xref: /openbmc/linux/security/apparmor/Kconfig (revision d2574c33)
1config SECURITY_APPARMOR
2	bool "AppArmor support"
3	depends on SECURITY && NET
4	select AUDIT
5	select SECURITY_PATH
6	select SECURITYFS
7	select SECURITY_NETWORK
8	default n
9	help
10	  This enables the AppArmor security module.
11	  Required userspace tools (if they are not included in your
12	  distribution) and further information may be found at
13	  http://apparmor.wiki.kernel.org
14
15	  If you are unsure how to answer this question, answer N.
16
17config SECURITY_APPARMOR_HASH
18	bool "Enable introspection of sha1 hashes for loaded profiles"
19	depends on SECURITY_APPARMOR
20	select CRYPTO
21	select CRYPTO_SHA1
22	default y
23	help
24	  This option selects whether introspection of loaded policy
25	  is available to userspace via the apparmor filesystem.
26
27config SECURITY_APPARMOR_HASH_DEFAULT
28       bool "Enable policy hash introspection by default"
29       depends on SECURITY_APPARMOR_HASH
30       default y
31       help
32         This option selects whether sha1 hashing of loaded policy
33	 is enabled by default. The generation of sha1 hashes for
34	 loaded policy provide system administrators a quick way
35	 to verify that policy in the kernel matches what is expected,
36	 however it can slow down policy load on some devices. In
37	 these cases policy hashing can be disabled by default and
38	 enabled only if needed.
39
40config SECURITY_APPARMOR_DEBUG
41	bool "Build AppArmor with debug code"
42	depends on SECURITY_APPARMOR
43	default n
44	help
45	  Build apparmor with debugging logic in apparmor. Not all
46	  debugging logic will necessarily be enabled. A submenu will
47	  provide fine grained control of the debug options that are
48	  available.
49
50config SECURITY_APPARMOR_DEBUG_ASSERTS
51	bool "Build AppArmor with debugging asserts"
52	depends on SECURITY_APPARMOR_DEBUG
53	default y
54	help
55	  Enable code assertions made with AA_BUG. These are primarily
56	  function entry preconditions but also exist at other key
57	  points. If the assert is triggered it will trigger a WARN
58	  message.
59
60config SECURITY_APPARMOR_DEBUG_MESSAGES
61	bool "Debug messages enabled by default"
62	depends on SECURITY_APPARMOR_DEBUG
63	default n
64	help
65	  Set the default value of the apparmor.debug kernel parameter.
66	  When enabled, various debug messages will be logged to
67	  the kernel message buffer.
68