| Commit | Line | Data |
|---|---|---|
| ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| e114e473 CS | 2 | config SECURITY_SMACK |
| | 3 | bool "Simplified Mandatory Access Control Kernel Support" |
| 111fe8bd CS | 4 | depends on NET |
| | 5 | depends on INET |
| | 6 | depends on SECURITY |
| | 7 | select NETLABEL |
| | 8 | select SECURITY_NETWORK |
| e114e473 CS | 9 | default n |
| | 10 | help |
| | 11 | This selects the Simplified Mandatory Access Control Kernel. |
| | 12 | Smack is useful for sensitivity, integrity, and a variety |
| | 13 | of other mandatory security schemes. |
| | 14 | If you are unsure how to answer this question, answer N. |
| | 15 | |
| d166c802 CS | 16 | config SECURITY_SMACK_BRINGUP |
| | 17 | bool "Reporting on access granted by Smack rules" |
| | 18 | depends on SECURITY_SMACK |
| | 19 | default n |
| | 20 | help |
| | 21 | Enable the bring-up ("b") access mode in Smack rules. |
| | 22 | When access is granted by a rule with the "b" mode a |
| | 23 | message about the access requested is generated. The |
| | 24 | intention is that a process can be granted a wide set |
| | 25 | of access initially with the bringup mode set on the |
| | 26 | rules. The developer can use the information to |
| | 27 | identify which rules are necessary and what accesses |
| | 28 | may be inappropriate. The developer can reduce the |
| | 29 | access rule set once the behavior is well understood. |
| | 30 | This is a superior mechanism to the oft abused |
| | 31 | "permissive" mode of other systems. |
| 69f287ae CS | 32 | If you are unsure how to answer this question, answer N. |
| | 33 | |
| | 34 | config SECURITY_SMACK_NETFILTER |
| | 35 | bool "Packet marking using secmarks for netfilter" |
| | 36 | depends on SECURITY_SMACK |
| | 37 | depends on NETWORK_SECMARK |
| | 38 | depends on NETFILTER |
| | 39 | default n |
| | 40 | help |
| | 41 | This enables security marking of network packets using |
| | 42 | Smack labels. |
| | 43 | If you are unsure how to answer this question, answer N. |
| c60b9066 CS | 44 | |
| | 45 | config SECURITY_SMACK_APPEND_SIGNALS |
| | 46 | bool "Treat delivering signals as an append operation" |
| | 47 | depends on SECURITY_SMACK |
| | 48 | default n |
| | 49 | help |
| | 50 | Sending a signal has been treated as a write operation to the |
| | 51 | receiving process. If this option is selected, the delivery |
| | 52 | will be an append operation instead. This makes it possible |
| | 53 | to differentiate between delivering a network packet and |
| | 54 | delivering a signal in the Smack rules. |
| | 55 | If you are unsure how to answer this question, answer N. |