[mirror_ubuntu-bionic-kernel.git] / security / apparmor / Kconfig

config SECURITY_APPARMOR
	bool "AppArmor support"
	depends on SECURITY && NET
	select AUDIT
	select SECURITY_PATH
	select SECURITYFS
	select SECURITY_NETWORK
	default n
	help
	  This enables the AppArmor security module.
	  Required userspace tools (if they are not included in your
	  distribution) and further information may be found at
	  http://apparmor.wiki.kernel.org

	  If you are unsure how to answer this question, answer N.

config SECURITY_APPARMOR_BOOTPARAM_VALUE
	int "AppArmor boot parameter default value"
	depends on SECURITY_APPARMOR
	range 0 1
	default 1
	help
	  This option sets the default value for the kernel parameter
	  'apparmor', which allows AppArmor to be enabled or disabled
          at boot.  If this option is set to 0 (zero), the AppArmor
	  kernel parameter will default to 0, disabling AppArmor at
	  boot.  If this option is set to 1 (one), the AppArmor
	  kernel parameter will default to 1, enabling AppArmor at
	  boot.

	  If you are unsure how to answer this question, answer 1.

config SECURITY_APPARMOR_HASH
	bool "Enable introspection of sha1 hashes for loaded profiles"
	depends on SECURITY_APPARMOR
	select CRYPTO
	select CRYPTO_SHA1
	default y
	help
	  This option selects whether introspection of loaded policy
	  is available to userspace via the apparmor filesystem.

config SECURITY_APPARMOR_HASH_DEFAULT
       bool "Enable policy hash introspection by default"
       depends on SECURITY_APPARMOR_HASH
       default y
       help
         This option selects whether sha1 hashing of loaded policy
	 is enabled by default. The generation of sha1 hashes for
	 loaded policy provide system administrators a quick way
	 to verify that policy in the kernel matches what is expected,
	 however it can slow down policy load on some devices. In
	 these cases policy hashing can be disabled by default and
	 enabled only if needed.

config SECURITY_APPARMOR_DEBUG
	bool "Build AppArmor with debug code"
	depends on SECURITY_APPARMOR
	default n
	help
	  Build apparmor with debugging logic in apparmor. Not all
	  debugging logic will necessarily be enabled. A submenu will
	  provide fine grained control of the debug options that are
	  available.

config SECURITY_APPARMOR_DEBUG_ASSERTS
	bool "Build AppArmor with debugging asserts"
	depends on SECURITY_APPARMOR_DEBUG
	default y
	help
	  Enable code assertions made with AA_BUG. These are primarily
	  function entry preconditions but also exist at other key
	  points. If the assert is triggered it will trigger a WARN
	  message.

config SECURITY_APPARMOR_DEBUG_MESSAGES
	bool "Debug messages enabled by default"
	depends on SECURITY_APPARMOR_DEBUG
	default n
	help
	  Set the default value of the apparmor.debug kernel parameter.
	  When enabled, various debug messages will be logged to
	  the kernel message buffer.
Commit	Line	Data
016d825f JJ	1	config SECURITY_APPARMOR
016d825f JJ	2	bool "AppArmor support"
06c22dad	3	depends on SECURITY && NET
016d825f JJ	4	select AUDIT
	5	select SECURITY_PATH
	6	select SECURITYFS
	7	select SECURITY_NETWORK
	8	default n
	9	help
	10	This enables the AppArmor security module.
	11	Required userspace tools (if they are not included in your
	12	distribution) and further information may be found at
	13	http://apparmor.wiki.kernel.org
	14
	15	If you are unsure how to answer this question, answer N.
	16
	17	config SECURITY_APPARMOR_BOOTPARAM_VALUE
	18	int "AppArmor boot parameter default value"
	19	depends on SECURITY_APPARMOR
	20	range 0 1
	21	default 1
	22	help
	23	This option sets the default value for the kernel parameter
	24	'apparmor', which allows AppArmor to be enabled or disabled
	25	at boot. If this option is set to 0 (zero), the AppArmor
	26	kernel parameter will default to 0, disabling AppArmor at
	27	boot. If this option is set to 1 (one), the AppArmor
	28	kernel parameter will default to 1, enabling AppArmor at
	29	boot.
	30
	31	If you are unsure how to answer this question, answer 1.
f8eb8a13 JJ	32
f8eb8a13 JJ	33	config SECURITY_APPARMOR_HASH
6059f71f	34	bool "Enable introspection of sha1 hashes for loaded profiles"
f8eb8a13	35	depends on SECURITY_APPARMOR
083c1290	36	select CRYPTO
f8eb8a13 JJ	37	select CRYPTO_SHA1
f8eb8a13 JJ	38	default y
f8eb8a13	39	help
6059f71f JJ	40	This option selects whether introspection of loaded policy
	41	is available to userspace via the apparmor filesystem.
	42
	43	config SECURITY_APPARMOR_HASH_DEFAULT
	44	bool "Enable policy hash introspection by default"
	45	depends on SECURITY_APPARMOR_HASH
	46	default y
6059f71f JJ	47	help
	48	This option selects whether sha1 hashing of loaded policy
	49	is enabled by default. The generation of sha1 hashes for
	50	loaded policy provide system administrators a quick way
	51	to verify that policy in the kernel matches what is expected,
	52	however it can slow down policy load on some devices. In
	53	these cases policy hashing can be disabled by default and
	54	enabled only if needed.
680cd62e JJ	55
	56	config SECURITY_APPARMOR_DEBUG
	57	bool "Build AppArmor with debug code"
	58	depends on SECURITY_APPARMOR
	59	default n
	60	help
	61	Build apparmor with debugging logic in apparmor. Not all
	62	debugging logic will necessarily be enabled. A submenu will
	63	provide fine grained control of the debug options that are
	64	available.
	65
	66	config SECURITY_APPARMOR_DEBUG_ASSERTS
	67	bool "Build AppArmor with debugging asserts"
	68	depends on SECURITY_APPARMOR_DEBUG
	69	default y
	70	help
	71	Enable code assertions made with AA_BUG. These are primarily
	72	function entry preconditions but also exist at other key
	73	points. If the assert is triggered it will trigger a WARN
	74	message.
	75
	76	config SECURITY_APPARMOR_DEBUG_MESSAGES
	77	bool "Debug messages enabled by default"
	78	depends on SECURITY_APPARMOR_DEBUG
	79	default n
	80	help
	81	Set the default value of the apparmor.debug kernel parameter.
	82	When enabled, various debug messages will be logged to
	83	the kernel message buffer.