OSCL-LXR linux-6.0.1/​security/​apparmor/​Kconfig	Source navigation Diff markup Identifier search General search
	Version: linux-6.0.1 spark-3.0.0 hadoop-3.2.0-src hadoop-3.3.0-src spark-2.4.7 linux-4.15.13 hadoop-2.7.4-src Revert   Change

 # SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_APPARMOR
         bool "AppArmor support"
         depends on SECURITY && NET
         select AUDIT
         select SECURITY_PATH
         select SECURITYFS
         select SECURITY_NETWORK
         default n
         help
           This enables the AppArmor security module.
           Required userspace tools (if they are not included in your
           distribution) and further information may be found at
           http://apparmor.wiki.kernel.org
 
           If you are unsure how to answer this question, answer N.
 
 config SECURITY_APPARMOR_DEBUG
         bool "Build AppArmor with debug code"
         depends on SECURITY_APPARMOR
         default n
         help
           Build apparmor with debugging logic in apparmor. Not all
           debugging logic will necessarily be enabled. A submenu will
           provide fine grained control of the debug options that are
           available.
 
 config SECURITY_APPARMOR_DEBUG_ASSERTS
         bool "Build AppArmor with debugging asserts"
         depends on SECURITY_APPARMOR_DEBUG
         default y
         help
           Enable code assertions made with AA_BUG. These are primarily
           function entry preconditions but also exist at other key
           points. If the assert is triggered it will trigger a WARN
           message.
 
 config SECURITY_APPARMOR_DEBUG_MESSAGES
         bool "Debug messages enabled by default"
         depends on SECURITY_APPARMOR_DEBUG
         default n
         help
           Set the default value of the apparmor.debug kernel parameter.
           When enabled, various debug messages will be logged to
           the kernel message buffer.
 
 config SECURITY_APPARMOR_INTROSPECT_POLICY
         bool "Allow loaded policy to be introspected"
         depends on SECURITY_APPARMOR
         default y
         help
           This option selects whether introspection of loaded policy
           is available to userspace via the apparmor filesystem. This
           adds to kernel memory usage. It is required for introspection
           of loaded policy, and check point and restore support. It
           can be disabled for embedded systems where reducing memory and
           cpu is paramount.
 
 config SECURITY_APPARMOR_HASH
         bool "Enable introspection of sha1 hashes for loaded profiles"
         depends on SECURITY_APPARMOR_INTROSPECT_POLICY
         select CRYPTO
         select CRYPTO_SHA1
         default y
         help
           This option selects whether introspection of loaded policy
           hashes is available to userspace via the apparmor
           filesystem. This option provides a light weight means of
           checking loaded policy.  This option adds to policy load
           time and can be disabled for small embedded systems.
 
 config SECURITY_APPARMOR_HASH_DEFAULT
        bool "Enable policy hash introspection by default"
        depends on SECURITY_APPARMOR_HASH
        default y
        help
          This option selects whether sha1 hashing of loaded policy
          is enabled by default. The generation of sha1 hashes for
          loaded policy provide system administrators a quick way
          to verify that policy in the kernel matches what is expected,
          however it can slow down policy load on some devices. In
          these cases policy hashing can be disabled by default and
          enabled only if needed.
 
 config SECURITY_APPARMOR_EXPORT_BINARY
         bool "Allow exporting the raw binary policy"
         depends on SECURITY_APPARMOR_INTROSPECT_POLICY
         select ZLIB_INFLATE
         select ZLIB_DEFLATE
         default y
         help
           This option allows reading back binary policy as it was loaded.
           It increases the amount of kernel memory needed by policy and
           also increases policy load time. This option is required for
           checkpoint and restore support, and debugging of loaded policy.
 
 config SECURITY_APPARMOR_PARANOID_LOAD
         bool "Perform full verification of loaded policy"
         depends on SECURITY_APPARMOR
         default y
         help
           This options allows controlling whether apparmor does a full
           verification of loaded policy. This should not be disabled
           except for embedded systems where the image is read only,
           includes policy, and has some form of integrity check.
           Disabling the check will speed up policy loads.
 
 config SECURITY_APPARMOR_KUNIT_TEST
         bool "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS
         depends on KUNIT=y && SECURITY_APPARMOR
         default KUNIT_ALL_TESTS
         help
           This builds the AppArmor KUnit tests.
 
           KUnit tests run during boot and output the results to the debug log
           in TAP format (https://testanything.org/). Only useful for kernel devs
           running KUnit test harness and are not for inclusion into a
           production build.
 
           For more information on KUnit and unit tests in general please refer
           to the KUnit documentation in Documentation/dev-tools/kunit/.
 
           If unsure, say N.

This page was automatically generated by the 2.1.0 LXR engine. The LXR team