# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_APPARMOR
	bool "AppArmor support"
	depends on SECURITY && NET
	select AUDIT
	select SECURITY_PATH
	select SECURITYFS
	select SECURITY_NETWORK
	default n
	help
	  This enables the AppArmor security module.
	  Required userspace tools (if they are not included in your
	  distribution) and further information may be found at
	  http://apparmor.wiki.kernel.org

	  If you are unsure how to answer this question, answer N.

config SECURITY_APPARMOR_HASH
	bool "Enable introspection of sha1 hashes for loaded profiles"
	depends on SECURITY_APPARMOR
	select CRYPTO
	select CRYPTO_SHA1
	default y
	help
	  This option selects whether introspection of loaded policy
	  is available to userspace via the apparmor filesystem.

config SECURITY_APPARMOR_HASH_DEFAULT
	bool "Enable policy hash introspection by default"
	depends on SECURITY_APPARMOR_HASH
	default y
	help
	  This option selects whether sha1 hashing of loaded policy
	  is enabled by default. The generation of sha1 hashes for
	  loaded policy provide system administrators a quick way
	  to verify that policy in the kernel matches what is expected,
	  however it can slow down policy load on some devices. In
	  these cases policy hashing can be disabled by default and
	  enabled only if needed.

config SECURITY_APPARMOR_DEBUG
	bool "Build AppArmor with debug code"
	depends on SECURITY_APPARMOR
	default n
	help
	  Build apparmor with debugging logic in apparmor. Not all
	  debugging logic will necessarily be enabled. A submenu will
	  provide fine grained control of the debug options that are
	  available.

config SECURITY_APPARMOR_DEBUG_ASSERTS
	bool "Build AppArmor with debugging asserts"
	depends on SECURITY_APPARMOR_DEBUG
	default y
	help
	  Enable code assertions made with AA_BUG. These are primarily
	  function entry preconditions but also exist at other key
	  points. If the assert is triggered it will trigger a WARN
	  message.

config SECURITY_APPARMOR_DEBUG_MESSAGES
	bool "Debug messages enabled by default"
	depends on SECURITY_APPARMOR_DEBUG
	default n
	help
	  Set the default value of the apparmor.debug kernel parameter.
	  When enabled, various debug messages will be logged to
	  the kernel message buffer.
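
The SECURITY_APPARMOR_HASH_DEFAULT help text describes using the sha1 hashes to verify that policy in the kernel matches what is expected; the script below is an added example of that check and is not part of the kernel source. It assumes the apparmor filesystem exposes each loaded profile as a directory containing `name` and `sha1` files under `/sys/kernel/security/apparmor/policy/profiles`; the baseline file format and the function name `check_policy_hashes` are made up for this example.

```shell
#!/bin/sh
# Added example: compare sha1 hashes of loaded AppArmor profiles with a baseline.
# Assumed layout (not stated on the page): <dir>/<entry>/name and <dir>/<entry>/sha1.
# Baseline format (constructed for this example): "<sha1-hex> <profile name>" per line.

PROFILES_DIR_DEFAULT=/sys/kernel/security/apparmor/policy/profiles

# Usage: check_policy_hashes [profiles_dir] baseline_file
# Prints one line per finding; returns 0 if everything matches, 1 otherwise.
check_policy_hashes() {
    dir=${1:-$PROFILES_DIR_DEFAULT}
    baseline=$2
    rc=0
    seen=$(mktemp) || return 2

    for entry in "$dir"/*/; do
        [ -r "${entry}name" ] || continue
        name=$(cat "${entry}name")
        printf '%s\n' "$name" >>"$seen"
        if [ ! -r "${entry}sha1" ]; then
            # No sha1 file: hash introspection not built in, or hashing disabled.
            echo "NOHASH $name"; rc=1; continue
        fi
        loaded=$(tr -d ' \n' <"${entry}sha1")
        # Look up the expected hash by exact profile name (names may contain '/').
        want=$(awk -v n="$name" \
            '{h=$1; sub(/^[^ ]+ +/, ""); if ($0 "" == n) {print h; exit}}' "$baseline")
        if [ -z "$want" ]; then
            echo "UNEXPECTED $name"; rc=1      # loaded but not in the baseline
        elif [ "$loaded" != "$want" ]; then
            echo "MISMATCH $name"; rc=1        # loaded policy differs from baseline
        fi
    done

    # Baseline profiles that are not loaded at all.
    while read -r _hash name; do
        [ -n "$name" ] || continue
        grep -Fxq -- "$name" "$seen" || { echo "MISSING $name"; rc=1; }
    done <"$baseline"

    rm -f "$seen"
    return $rc
}
```

Call it as `check_policy_hashes "" /path/to/baseline` to use the default securityfs location; reading that tree normally requires root.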