Thomas Gleixner | ec8f24b | 2019-05-19 13:07:45 +0100 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | 2 | config SECURITY_SMACK |
| 3 | bool "Simplified Mandatory Access Control Kernel Support" |
Casey Schaufler | 111fe8b | 2012-11-02 11:28:11 -0700 | 4 | depends on NET |
| 5 | depends on INET |
| 6 | depends on SECURITY |
| 7 | select NETLABEL |
| 8 | select SECURITY_NETWORK |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | 9 | default n |
| 10 | help |
| 11 | This selects the Simplified Mandatory Access Control Kernel. |
| 12 | Smack is useful for sensitivity, integrity, and a variety |
| 13 | of other mandatory security schemes. |
| 14 | If you are unsure how to answer this question, answer N. |
| 15 | |
Casey Schaufler | d166c80 | 2014-08-27 14:51:27 -0700 | 16 | config SECURITY_SMACK_BRINGUP |
| 17 | bool "Reporting on access granted by Smack rules" |
| 18 | depends on SECURITY_SMACK |
| 19 | default n |
| 20 | help |
| 21 | Enable the bring-up ("b") access mode in Smack rules. |
| 22 | When access is granted by a rule with the "b" mode a |
| 23 | message about the access requested is generated. The |
| 24 | intention is that a process can be granted a wide set |
| 25 | of access initially with the bringup mode set on the |
| 26 | rules. The developer can use the information to |
| 27 | identify which rules are necessary and what accesses |
| 28 | may be inappropriate. The developer can reduce the |
| 29 | access rule set once the behavior is well understood. |
| 30 | This is a superior mechanism to the oft abused |
| 31 | "permissive" mode of other systems. |
Casey Schaufler | 69f287a | 2014-12-12 17:08:40 -0800 | 32 | If you are unsure how to answer this question, answer N. |
| 33 | |
| 34 | config SECURITY_SMACK_NETFILTER |
| 35 | bool "Packet marking using secmarks for netfilter" |
| 36 | depends on SECURITY_SMACK |
| 37 | depends on NETWORK_SECMARK |
| 38 | depends on NETFILTER |
| 39 | default n |
| 40 | help |
| 41 | This enables security marking of network packets using |
| 42 | Smack labels. |
| 43 | If you are unsure how to answer this question, answer N. |
Casey Schaufler | c60b906 | 2016-08-30 10:31:39 -0700 | 44 | |
| 45 | config SECURITY_SMACK_APPEND_SIGNALS |
| 46 | bool "Treat delivering signals as an append operation" |
| 47 | depends on SECURITY_SMACK |
| 48 | default n |
| 49 | help |
| 50 | Sending a signal has been treated as a write operation to the |
| 51 | receiving process. If this option is selected, the delivery |
| 52 | will be an append operation instead. This makes it possible |
| 53 | to differentiate between delivering a network packet and |
| 54 | delivering a signal in the Smack rules. |
| 55 | If you are unsure how to answer this question, answer N. |