xref: /linux/security/apparmor/Kconfig (revision 680cd62e910d7b7e3c1fcde6ba67c6ca770c2286)
config SECURITY_APPARMOR
	bool "AppArmor support"
	depends on SECURITY && NET
	select AUDIT
	select SECURITY_PATH
	select SECURITYFS
	select SECURITY_NETWORK
	default n
	help
	  This enables the AppArmor security module.
	  Required userspace tools (if they are not included in your
	  distribution) and further information may be found at
	  http://apparmor.wiki.kernel.org

	  If you are unsure how to answer this question, answer N.

config SECURITY_APPARMOR_BOOTPARAM_VALUE
	int "AppArmor boot parameter default value"
	depends on SECURITY_APPARMOR
	range 0 1
	default 1
	help
	  This option sets the default value for the kernel parameter
	  'apparmor', which allows AppArmor to be enabled or disabled
	  at boot.  If this option is set to 0 (zero), the AppArmor
	  kernel parameter will default to 0, disabling AppArmor at
	  boot.  If this option is set to 1 (one), the AppArmor
	  kernel parameter will default to 1, enabling AppArmor at
	  boot.

	  If you are unsure how to answer this question, answer 1.

config SECURITY_APPARMOR_HASH
	bool "Enable introspection of sha1 hashes for loaded profiles"
	depends on SECURITY_APPARMOR
	select CRYPTO
	select CRYPTO_SHA1
	default y
	help
	  This option selects whether introspection of loaded policy
	  is available to userspace via the apparmor filesystem.

config SECURITY_APPARMOR_HASH_DEFAULT
	bool "Enable policy hash introspection by default"
	depends on SECURITY_APPARMOR_HASH
	default y
	help
	  This option selects whether sha1 hashing of loaded policy
	  is enabled by default. The generation of sha1 hashes for
	  loaded policy provide system administrators a quick way
	  to verify that policy in the kernel matches what is expected,
	  however it can slow down policy load on some devices. In
	  these cases policy hashing can be disabled by default and
	  enabled only if needed.

config SECURITY_APPARMOR_DEBUG
	bool "Build AppArmor with debug code"
	depends on SECURITY_APPARMOR
	default n
	help
	  Build apparmor with debugging logic in apparmor. Not all
	  debugging logic will necessarily be enabled. A submenu will
	  provide fine grained control of the debug options that are
	  available.

config SECURITY_APPARMOR_DEBUG_ASSERTS
	bool "Build AppArmor with debugging asserts"
	depends on SECURITY_APPARMOR_DEBUG
	default y
	help
	  Enable code assertions made with AA_BUG. These are primarily
	  function entry preconditions but also exist at other key
	  points. If the assert is triggered it will trigger a WARN
	  message.

config SECURITY_APPARMOR_DEBUG_MESSAGES
	bool "Debug messages enabled by default"
	depends on SECURITY_APPARMOR_DEBUG
	default n
	help
	  Set the default value of the apparmor.debug kernel parameter.
	  When enabled, various debug messages will be logged to
	  the kernel message buffer.