| Thomas Gleixner | ec8f24b | 2019-05-19 13:07:45 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| John Johansen | 016d825 | 2010-07-30 13:46:33 +1000 | [diff] [blame] | 2 | config SECURITY_APPARMOR |
| 3 | bool "AppArmor support" |
| Randy Dunlap | 06c22da | 2010-08-02 10:52:18 -0700 | [diff] [blame] | 4 | depends on SECURITY && NET |
| John Johansen | 016d825 | 2010-07-30 13:46:33 +1000 | [diff] [blame] | 5 | select AUDIT |
| 6 | select SECURITY_PATH |
| 7 | select SECURITYFS |
| 8 | select SECURITY_NETWORK |
| 9 | default n |
| 10 | help |
| 11 | This enables the AppArmor security module. |
| 12 | Required userspace tools (if they are not included in your |
| 13 | distribution) and further information may be found at |
| 14 | http://apparmor.wiki.kernel.org |
| 15 | |
| 16 | If you are unsure how to answer this question, answer N. |
| 17 | |
| John Johansen | f8eb8a1 | 2013-08-14 11:27:36 -0700 | [diff] [blame] | 18 | config SECURITY_APPARMOR_HASH |
| John Johansen | 6059f71 | 2014-10-24 09:16:14 -0700 | [diff] [blame] | 19 | bool "Enable introspection of sha1 hashes for loaded profiles" |
| John Johansen | f8eb8a1 | 2013-08-14 11:27:36 -0700 | [diff] [blame] | 20 | depends on SECURITY_APPARMOR |
| Arnd Bergmann | 083c129 | 2015-10-21 21:16:29 +0200 | [diff] [blame] | 21 | select CRYPTO |
| John Johansen | f8eb8a1 | 2013-08-14 11:27:36 -0700 | [diff] [blame] | 22 | select CRYPTO_SHA1 |
| 23 | default y |
| John Johansen | f8eb8a1 | 2013-08-14 11:27:36 -0700 | [diff] [blame] | 24 | help |
| John Johansen | 6059f71 | 2014-10-24 09:16:14 -0700 | [diff] [blame] | 25 | This option selects whether introspection of loaded policy |
| 26 | is available to userspace via the apparmor filesystem. |
| 27 | |
| 28 | config SECURITY_APPARMOR_HASH_DEFAULT |
| 29 | bool "Enable policy hash introspection by default" |
| 30 | depends on SECURITY_APPARMOR_HASH |
| 31 | default y |
| John Johansen | 6059f71 | 2014-10-24 09:16:14 -0700 | [diff] [blame] | 32 | help |
| 33 | This option selects whether sha1 hashing of loaded policy |
| 34 | is enabled by default. The generation of sha1 hashes for |
| 35 | loaded policy provide system administrators a quick way |
| 36 | to verify that policy in the kernel matches what is expected, |
| 37 | however it can slow down policy load on some devices. In |
| 38 | these cases policy hashing can be disabled by default and |
| 39 | enabled only if needed. |
| John Johansen | 680cd62 | 2017-01-16 00:42:27 -0800 | [diff] [blame] | 40 | |
| 41 | config SECURITY_APPARMOR_DEBUG |
| 42 | bool "Build AppArmor with debug code" |
| 43 | depends on SECURITY_APPARMOR |
| 44 | default n |
| 45 | help |
| 46 | Build apparmor with debugging logic in apparmor. Not all |
| 47 | debugging logic will necessarily be enabled. A submenu will |
| 48 | provide fine grained control of the debug options that are |
| 49 | available. |
| 50 | |
| 51 | config SECURITY_APPARMOR_DEBUG_ASSERTS |
| 52 | bool "Build AppArmor with debugging asserts" |
| 53 | depends on SECURITY_APPARMOR_DEBUG |
| 54 | default y |
| 55 | help |
| 56 | Enable code assertions made with AA_BUG. These are primarily |
| 57 | function entry preconditions but also exist at other key |
| 58 | points. If the assert is triggered it will trigger a WARN |
| 59 | message. |
| 60 | |
| 61 | config SECURITY_APPARMOR_DEBUG_MESSAGES |
| 62 | bool "Debug messages enabled by default" |
| 63 | depends on SECURITY_APPARMOR_DEBUG |
| 64 | default n |
| 65 | help |
| 66 | Set the default value of the apparmor.debug kernel parameter. |
| 67 | When enabled, various debug messages will be logged to |
| 68 | the kernel message buffer. |