When enabled, various debug messages will be logged to
4562306a36Sopenharmony_ci	  the kernel message buffer.
4662306a36Sopenharmony_ci
4762306a36Sopenharmony_ciconfig SECURITY_APPARMOR_INTROSPECT_POLICY
4862306a36Sopenharmony_ci	bool "Allow loaded policy to be introspected"
4962306a36Sopenharmony_ci	depends on SECURITY_APPARMOR
5062306a36Sopenharmony_ci	default y
5162306a36Sopenharmony_ci	help
5262306a36Sopenharmony_ci	  This option selects whether introspection of loaded policy
5362306a36Sopenharmony_ci	  is available to userspace via the apparmor filesystem. This
5462306a36Sopenharmony_ci	  adds to kernel memory usage. It is required for introspection
5562306a36Sopenharmony_ci	  of loaded policy, and check point and restore support. It
5662306a36Sopenharmony_ci	  can be disabled for embedded systems where reducing memory and
5762306a36Sopenharmony_ci	  cpu is paramount.
5862306a36Sopenharmony_ci
5962306a36Sopenharmony_ciconfig SECURITY_APPARMOR_HASH
6062306a36Sopenharmony_ci	bool "Enable introspection of sha1 hashes for loaded profiles"
6162306a36Sopenharmony_ci	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
6262306a36Sopenharmony_ci	select CRYPTO
6362306a36Sopenharmony_ci	select CRYPTO_SHA1
6462306a36Sopenharmony_ci	default y
6562306a36Sopenharmony_ci	help
6662306a36Sopenharmony_ci	  This option selects whether introspection of loaded policy
6762306a36Sopenharmony_ci	  hashes is available to userspace via the apparmor
6862306a36Sopenharmony_ci	  filesystem. This option provides a light weight means of
6962306a36Sopenharmony_ci	  checking loaded policy.  This option adds to policy load
7062306a36Sopenharmony_ci	  time and can be disabled for small embedded systems.
7162306a36Sopenharmony_ci
7262306a36Sopenharmony_ciconfig SECURITY_APPARMOR_HASH_DEFAULT
7362306a36Sopenharmony_ci       bool "Enable policy hash introspection by default"
7462306a36Sopenharmony_ci       depends on SECURITY_APPARMOR_HASH
7562306a36Sopenharmony_ci       default y
7662306a36Sopenharmony_ci       help
7762306a36Sopenharmony_ci         This option selects whether sha1 hashing of loaded policy
7862306a36Sopenharmony_ci	 is enabled by default. The generation of sha1 hashes for
7962306a36Sopenharmony_ci	 loaded policy provide system administrators a quick way
8062306a36Sopenharmony_ci	 to verify that policy in the kernel matches what is expected,
8162306a36Sopenharmony_ci	 however it can slow down policy load on some devices. In
8262306a36Sopenharmony_ci	 these cases policy hashing can be disabled by default and
8362306a36Sopenharmony_ci	 enabled only if needed.
8462306a36Sopenharmony_ci
8562306a36Sopenharmony_ciconfig SECURITY_APPARMOR_EXPORT_BINARY
8662306a36Sopenharmony_ci	bool "Allow exporting the raw binary policy"
8762306a36Sopenharmony_ci	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
8862306a36Sopenharmony_ci	select ZSTD_COMPRESS
8962306a36Sopenharmony_ci	select ZSTD_DECOMPRESS
9062306a36Sopenharmony_ci	default y
9162306a36Sopenharmony_ci	help
9262306a36Sopenharmony_ci	  This option allows reading back binary policy as it was loaded.
9362306a36Sopenharmony_ci	  It increases the amount of kernel memory needed by policy and
9462306a36Sopenharmony_ci	  also increases policy load time. This option is required for
9562306a36Sopenharmony_ci	  checkpoint and restore support, and debugging of loaded policy.
9662306a36Sopenharmony_ci
9762306a36Sopenharmony_ciconfig SECURITY_APPARMOR_PARANOID_LOAD
9862306a36Sopenharmony_ci	bool "Perform full verification of loaded policy"
9962306a36Sopenharmony_ci	depends on SECURITY_APPARMOR
10062306a36Sopenharmony_ci	default y
10162306a36Sopenharmony_ci	help
10262306a36Sopenharmony_ci	  This options allows controlling whether apparmor does a full
10362306a36Sopenharmony_ci	  verification of loaded policy. This should not be disabled
10462306a36Sopenharmony_ci	  except for embedded systems where the image is read only,
10562306a36Sopenharmony_ci	  includes policy, and has some form of integrity check.
10662306a36Sopenharmony_ci	  Disabling the check will speed up policy loads.
10762306a36Sopenharmony_ci
10862306a36Sopenharmony_ciconfig SECURITY_APPARMOR_KUNIT_TEST
10962306a36Sopenharmony_ci	tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
11062306a36Sopenharmony_ci	depends on KUNIT && SECURITY_APPARMOR
11162306a36Sopenharmony_ci	default KUNIT_ALL_TESTS
11262306a36Sopenharmony_ci	help
11362306a36Sopenharmony_ci	  This builds the AppArmor KUnit tests.
11462306a36Sopenharmony_ci
11562306a36Sopenharmony_ci	  KUnit tests run during boot and output the results to the debug log
11662306a36Sopenharmony_ci	  in TAP format (https://testanything.org/). Only useful for kernel devs
11762306a36Sopenharmony_ci	  running KUnit test harness and are not for inclusion into a
11862306a36Sopenharmony_ci	  production build.
11962306a36Sopenharmony_ci
12062306a36Sopenharmony_ci	  For more information on KUnit and unit tests in general please refer
12162306a36Sopenharmony_ci	  to the KUnit documentation in Documentation/dev-tools/kunit/.
12262306a36Sopenharmony_ci
12362306a36Sopenharmony_ci	  If unsure, say N.
124