security/apparmor/Kconfig
Source file repositories/reference/linux-study-clean/security/apparmor/Kconfig
File Facts
- System
- Linux kernel
- Corpus path
security/apparmor/Kconfig- Extension
[no extension]- Size
- 4432 bytes
- Lines
- 123
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: build/configuration rule
- Status
- atlas-only
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
- No top-level syscall, struct, function, initcall, or export declaration detected by the generator.
Annotated Snippet
# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_APPARMOR
bool "AppArmor support"
depends on SECURITY && NET
select AUDIT
select SECURITY_PATH
select SECURITYFS
select SECURITY_NETWORK
default n
help
This enables the AppArmor security module.
Required userspace tools (if they are not included in your
distribution) and further information may be found at
http://apparmor.wiki.kernel.org
If you are unsure how to answer this question, answer N.
config SECURITY_APPARMOR_DEBUG
bool "Build AppArmor with debug code"
depends on SECURITY_APPARMOR
default n
help
Build apparmor with debugging logic in apparmor. Not all
debugging logic will necessarily be enabled. A submenu will
provide fine grained control of the debug options that are
available.
config SECURITY_APPARMOR_DEBUG_ASSERTS
bool "Build AppArmor with debugging asserts"
depends on SECURITY_APPARMOR_DEBUG
default y
help
Enable code assertions made with AA_BUG. These are primarily
function entry preconditions but also exist at other key
points. If the assert is triggered it will trigger a WARN
message.
config SECURITY_APPARMOR_DEBUG_MESSAGES
bool "Debug messages enabled by default"
depends on SECURITY_APPARMOR_DEBUG
default n
help
Set the default value of the apparmor.debug kernel parameter.
When enabled, various debug messages will be logged to
the kernel message buffer.
config SECURITY_APPARMOR_INTROSPECT_POLICY
bool "Allow loaded policy to be introspected"
depends on SECURITY_APPARMOR
default y
help
This option selects whether introspection of loaded policy
is available to userspace via the apparmor filesystem. This
adds to kernel memory usage. It is required for introspection
of loaded policy, and check point and restore support. It
can be disabled for embedded systems where reducing memory and
cpu is paramount.
config SECURITY_APPARMOR_HASH
bool "Enable introspection of sha256 hashes for loaded profiles"
depends on SECURITY_APPARMOR_INTROSPECT_POLICY
select CRYPTO_LIB_SHA256
default y
help
This option selects whether introspection of loaded policy
hashes is available to userspace via the apparmor
filesystem. This option provides a light weight means of
checking loaded policy. This option adds to policy load
time and can be disabled for small embedded systems.
Annotation
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.