security/apparmor/Kconfig

Source file repositories/reference/linux-study-clean/security/apparmor/Kconfig

File Facts

System: Linux kernel
Corpus path: security/apparmor/Kconfig
Extension: [no extension]
Size: 4432 bytes
Lines: 123
Domain: Core OS
Bucket: Security And Isolation
Inferred role: Core OS: build/configuration rule
Status: atlas-only

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Annotated Snippet

# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_APPARMOR
	bool "AppArmor support"
	depends on SECURITY && NET
	select AUDIT
	select SECURITY_PATH
	select SECURITYFS
	select SECURITY_NETWORK
	default n
	help
	  This enables the AppArmor security module.
	  Required userspace tools (if they are not included in your
	  distribution) and further information may be found at
	  http://apparmor.wiki.kernel.org

	  If you are unsure how to answer this question, answer N.

config SECURITY_APPARMOR_DEBUG
	bool "Build AppArmor with debug code"
	depends on SECURITY_APPARMOR
	default n
	help
	  Build apparmor with debugging logic in apparmor. Not all
	  debugging logic will necessarily be enabled. A submenu will
	  provide fine grained control of the debug options that are
	  available.

config SECURITY_APPARMOR_DEBUG_ASSERTS
	bool "Build AppArmor with debugging asserts"
	depends on SECURITY_APPARMOR_DEBUG
	default y
	help
	  Enable code assertions made with AA_BUG. These are primarily
	  function entry preconditions but also exist at other key
	  points. If the assert is triggered it will trigger a WARN
	  message.

config SECURITY_APPARMOR_DEBUG_MESSAGES
	bool "Debug messages enabled by default"
	depends on SECURITY_APPARMOR_DEBUG
	default n
	help
	  Set the default value of the apparmor.debug kernel parameter.
	  When enabled, various debug messages will be logged to
	  the kernel message buffer.

config SECURITY_APPARMOR_INTROSPECT_POLICY
	bool "Allow loaded policy to be introspected"
	depends on SECURITY_APPARMOR
	default y
	help
	  This option selects whether introspection of loaded policy
	  is available to userspace via the apparmor filesystem. This
	  adds to kernel memory usage. It is required for introspection
	  of loaded policy, and check point and restore support. It
	  can be disabled for embedded systems where reducing memory and
	  cpu is paramount.

config SECURITY_APPARMOR_HASH
	bool "Enable introspection of sha256 hashes for loaded profiles"
	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
	select CRYPTO_LIB_SHA256
	default y
	help
	  This option selects whether introspection of loaded policy
	  hashes is available to userspace via the apparmor
	  filesystem. This option provides a light weight means of
	  checking loaded policy.  This option adds to policy load
	  time and can be disabled for small embedded systems.

Annotation

Implementation Notes