summaryrefslogtreecommitdiff
path: root/security/apparmor/Kconfig
blob: be5e9414a29574c80aca1cd9cab242a99ce77508 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
config SECURITY_APPARMOR
	bool "AppArmor support"
	depends on SECURITY && NET
	select AUDIT
	select SECURITY_PATH
	select SECURITYFS
	select SECURITY_NETWORK
	default n
	help
	  This enables the AppArmor security module.
	  Required userspace tools (if they are not included in your
	  distribution) and further information may be found at
	  http://apparmor.wiki.kernel.org

	  If you are unsure how to answer this question, answer N.

config SECURITY_APPARMOR_BOOTPARAM_VALUE
	int "AppArmor boot parameter default value"
	depends on SECURITY_APPARMOR
	range 0 1
	default 1
	help
	  This option sets the default value for the kernel parameter
	  'apparmor', which allows AppArmor to be enabled or disabled
          at boot.  If this option is set to 0 (zero), the AppArmor
	  kernel parameter will default to 0, disabling AppArmor at
	  boot.  If this option is set to 1 (one), the AppArmor
	  kernel parameter will default to 1, enabling AppArmor at
	  boot.

	  If you are unsure how to answer this question, answer 1.

config SECURITY_APPARMOR_HASH
	bool "Enable introspection of sha1 hashes for loaded profiles"
	depends on SECURITY_APPARMOR
	select CRYPTO
	select CRYPTO_SHA1
	default y

	help
	  This option selects whether introspection of loaded policy
	  is available to userspace via the apparmor filesystem.

config SECURITY_APPARMOR_HASH_DEFAULT
       bool "Enable policy hash introspection by default"
       depends on SECURITY_APPARMOR_HASH
       default y

       help
         This option selects whether sha1 hashing of loaded policy
	 is enabled by default. The generation of sha1 hashes for
	 loaded policy provide system administrators a quick way
	 to verify that policy in the kernel matches what is expected,
	 however it can slow down policy load on some devices. In
	 these cases policy hashing can be disabled by default and
	 enabled only if needed.