| config SECURITY_APPARMOR |
| bool "AppArmor support" |
| depends on SECURITY && NET |
| select AUDIT |
| select SECURITY_PATH |
| select SECURITYFS |
| select SECURITY_NETWORK |
| default n |
| help |
| This enables the AppArmor security module. |
| Required userspace tools (if they are not included in your |
| distribution) and further information may be found at |
| http://apparmor.wiki.kernel.org |
| |
| If you are unsure how to answer this question, answer N. |
| |
| config SECURITY_APPARMOR_BOOTPARAM_VALUE |
| int "AppArmor boot parameter default value" |
| depends on SECURITY_APPARMOR |
| range 0 1 |
| default 1 |
| help |
| This option sets the default value for the kernel parameter |
| 'apparmor', which allows AppArmor to be enabled or disabled |
| at boot. If this option is set to 0 (zero), the AppArmor |
| kernel parameter will default to 0, disabling AppArmor at |
| boot. If this option is set to 1 (one), the AppArmor |
| kernel parameter will default to 1, enabling AppArmor at |
| boot. |
| |
| If you are unsure how to answer this question, answer 1. |
| |
| config SECURITY_APPARMOR_STATS |
| bool "enable debug statistics" |
| depends on SECURITY_APPARMOR |
| select APPARMOR_LABEL_STATS |
| default n |
| help |
| This enables keeping statistics on various internal structures |
| and functions in apparmor. |
| |
| If you are unsure how to answer this question, answer N. |
| |
| config SECURITY_APPARMOR_UNCONFINED_INIT |
| bool "Set init to unconfined on boot" |
| depends on SECURITY_APPARMOR |
| default y |
| help |
| This option determines policy behavior during early boot by |
| placing the init process in the unconfined state, or the |
| 'default' profile. |
| |
| This option determines policy behavior during early boot by |
| placing the init process in the unconfined state, or the |
| 'default' profile. |
| |
| 'Y' means init and its children are not confined, unless the |
| init process is re-execed after a policy load; loaded policy |
| will only apply to processes started after the load. |
| |
| 'N' means init and its children are confined in a profile |
| named 'default', which can be replaced later and thus |
| provide for confinement for processes started early at boot, |
| though not confined during early boot. |
| |
| If you are unsure how to answer this question, answer Y. |
| |
| config SECURITY_APPARMOR_HASH |
| bool "enable introspection of sha1 hashes for loaded profiles" |
| depends on SECURITY_APPARMOR |
| depends on CRYPTO |
| select CRYPTO_SHA1 |
| default y |
| |
| help |
| This option selects whether introspection of loaded policy |
| is available to userspace via the apparmor filesystem. |
| |
| config SECURITY_APPARMOR_HASH_DEFAULT |
| bool "Enable policy hash introspection by default" |
| depends on SECURITY_APPARMOR_HASH |
| default y |
| |
| help |
| This option selects whether sha1 hashing of loaded policy |
| is enabled by default. The generation of sha1 hashes for |
| loaded policy provide system administrators a quick way |
| to verify that policy in the kernel matches what is expected, |
| however it can slow down policy load on some devices. In |
| these cases policy hashing can be disabled by default and |
| enabled only if needed. |