]>
Commit | Line | Data |
---|---|---|
00d7d6f8 KT |
1 | config SECURITY_TOMOYO |
2 | bool "TOMOYO Linux Support" | |
3 | depends on SECURITY | |
059d84db | 4 | depends on NET |
00d7d6f8 KT |
5 | select SECURITYFS |
6 | select SECURITY_PATH | |
059d84db | 7 | select SECURITY_NETWORK |
83fe27ea | 8 | select SRCU |
00d7d6f8 KT |
9 | default n |
10 | help | |
11 | This selects TOMOYO Linux, pathname-based access control. | |
12 | Required userspace tools and further information may be | |
13 | found at <http://tomoyo.sourceforge.jp/>. | |
14 | If you are unsure how to answer this question, answer N. | |
0e4ae0e0 TH |
15 | |
16 | config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY | |
17 | int "Default maximal count for learning mode" | |
18 | default 2048 | |
19 | range 0 2147483647 | |
20 | depends on SECURITY_TOMOYO | |
21 | help | |
22 | This is the default value for maximal ACL entries | |
23 | that are automatically appended into policy at "learning mode". | |
24 | Some programs access thousands of objects, so running | |
25 | such programs in "learning mode" dulls the system response | |
26 | and consumes much memory. | |
27 | This is the safeguard for such programs. | |
28 | ||
29 | config SECURITY_TOMOYO_MAX_AUDIT_LOG | |
30 | int "Default maximal count for audit log" | |
31 | default 1024 | |
32 | range 0 2147483647 | |
33 | depends on SECURITY_TOMOYO | |
34 | help | |
35 | This is the default value for maximal entries for | |
36 | audit logs that the kernel can hold on memory. | |
37 | You can read the log via /sys/kernel/security/tomoyo/audit. | |
38 | If you don't need audit logs, you may set this value to 0. | |
39 | ||
40 | config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
41 | bool "Activate without calling userspace policy loader." | |
42 | default n | |
43 | depends on SECURITY_TOMOYO | |
44 | ---help--- | |
45 | Say Y here if you want to activate access control as soon as built-in | |
46 | policy was loaded. This option will be useful for systems where | |
47 | operations which can lead to the hijacking of the boot sequence are | |
48 | needed before loading the policy. For example, you can activate | |
49 | immediately after loading the fixed part of policy which will allow | |
50 | only operations needed for mounting a partition which contains the | |
51 | variant part of policy and verifying (e.g. running GPG check) and | |
52 | loading the variant part of policy. Since you can start using | |
53 | enforcing mode from the beginning, you can reduce the possibility of | |
54 | hijacking the boot sequence. | |
55 | ||
56 | config SECURITY_TOMOYO_POLICY_LOADER | |
57 | string "Location of userspace policy loader" | |
58 | default "/sbin/tomoyo-init" | |
59 | depends on SECURITY_TOMOYO | |
60 | depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
61 | ---help--- | |
62 | This is the default pathname of policy loader which is called before | |
63 | activation. You can override this setting via TOMOYO_loader= kernel | |
64 | command line option. | |
65 | ||
66 | config SECURITY_TOMOYO_ACTIVATION_TRIGGER | |
67 | string "Trigger for calling userspace policy loader" | |
68 | default "/sbin/init" | |
69 | depends on SECURITY_TOMOYO | |
70 | depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
71 | ---help--- | |
72 | This is the default pathname of activation trigger. | |
73 | You can override this setting via TOMOYO_trigger= kernel command line | |
74 | option. For example, if you pass init=/bin/systemd option, you may | |
75 | want to also pass TOMOYO_trigger=/bin/systemd option. |