6059f71f1e
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
57 lines
1.8 KiB
Plaintext
57 lines
1.8 KiB
Plaintext
config SECURITY_APPARMOR
|
|
bool "AppArmor support"
|
|
depends on SECURITY && NET
|
|
select AUDIT
|
|
select SECURITY_PATH
|
|
select SECURITYFS
|
|
select SECURITY_NETWORK
|
|
default n
|
|
help
|
|
This enables the AppArmor security module.
|
|
Required userspace tools (if they are not included in your
|
|
distribution) and further information may be found at
|
|
http://apparmor.wiki.kernel.org
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_APPARMOR_BOOTPARAM_VALUE
|
|
int "AppArmor boot parameter default value"
|
|
depends on SECURITY_APPARMOR
|
|
range 0 1
|
|
default 1
|
|
help
|
|
This option sets the default value for the kernel parameter
|
|
'apparmor', which allows AppArmor to be enabled or disabled
|
|
at boot. If this option is set to 0 (zero), the AppArmor
|
|
kernel parameter will default to 0, disabling AppArmor at
|
|
boot. If this option is set to 1 (one), the AppArmor
|
|
kernel parameter will default to 1, enabling AppArmor at
|
|
boot.
|
|
|
|
If you are unsure how to answer this question, answer 1.
|
|
|
|
config SECURITY_APPARMOR_HASH
|
|
bool "Enable introspection of sha1 hashes for loaded profiles"
|
|
depends on SECURITY_APPARMOR
|
|
select CRYPTO
|
|
select CRYPTO_SHA1
|
|
default y
|
|
|
|
help
|
|
This option selects whether introspection of loaded policy
|
|
is available to userspace via the apparmor filesystem.
|
|
|
|
config SECURITY_APPARMOR_HASH_DEFAULT
|
|
bool "Enable policy hash introspection by default"
|
|
depends on SECURITY_APPARMOR_HASH
|
|
default y
|
|
|
|
help
|
|
This option selects whether sha1 hashing of loaded policy
|
|
is enabled by default. The generation of sha1 hashes for
|
|
loaded policy provide system administrators a quick way
|
|
to verify that policy in the kernel matches what is expected,
|
|
however it can slow down policy load on some devices. In
|
|
these cases policy hashing can be disabled by default and
|
|
enabled only if needed.
|