Merge remote-tracking branch 'airlied/drm-next' into drm-intel-next-queued

[karo-tx-linux.git] / security / apparmor / Kconfig

diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index 232469baa94f2f17e686f2cf702a56424eda8176..be5e9414a29574c80aca1cd9cab242a99ce77508 100644 (file)
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -31,13 +31,26 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
          If you are unsure how to answer this question, answer 1.
 
 config SECURITY_APPARMOR_HASH
-       bool "SHA1 hash of loaded profiles"
+       bool "Enable introspection of sha1 hashes for loaded profiles"
        depends on SECURITY_APPARMOR
        select CRYPTO
        select CRYPTO_SHA1
        default y
 
        help
-         This option selects whether sha1 hashing is done against loaded
-          profiles and exported for inspection to user space via the apparmor
-          filesystem.
+         This option selects whether introspection of loaded policy
+         is available to userspace via the apparmor filesystem.
+
+config SECURITY_APPARMOR_HASH_DEFAULT
+       bool "Enable policy hash introspection by default"
+       depends on SECURITY_APPARMOR_HASH
+       default y
+
+       help
+         This option selects whether sha1 hashing of loaded policy
+        is enabled by default. The generation of sha1 hashes for
+        loaded policy provide system administrators a quick way
+        to verify that policy in the kernel matches what is expected,
+        however it can slow down policy load on some devices. In
+        these cases policy hashing can be disabled by default and
+        enabled only if needed.