Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
016d825f JJ | 2 | config SECURITY_APPARMOR |
 | 3 | bool "AppArmor support" |
06c22dad | 4 | depends on SECURITY && NET |
016d825f JJ | 5 | select AUDIT |
 | 6 | select SECURITY_PATH |
 | 7 | select SECURITYFS |
 | 8 | select SECURITY_NETWORK |
 | 9 | default n |
 | 10 | help |
 | 11 | This enables the AppArmor security module. |
 | 12 | Required userspace tools (if they are not included in your |
 | 13 | distribution) and further information may be found at |
 | 14 | http://apparmor.wiki.kernel.org |
 | 15 | |
 | 16 | If you are unsure how to answer this question, answer N. |
 | 17 | |
f8eb8a13 | 18 | config SECURITY_APPARMOR_HASH |
6059f71f | 19 | bool "Enable introspection of sha1 hashes for loaded profiles" |
f8eb8a13 | 20 | depends on SECURITY_APPARMOR |
083c1290 | 21 | select CRYPTO |
f8eb8a13 JJ | 22 | select CRYPTO_SHA1 |
 | 23 | default y |
f8eb8a13 | 24 | help |
6059f71f JJ | 25 | This option selects whether introspection of loaded policy |
 | 26 | is available to userspace via the apparmor filesystem. |
 | 27 | |
 | 28 | config SECURITY_APPARMOR_HASH_DEFAULT |
 | 29 | bool "Enable policy hash introspection by default" |
 | 30 | depends on SECURITY_APPARMOR_HASH |
 | 31 | default y |
6059f71f JJ | 32 | help |
 | 33 | This option selects whether sha1 hashing of loaded policy |
 | 34 | is enabled by default. The generation of sha1 hashes for |
 | 35 | loaded policy provide system administrators a quick way |
 | 36 | to verify that policy in the kernel matches what is expected, |
 | 37 | however it can slow down policy load on some devices. In |
 | 38 | these cases policy hashing can be disabled by default and |
 | 39 | enabled only if needed. |
680cd62e JJ | 40 | |
 | 41 | config SECURITY_APPARMOR_DEBUG |
 | 42 | bool "Build AppArmor with debug code" |
 | 43 | depends on SECURITY_APPARMOR |
 | 44 | default n |
 | 45 | help |
 | 46 | Build apparmor with debugging logic in apparmor. Not all |
 | 47 | debugging logic will necessarily be enabled. A submenu will |
 | 48 | provide fine grained control of the debug options that are |
 | 49 | available. |
 | 50 | |
 | 51 | config SECURITY_APPARMOR_DEBUG_ASSERTS |
 | 52 | bool "Build AppArmor with debugging asserts" |
 | 53 | depends on SECURITY_APPARMOR_DEBUG |
 | 54 | default y |
 | 55 | help |
 | 56 | Enable code assertions made with AA_BUG. These are primarily |
 | 57 | function entry preconditions but also exist at other key |
 | 58 | points. If the assert is triggered it will trigger a WARN |
 | 59 | message. |
 | 60 | |
 | 61 | config SECURITY_APPARMOR_DEBUG_MESSAGES |
 | 62 | bool "Debug messages enabled by default" |
 | 63 | depends on SECURITY_APPARMOR_DEBUG |
 | 64 | default n |
 | 65 | help |
 | 66 | Set the default value of the apparmor.debug kernel parameter. |
 | 67 | When enabled, various debug messages will be logged to |
 | 68 | the kernel message buffer. |