Commit | Line | Data |
---|---|---|
00d7d6f8 KT |
1 | config SECURITY_TOMOYO |
2 | bool "TOMOYO Linux Support" | |
3 | depends on SECURITY | |
4 | select SECURITYFS | |
5 | select SECURITY_PATH | |
6 | default n | |
7 | help | |
8 | This selects TOMOYO Linux, pathname-based access control. | |
9 | Required userspace tools and further information may be | |
10 | found at <http://tomoyo.sourceforge.jp/>. | |
11 | If you are unsure how to answer this question, answer N. | |
0e4ae0e0 TH |
12 | |
13 | config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY | |
14 | int "Default maximal count for learning mode" | |
15 | default 2048 | |
16 | range 0 2147483647 | |
17 | depends on SECURITY_TOMOYO | |
18 | help | |
19 | This is the default value for maximal ACL entries | |
20 | that are automatically appended into policy at "learning mode". | |
21 | Some programs access thousands of objects, so running | |
22 | such programs in "learning mode" dulls the system response | |
23 | and consumes much memory. | |
24 | This is the safeguard for such programs. | |
25 | ||
26 | config SECURITY_TOMOYO_MAX_AUDIT_LOG | |
27 | int "Default maximal count for audit log" | |
28 | default 1024 | |
29 | range 0 2147483647 | |
30 | depends on SECURITY_TOMOYO | |
31 | help | |
32 | This is the default value for maximal entries for | |
33 | audit logs that the kernel can hold on memory. | |
34 | You can read the log via /sys/kernel/security/tomoyo/audit. | |
35 | If you don't need audit logs, you may set this value to 0. | |
36 | ||
37 | config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
38 | bool "Activate without calling userspace policy loader." | |
39 | default n | |
40 | depends on SECURITY_TOMOYO | |
41 | ---help--- | |
42 | Say Y here if you want to activate access control as soon as built-in | |
43 | policy was loaded. This option will be useful for systems where | |
44 | operations which can lead to the hijacking of the boot sequence are | |
45 | needed before loading the policy. For example, you can activate | |
46 | immediately after loading the fixed part of policy which will allow | |
47 | only operations needed for mounting a partition which contains the | |
48 | variant part of policy and verifying (e.g. running GPG check) and | |
49 | loading the variant part of policy. Since you can start using | |
50 | enforcing mode from the beginning, you can reduce the possibility of | |
51 | hijacking the boot sequence. | |
52 | ||
53 | config SECURITY_TOMOYO_POLICY_LOADER | |
54 | string "Location of userspace policy loader" | |
55 | default "/sbin/tomoyo-init" | |
56 | depends on SECURITY_TOMOYO | |
57 | depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
58 | ---help--- | |
59 | This is the default pathname of policy loader which is called before | |
60 | activation. You can override this setting via TOMOYO_loader= kernel | |
61 | command line option. | |
62 | ||
63 | config SECURITY_TOMOYO_ACTIVATION_TRIGGER | |
64 | string "Trigger for calling userspace policy loader" | |
65 | default "/sbin/init" | |
66 | depends on SECURITY_TOMOYO | |
67 | depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
68 | ---help--- | |
69 | This is the default pathname of activation trigger. | |
70 | You can override this setting via TOMOYO_trigger= kernel command line | |
71 | option. For example, if you pass init=/bin/systemd option, you may | |
72 | want to also pass TOMOYO_trigger=/bin/systemd option. |