mirror of https://github.com/Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
123 lines
4.3 KiB
123 lines
4.3 KiB
# SPDX-License-Identifier: GPL-2.0-only |
|
config SECURITY_APPARMOR |
|
bool "AppArmor support" |
|
depends on SECURITY && NET |
|
select AUDIT |
|
select SECURITY_PATH |
|
select SECURITYFS |
|
select SECURITY_NETWORK |
|
default n |
|
help |
|
This enables the AppArmor security module. |
|
Required userspace tools (if they are not included in your |
|
distribution) and further information may be found at |
|
http://apparmor.wiki.kernel.org |
|
|
|
If you are unsure how to answer this question, answer N. |
|
|
|
config SECURITY_APPARMOR_DEBUG |
|
bool "Build AppArmor with debug code" |
|
depends on SECURITY_APPARMOR |
|
default n |
|
help |
|
Build apparmor with debugging logic in apparmor. Not all |
|
debugging logic will necessarily be enabled. A submenu will |
|
provide fine grained control of the debug options that are |
|
available. |
|
|
|
config SECURITY_APPARMOR_DEBUG_ASSERTS |
|
bool "Build AppArmor with debugging asserts" |
|
depends on SECURITY_APPARMOR_DEBUG |
|
default y |
|
help |
|
Enable code assertions made with AA_BUG. These are primarily |
|
function entry preconditions but also exist at other key |
|
points. If the assert is triggered it will trigger a WARN |
|
message. |
|
|
|
config SECURITY_APPARMOR_DEBUG_MESSAGES |
|
bool "Debug messages enabled by default" |
|
depends on SECURITY_APPARMOR_DEBUG |
|
default n |
|
help |
|
Set the default value of the apparmor.debug kernel parameter. |
|
When enabled, various debug messages will be logged to |
|
the kernel message buffer. |
|
|
|
config SECURITY_APPARMOR_INTROSPECT_POLICY |
|
bool "Allow loaded policy to be introspected" |
|
depends on SECURITY_APPARMOR |
|
default y |
|
help |
|
This option selects whether introspection of loaded policy |
|
is available to userspace via the apparmor filesystem. This |
|
adds to kernel memory usage. It is required for introspection |
|
of loaded policy, and check point and restore support. It |
|
can be disabled for embedded systems where reducing memory and |
|
cpu is paramount. |
|
|
|
config SECURITY_APPARMOR_HASH |
|
bool "Enable introspection of sha1 hashes for loaded profiles" |
|
depends on SECURITY_APPARMOR_INTROSPECT_POLICY |
|
select CRYPTO |
|
select CRYPTO_SHA1 |
|
default y |
|
help |
|
This option selects whether introspection of loaded policy |
|
hashes is available to userspace via the apparmor |
|
filesystem. This option provides a light weight means of |
|
checking loaded policy. This option adds to policy load |
|
time and can be disabled for small embedded systems. |
|
|
|
config SECURITY_APPARMOR_HASH_DEFAULT |
|
bool "Enable policy hash introspection by default" |
|
depends on SECURITY_APPARMOR_HASH |
|
default y |
|
help |
|
This option selects whether sha1 hashing of loaded policy |
|
is enabled by default. The generation of sha1 hashes for |
|
loaded policy provide system administrators a quick way |
|
to verify that policy in the kernel matches what is expected, |
|
however it can slow down policy load on some devices. In |
|
these cases policy hashing can be disabled by default and |
|
enabled only if needed. |
|
|
|
config SECURITY_APPARMOR_EXPORT_BINARY |
|
bool "Allow exporting the raw binary policy" |
|
depends on SECURITY_APPARMOR_INTROSPECT_POLICY |
|
select ZLIB_INFLATE |
|
select ZLIB_DEFLATE |
|
default y |
|
help |
|
This option allows reading back binary policy as it was loaded. |
|
It increases the amount of kernel memory needed by policy and |
|
also increases policy load time. This option is required for |
|
checkpoint and restore support, and debugging of loaded policy. |
|
|
|
config SECURITY_APPARMOR_PARANOID_LOAD |
|
bool "Perform full verification of loaded policy" |
|
depends on SECURITY_APPARMOR |
|
default y |
|
help |
|
This options allows controlling whether apparmor does a full |
|
verification of loaded policy. This should not be disabled |
|
except for embedded systems where the image is read only, |
|
includes policy, and has some form of integrity check. |
|
Disabling the check will speed up policy loads. |
|
|
|
config SECURITY_APPARMOR_KUNIT_TEST |
|
bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS |
|
depends on KUNIT=y && SECURITY_APPARMOR |
|
default KUNIT_ALL_TESTS |
|
help |
|
This builds the AppArmor KUnit tests. |
|
|
|
KUnit tests run during boot and output the results to the debug log |
|
in TAP format (https://testanything.org/). Only useful for kernel devs |
|
running KUnit test harness and are not for inclusion into a |
|
production build. |
|
|
|
For more information on KUnit and unit tests in general please refer |
|
to the KUnit documentation in Documentation/dev-tools/kunit/. |
|
|
|
If unsure, say N.
|
|
|