config SECURITY_APPARMOR bool "AppArmor support" depends on SECURITY && NET select AUDIT select SECURITY_PATH select SECURITYFS select SECURITY_NETWORK default n help This enables the AppArmor security module. Required userspace tools (if they are not included in your distribution) and further information may be found at http://apparmor.wiki.kernel.org If you are unsure how to answer this question, answer N. config SECURITY_APPARMOR_BOOTPARAM_VALUE int "AppArmor boot parameter default value" depends on SECURITY_APPARMOR range 0 1 default 1 help This option sets the default value for the kernel parameter 'apparmor', which allows AppArmor to be enabled or disabled at boot. If this option is set to 0 (zero), the AppArmor kernel parameter will default to 0, disabling AppArmor at boot. If this option is set to 1 (one), the AppArmor kernel parameter will default to 1, enabling AppArmor at boot. If you are unsure how to answer this question, answer 1. config SECURITY_APPARMOR_STATS bool "enable debug statistics" depends on SECURITY_APPARMOR select APPARMOR_LABEL_STATS default n help This enables keeping statistics on various internal structures and functions in apparmor. If you are unsure how to answer this question, answer N. config SECURITY_APPARMOR_UNCONFINED_INIT bool "Set init to unconfined on boot" depends on SECURITY_APPARMOR default y help This option determines policy behavior during early boot by placing the init process in the unconfined state, or the 'default' profile. This option determines policy behavior during early boot by placing the init process in the unconfined state, or the 'default' profile. 'Y' means init and its children are not confined, unless the init process is re-execed after a policy load; loaded policy will only apply to processes started after the load. 'N' means init and its children are confined in a profile named 'default', which can be replaced later and thus provide for confinement for processes started early at boot, though not confined during early boot. If you are unsure how to answer this question, answer Y. config SECURITY_APPARMOR_HASH bool "Enable introspection of sha1 hashes for loaded profiles" depends on SECURITY_APPARMOR select CRYPTO select CRYPTO_SHA1 default y help This option selects whether introspection of loaded policy is available to userspace via the apparmor filesystem. config SECURITY_APPARMOR_HASH_DEFAULT bool "Enable policy hash introspection by default" depends on SECURITY_APPARMOR_HASH default y help This option selects whether sha1 hashing of loaded policy is enabled by default. The generation of sha1 hashes for loaded policy provide system administrators a quick way to verify that policy in the kernel matches what is expected, however it can slow down policy load on some devices. In these cases policy hashing can be disabled by default and enabled only if needed.