79 lines
2.5 KiB
Plaintext
79 lines
2.5 KiB
Plaintext
config SECURITY_APPARMOR
|
|
bool "AppArmor support"
|
|
depends on SECURITY && NET
|
|
select AUDIT
|
|
select SECURITY_PATH
|
|
select SECURITYFS
|
|
select SECURITY_NETWORK
|
|
default n
|
|
help
|
|
This enables the AppArmor security module.
|
|
Required userspace tools (if they are not included in your
|
|
distribution) and further information may be found at
|
|
http://apparmor.wiki.kernel.org
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_APPARMOR_BOOTPARAM_VALUE
|
|
int "AppArmor boot parameter default value"
|
|
depends on SECURITY_APPARMOR
|
|
range 0 1
|
|
default 1
|
|
help
|
|
This option sets the default value for the kernel parameter
|
|
'apparmor', which allows AppArmor to be enabled or disabled
|
|
at boot. If this option is set to 0 (zero), the AppArmor
|
|
kernel parameter will default to 0, disabling AppArmor at
|
|
boot. If this option is set to 1 (one), the AppArmor
|
|
kernel parameter will default to 1, enabling AppArmor at
|
|
boot.
|
|
|
|
If you are unsure how to answer this question, answer 1.
|
|
|
|
config SECURITY_APPARMOR_STATS
|
|
bool "enable debug statistics"
|
|
depends on SECURITY_APPARMOR
|
|
select APPARMOR_LABEL_STATS
|
|
default n
|
|
help
|
|
This enables keeping statistics on various internal structures
|
|
and functions in apparmor.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_APPARMOR_UNCONFINED_INIT
|
|
bool "Set init to unconfined on boot"
|
|
depends on SECURITY_APPARMOR
|
|
default y
|
|
help
|
|
This option determines policy behavior during early boot by
|
|
placing the init process in the unconfined state, or the
|
|
'default' profile.
|
|
|
|
This option determines policy behavior during early boot by
|
|
placing the init process in the unconfined state, or the
|
|
'default' profile.
|
|
|
|
'Y' means init and its children are not confined, unless the
|
|
init process is re-execed after a policy load; loaded policy
|
|
will only apply to processes started after the load.
|
|
|
|
'N' means init and its children are confined in a profile
|
|
named 'default', which can be replaced later and thus
|
|
provide for confinement for processes started early at boot,
|
|
though not confined during early boot.
|
|
|
|
If you are unsure how to answer this question, answer Y.
|
|
|
|
config SECURITY_APPARMOR_HASH
|
|
bool "SHA1 hash of loaded profiles"
|
|
depends on SECURITY_APPARMOR
|
|
depends on CRYPTO
|
|
select CRYPTO_SHA1
|
|
default y
|
|
|
|
help
|
|
This option selects whether sha1 hashing is done against loaded
|
|
profiles and exported for inspection to user space via the apparmor
|
|
filesystem.
|