forked from Minki/linux
79e178a57d
- increase left match history buffer size to provide inproved conflict resolution in overlapping execution rules. - switch buffer allocation to use a memory pool and GFP_KERNEL where possible. - add compression of policy blobs to reduce memory usage. + Cleanups - fix spelling mistake "immutible" -> "immutable" + Bug fixes - fix unsigned len comparison in update_for_len macro - fix sparse warning for type-casting of current->real_cred -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAl3mvPUACgkQBS82cBjV w9gM8hAArhbBiGHlYlsGCOws4+ObCSIAxPkKw9ZC+FjTOKE6uN+GDUM+s4TWjbkL 65NKGBqHfHIzRYHD6BNi5I3Yf0xKCXuMenZVptiDHYQ+65mCL6QlZOA5K2Mp67fY uMKoOIMSAkDkLJHEsH8o1YURAlvY5DjK2XfSrc2GeaExnBZTisfhDwbYjv9OYI6U JPDP361zzJMSpkcDf5WX5vVuvfjTnAXjfH3av61hiSNAzivd4P1Mp34ellOkz7Ya Ch6K+32agVcE8LIbalRKhWVw7Fhfbys2+/nBZ0Tb5HPG0tRWbm+ueggOsp8/liWQ Ik9NigK61lHjd5ttDrswD0UfslTxac2pPFhlYRYoSUSMITOjJke50Q12ZosK4wUY pdsBiWVDo2W3/E9sretmFpWlzish8q3tNJU55aKD+FTo0yqMC3X7H/l9xGLuLUt/ vHwUcGZNSrAWqc8yMamzEvqj9e1DECMJZQIlE3YJgGLCkcO6LFY+5pSWSvMQIG7v 451oob3QalzqIDyh3OOxlA8pfUVyk9HL48Kw7+0ZJrbJK6pAjHZhE8gFVMPECB7b n22XrABdPdjAFvlqCzkm4qZ5sjqdk8T9Iexc5bnrFvBW4teHnAX0xrk+gxVpnEYf dV6ERcxmRjnZhT6FtOQkLOia3gIiAQVi6Rd9K6HHhPH83wNyjjI= =lPsA -----END PGP SIGNATURE----- Merge tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "Features: - increase left match history buffer size to provide improved conflict resolution in overlapping execution rules. - switch buffer allocation to use a memory pool and GFP_KERNEL where possible. - add compression of policy blobs to reduce memory usage. Cleanups: - fix spelling mistake "immutible" -> "immutable" Bug fixes: - fix unsigned len comparison in update_for_len macro - fix sparse warning for type-casting of current->real_cred" * tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: make it so work buffers can be allocated from atomic context apparmor: reduce rcu_read_lock scope for aa_file_perm mediation apparmor: fix wrong buffer allocation in aa_new_mount apparmor: fix unsigned len comparison with less than zero apparmor: increase left match history buffer size apparmor: Switch to GFP_KERNEL where possible apparmor: Use a memory pool instead per-CPU caches apparmor: Force type-casting of current->real_cred apparmor: fix spelling mistake "immutible" -> "immutable" apparmor: fix blob compression when ns is forced on a policy load apparmor: fix missing ZLIB defines apparmor: fix blob compression build failure on ppc apparmor: Initial implementation of raw policy blob compression
71 lines
2.3 KiB
Plaintext
71 lines
2.3 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
config SECURITY_APPARMOR
|
|
bool "AppArmor support"
|
|
depends on SECURITY && NET
|
|
select AUDIT
|
|
select SECURITY_PATH
|
|
select SECURITYFS
|
|
select SECURITY_NETWORK
|
|
select ZLIB_INFLATE
|
|
select ZLIB_DEFLATE
|
|
default n
|
|
help
|
|
This enables the AppArmor security module.
|
|
Required userspace tools (if they are not included in your
|
|
distribution) and further information may be found at
|
|
http://apparmor.wiki.kernel.org
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_APPARMOR_HASH
|
|
bool "Enable introspection of sha1 hashes for loaded profiles"
|
|
depends on SECURITY_APPARMOR
|
|
select CRYPTO
|
|
select CRYPTO_SHA1
|
|
default y
|
|
help
|
|
This option selects whether introspection of loaded policy
|
|
is available to userspace via the apparmor filesystem.
|
|
|
|
config SECURITY_APPARMOR_HASH_DEFAULT
|
|
bool "Enable policy hash introspection by default"
|
|
depends on SECURITY_APPARMOR_HASH
|
|
default y
|
|
help
|
|
This option selects whether sha1 hashing of loaded policy
|
|
is enabled by default. The generation of sha1 hashes for
|
|
loaded policy provide system administrators a quick way
|
|
to verify that policy in the kernel matches what is expected,
|
|
however it can slow down policy load on some devices. In
|
|
these cases policy hashing can be disabled by default and
|
|
enabled only if needed.
|
|
|
|
config SECURITY_APPARMOR_DEBUG
|
|
bool "Build AppArmor with debug code"
|
|
depends on SECURITY_APPARMOR
|
|
default n
|
|
help
|
|
Build apparmor with debugging logic in apparmor. Not all
|
|
debugging logic will necessarily be enabled. A submenu will
|
|
provide fine grained control of the debug options that are
|
|
available.
|
|
|
|
config SECURITY_APPARMOR_DEBUG_ASSERTS
|
|
bool "Build AppArmor with debugging asserts"
|
|
depends on SECURITY_APPARMOR_DEBUG
|
|
default y
|
|
help
|
|
Enable code assertions made with AA_BUG. These are primarily
|
|
function entry preconditions but also exist at other key
|
|
points. If the assert is triggered it will trigger a WARN
|
|
message.
|
|
|
|
config SECURITY_APPARMOR_DEBUG_MESSAGES
|
|
bool "Debug messages enabled by default"
|
|
depends on SECURITY_APPARMOR_DEBUG
|
|
default n
|
|
help
|
|
Set the default value of the apparmor.debug kernel parameter.
|
|
When enabled, various debug messages will be logged to
|
|
the kernel message buffer.
|