xref: /openbmc/linux/security/apparmor/Kconfig (revision ba61bb17)
1config SECURITY_APPARMOR
2	bool "AppArmor support"
3	depends on SECURITY && NET
4	select AUDIT
5	select SECURITY_PATH
6	select SECURITYFS
7	select SECURITY_NETWORK
8	default n
9	help
10	  This enables the AppArmor security module.
11	  Required userspace tools (if they are not included in your
12	  distribution) and further information may be found at
13	  http://apparmor.wiki.kernel.org
14
15	  If you are unsure how to answer this question, answer N.
16
17config SECURITY_APPARMOR_BOOTPARAM_VALUE
18	int "AppArmor boot parameter default value"
19	depends on SECURITY_APPARMOR
20	range 0 1
21	default 1
22	help
23	  This option sets the default value for the kernel parameter
24	  'apparmor', which allows AppArmor to be enabled or disabled
25          at boot.  If this option is set to 0 (zero), the AppArmor
26	  kernel parameter will default to 0, disabling AppArmor at
27	  boot.  If this option is set to 1 (one), the AppArmor
28	  kernel parameter will default to 1, enabling AppArmor at
29	  boot.
30
31	  If you are unsure how to answer this question, answer 1.
32
33config SECURITY_APPARMOR_HASH
34	bool "Enable introspection of sha1 hashes for loaded profiles"
35	depends on SECURITY_APPARMOR
36	select CRYPTO
37	select CRYPTO_SHA1
38	default y
39	help
40	  This option selects whether introspection of loaded policy
41	  is available to userspace via the apparmor filesystem.
42
43config SECURITY_APPARMOR_HASH_DEFAULT
44       bool "Enable policy hash introspection by default"
45       depends on SECURITY_APPARMOR_HASH
46       default y
47       help
48         This option selects whether sha1 hashing of loaded policy
49	 is enabled by default. The generation of sha1 hashes for
50	 loaded policy provide system administrators a quick way
51	 to verify that policy in the kernel matches what is expected,
52	 however it can slow down policy load on some devices. In
53	 these cases policy hashing can be disabled by default and
54	 enabled only if needed.
55
56config SECURITY_APPARMOR_DEBUG
57	bool "Build AppArmor with debug code"
58	depends on SECURITY_APPARMOR
59	default n
60	help
61	  Build apparmor with debugging logic in apparmor. Not all
62	  debugging logic will necessarily be enabled. A submenu will
63	  provide fine grained control of the debug options that are
64	  available.
65
66config SECURITY_APPARMOR_DEBUG_ASSERTS
67	bool "Build AppArmor with debugging asserts"
68	depends on SECURITY_APPARMOR_DEBUG
69	default y
70	help
71	  Enable code assertions made with AA_BUG. These are primarily
72	  function entry preconditions but also exist at other key
73	  points. If the assert is triggered it will trigger a WARN
74	  message.
75
76config SECURITY_APPARMOR_DEBUG_MESSAGES
77	bool "Debug messages enabled by default"
78	depends on SECURITY_APPARMOR_DEBUG
79	default n
80	help
81	  Set the default value of the apparmor.debug kernel parameter.
82	  When enabled, various debug messages will be logged to
83	  the kernel message buffer.
84