Commit | Line | Data |
---|---|---|
00d7d6f8 KT |
1 | config SECURITY_TOMOYO |
2 | bool "TOMOYO Linux Support" | |
3 | depends on SECURITY | |
059d84db | 4 | depends on NET |
00d7d6f8 KT |
5 | select SECURITYFS |
6 | select SECURITY_PATH | |
059d84db | 7 | select SECURITY_NETWORK |
83fe27ea | 8 | select SRCU |
7e114bbf | 9 | select BUILD_BIN2C |
00d7d6f8 KT |
10 | default n |
11 | help | |
12 | This selects TOMOYO Linux, pathname-based access control. | |
13 | Required userspace tools and further information may be | |
14 | found at <http://tomoyo.sourceforge.jp/>. | |
15 | If you are unsure how to answer this question, answer N. | |
0e4ae0e0 TH |
16 | |
17 | config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY | |
18 | int "Default maximal count for learning mode" | |
19 | default 2048 | |
20 | range 0 2147483647 | |
21 | depends on SECURITY_TOMOYO | |
22 | help | |
23 | This is the default value for maximal ACL entries | |
24 | that are automatically appended into policy at "learning mode". | |
25 | Some programs access thousands of objects, so running | |
26 | such programs in "learning mode" dulls the system response | |
27 | and consumes much memory. | |
28 | This is the safeguard for such programs. | |
29 | ||
30 | config SECURITY_TOMOYO_MAX_AUDIT_LOG | |
31 | int "Default maximal count for audit log" | |
32 | default 1024 | |
33 | range 0 2147483647 | |
34 | depends on SECURITY_TOMOYO | |
35 | help | |
36 | This is the default value for maximal entries for | |
37 | audit logs that the kernel can hold on memory. | |
38 | You can read the log via /sys/kernel/security/tomoyo/audit. | |
39 | If you don't need audit logs, you may set this value to 0. | |
40 | ||
41 | config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
42 | bool "Activate without calling userspace policy loader." | |
43 | default n | |
44 | depends on SECURITY_TOMOYO | |
45 | ---help--- | |
46 | Say Y here if you want to activate access control as soon as built-in | |
47 | policy was loaded. This option will be useful for systems where | |
48 | operations which can lead to the hijacking of the boot sequence are | |
49 | needed before loading the policy. For example, you can activate | |
50 | immediately after loading the fixed part of policy which will allow | |
51 | only operations needed for mounting a partition which contains the | |
52 | variant part of policy and verifying (e.g. running GPG check) and | |
53 | loading the variant part of policy. Since you can start using | |
54 | enforcing mode from the beginning, you can reduce the possibility of | |
55 | hijacking the boot sequence. | |
56 | ||
57 | config SECURITY_TOMOYO_POLICY_LOADER | |
58 | string "Location of userspace policy loader" | |
59 | default "/sbin/tomoyo-init" | |
60 | depends on SECURITY_TOMOYO | |
61 | depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
62 | ---help--- | |
63 | This is the default pathname of policy loader which is called before | |
64 | activation. You can override this setting via TOMOYO_loader= kernel | |
65 | command line option. | |
66 | ||
67 | config SECURITY_TOMOYO_ACTIVATION_TRIGGER | |
68 | string "Trigger for calling userspace policy loader" | |
69 | default "/sbin/init" | |
70 | depends on SECURITY_TOMOYO | |
71 | depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
72 | ---help--- | |
73 | This is the default pathname of activation trigger. | |
74 | You can override this setting via TOMOYO_trigger= kernel command line | |
75 | option. For example, if you pass init=/bin/systemd option, you may | |
76 | want to also pass TOMOYO_trigger=/bin/systemd option. |