1 # SPDX-License-Identifier: GPL-2.0-only
2 config SECURITY_APPARMOR
3 bool "AppArmor support"
4 depends on SECURITY && NET
8 select SECURITY_NETWORK
13 This enables the AppArmor security module.
14 Required userspace tools (if they are not included in your
15 distribution) and further information may be found at
16 http://apparmor.wiki.kernel.org
18 If you are unsure how to answer this question, answer N.
20 config SECURITY_APPARMOR_HASH
21 bool "Enable introspection of sha1 hashes for loaded profiles"
22 depends on SECURITY_APPARMOR
27 This option selects whether introspection of loaded policy
28 hashes is available to userspace via the apparmor
29 filesystem. This option provides a light weight means of
30 checking loaded policy. This option adds to policy load
31 time and can be disabled for small embedded systems.
33 config SECURITY_APPARMOR_HASH_DEFAULT
34 bool "Enable policy hash introspection by default"
35 depends on SECURITY_APPARMOR_HASH
38 This option selects whether sha1 hashing of loaded policy
39 is enabled by default. The generation of sha1 hashes for
40 loaded policy provide system administrators a quick way
41 to verify that policy in the kernel matches what is expected,
42 however it can slow down policy load on some devices. In
43 these cases policy hashing can be disabled by default and
44 enabled only if needed.
46 config SECURITY_APPARMOR_DEBUG
47 bool "Build AppArmor with debug code"
48 depends on SECURITY_APPARMOR
51 Build apparmor with debugging logic in apparmor. Not all
52 debugging logic will necessarily be enabled. A submenu will
53 provide fine grained control of the debug options that are
56 config SECURITY_APPARMOR_DEBUG_ASSERTS
57 bool "Build AppArmor with debugging asserts"
58 depends on SECURITY_APPARMOR_DEBUG
61 Enable code assertions made with AA_BUG. These are primarily
62 function entry preconditions but also exist at other key
63 points. If the assert is triggered it will trigger a WARN
66 config SECURITY_APPARMOR_DEBUG_MESSAGES
67 bool "Debug messages enabled by default"
68 depends on SECURITY_APPARMOR_DEBUG
71 Set the default value of the apparmor.debug kernel parameter.
72 When enabled, various debug messages will be logged to
73 the kernel message buffer.
75 config SECURITY_APPARMOR_KUNIT_TEST
76 bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
77 depends on KUNIT=y && SECURITY_APPARMOR
78 default KUNIT_ALL_TESTS
80 This builds the AppArmor KUnit tests.
82 KUnit tests run during boot and output the results to the debug log
83 in TAP format (https://testanything.org/). Only useful for kernel devs
84 running KUnit test harness and are not for inclusion into a
87 For more information on KUnit and unit tests in general please refer
88 to the KUnit documentation in Documentation/dev-tools/kunit/.