git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - security/apparmor/Kconfig
UBUNTU: Start new release
config SECURITY_APPARMOR
	bool "AppArmor support"
	depends on SECURITY && NET
	select AUDIT
	select SECURITY_PATH
	select SECURITYFS
	select SECURITY_NETWORK
	default n
	help
	  This enables the AppArmor security module.
	  Required userspace tools (if they are not included in your
	  distribution) and further information may be found at
	  http://apparmor.wiki.kernel.org

	  If you are unsure how to answer this question, answer N.

config SECURITY_APPARMOR_BOOTPARAM_VALUE
	int "AppArmor boot parameter default value"
	depends on SECURITY_APPARMOR
	range 0 1
	default 1
	help
	  This option sets the default value for the kernel parameter
	  'apparmor', which allows AppArmor to be enabled or disabled
	  at boot.  If this option is set to 0 (zero), the AppArmor
	  kernel parameter will default to 0, disabling AppArmor at
	  boot.  If this option is set to 1 (one), the AppArmor
	  kernel parameter will default to 1, enabling AppArmor at
	  boot.

	  If you are unsure how to answer this question, answer 1.

config SECURITY_APPARMOR_STATS
	bool "enable debug statistics"
	depends on SECURITY_APPARMOR
	select APPARMOR_LABEL_STATS
	default n
	help
	  This enables keeping statistics on various internal structures
	  and functions in apparmor.

	  If you are unsure how to answer this question, answer N.

config SECURITY_APPARMOR_UNCONFINED_INIT
	bool "Set init to unconfined on boot"
	depends on SECURITY_APPARMOR
	default y
	help
	  This option determines policy behavior during early boot by
	  placing the init process in the unconfined state, or the
	  'default' profile.

	  'Y' means init and its children are not confined, unless the
	  init process is re-execed after a policy load; loaded policy
	  will only apply to processes started after the load.

	  'N' means init and its children are confined in a profile
	  named 'default', which can be replaced later and thus
	  provide for confinement for processes started early at boot,
	  though not confined during early boot.

	  If you are unsure how to answer this question, answer Y.

config SECURITY_APPARMOR_HASH
	bool "Enable introspection of sha1 hashes for loaded profiles"
	depends on SECURITY_APPARMOR
	select CRYPTO
	select CRYPTO_SHA1
	default y

	help
	  This option selects whether introspection of loaded policy
	  is available to userspace via the apparmor filesystem.

config SECURITY_APPARMOR_HASH_DEFAULT
	bool "Enable policy hash introspection by default"
	depends on SECURITY_APPARMOR_HASH
	default y

	help
	  This option selects whether sha1 hashing of loaded policy
	  is enabled by default. The generation of sha1 hashes for
	  loaded policy provides system administrators a quick way
	  to verify that policy in the kernel matches what is expected,
	  however it can slow down policy load on some devices. In
	  these cases policy hashing can be disabled by default and
	  enabled only if needed.
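
The check that the SECURITY_APPARMOR_HASH_DEFAULT help text describes, comparing the sha1 of each loaded profile against an expected value, written as an added example that is not part of the kernel source. The function name `aa_hash_drift`, the baseline file format and the finding labels are made up for this illustration, and the securityfs layout is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the kernel tree.
# Assumption: profiles appear under securityfs as <root>/<profile>.<id>/ with
# "name" and "sha1" files, child profiles nested in a "profiles" subdirectory.
AA_PROFILES=${AA_PROFILES:-/sys/kernel/security/apparmor/policy/profiles}

# aa_hash_drift BASELINE [ROOT]
# BASELINE holds one "<sha1-hex> <profile name>" line per expected profile,
# recorded from a known-good system. Prints one finding per line and
# returns 1 if anything differs, 0 if the loaded policy matches.
aa_hash_drift() {
    baseline=$1
    root=${2:-$AA_PROFILES}
    loaded=$(find "$root" -type f -name name -exec cat {} +)
    findings=$(
        # Pass 1: each loaded profile must be expected and carry the recorded hash.
        find "$root" -type f -name name | sort | while IFS= read -r nf; do
            prof=$(cat "$nf")
            want=$(awk -v p="$prof" \
                '{ h = $1; sub(/^[^ ]+ +/, "") } $0 == p { print h; exit }' "$baseline")
            if [ -z "$want" ]; then
                echo "UNEXPECTED $prof"
            elif [ ! -r "${nf%/name}/sha1" ]; then
                # No sha1 file: hashing not built in, or off when policy was loaded.
                echo "NOHASH $prof"
            elif [ "$(cat "${nf%/name}/sha1")" != "$want" ]; then
                echo "CHANGED $prof"
            fi
        done
        # Pass 2: each expected profile must still be loaded.
        while read -r h prof; do
            [ -n "$prof" ] || continue
            printf '%s\n' "$loaded" | grep -Fxq -- "$prof" || echo "MISSING $prof"
        done < "$baseline"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A NOHASH finding means the profile cannot be verified this way, which is the trade-off the help text mentions when hashing is disabled by default to speed up policy load.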