linux-hardened/security/apparmor/Kconfig
John Johansen 680cd62e91 apparmor: add debug assert AA_BUG and Kconfig to control debug info
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16 01:18:24 -08:00

83 lines
2.8 KiB
Text

config SECURITY_APPARMOR
bool "AppArmor support"
depends on SECURITY && NET
select AUDIT
select SECURITY_PATH
select SECURITYFS
select SECURITY_NETWORK
default n
help
This enables the AppArmor security module.
Required userspace tools (if they are not included in your
distribution) and further information may be found at
http://apparmor.wiki.kernel.org
If you are unsure how to answer this question, answer N.
config SECURITY_APPARMOR_BOOTPARAM_VALUE
int "AppArmor boot parameter default value"
depends on SECURITY_APPARMOR
range 0 1
default 1
help
This option sets the default value for the kernel parameter
'apparmor', which allows AppArmor to be enabled or disabled
at boot. If this option is set to 0 (zero), the AppArmor
kernel parameter will default to 0, disabling AppArmor at
boot. If this option is set to 1 (one), the AppArmor
kernel parameter will default to 1, enabling AppArmor at
boot.
If you are unsure how to answer this question, answer 1.
config SECURITY_APPARMOR_HASH
bool "Enable introspection of sha1 hashes for loaded profiles"
depends on SECURITY_APPARMOR
select CRYPTO
select CRYPTO_SHA1
default y
help
This option selects whether introspection of loaded policy
is available to userspace via the apparmor filesystem.
config SECURITY_APPARMOR_HASH_DEFAULT
bool "Enable policy hash introspection by default"
depends on SECURITY_APPARMOR_HASH
default y
help
This option selects whether sha1 hashing of loaded policy
is enabled by default. The generation of sha1 hashes for
loaded policy provide system administrators a quick way
to verify that policy in the kernel matches what is expected,
however it can slow down policy load on some devices. In
these cases policy hashing can be disabled by default and
enabled only if needed.
config SECURITY_APPARMOR_DEBUG
bool "Build AppArmor with debug code"
depends on SECURITY_APPARMOR
default n
help
Build apparmor with debugging logic in apparmor. Not all
debugging logic will necessarily be enabled. A submenu will
provide fine grained control of the debug options that are
available.
config SECURITY_APPARMOR_DEBUG_ASSERTS
bool "Build AppArmor with debugging asserts"
depends on SECURITY_APPARMOR_DEBUG
default y
help
Enable code assertions made with AA_BUG. These are primarily
function entry preconditions but also exist at other key
points. If the assert is triggered it will trigger a WARN
message.
config SECURITY_APPARMOR_DEBUG_MESSAGES
bool "Debug messages enabled by default"
depends on SECURITY_APPARMOR_DEBUG
default n
help
Set the default value of the apparmor.debug kernel parameter.
When enabled, various debug messages will be logged to
the kernel message buffer.