Commit | Line | Data |
---|---|---|
00d7d6f8 KT |
1 | config SECURITY_TOMOYO |
2 | bool "TOMOYO Linux Support" | |
3 | depends on SECURITY | |
059d84db | 4 | depends on NET |
00d7d6f8 KT |
5 | select SECURITYFS |
6 | select SECURITY_PATH | |
059d84db | 7 | select SECURITY_NETWORK |
00d7d6f8 KT |
8 | default n |
9 | help | |
10 | This selects TOMOYO Linux, pathname-based access control. | |
11 | Required userspace tools and further information may be | |
12 | found at <http://tomoyo.sourceforge.jp/>. | |
13 | If you are unsure how to answer this question, answer N. | |
0e4ae0e0 TH |
14 | |
15 | config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY | |
16 | int "Default maximal count for learning mode" | |
17 | default 2048 | |
18 | range 0 2147483647 | |
19 | depends on SECURITY_TOMOYO | |
20 | help | |
21 | This is the default value for maximal ACL entries | |
22 | that are automatically appended into policy at "learning mode". | |
23 | Some programs access thousands of objects, so running | |
24 | such programs in "learning mode" dulls the system response | |
25 | and consumes much memory. | |
26 | This is the safeguard for such programs. | |
27 | ||
28 | config SECURITY_TOMOYO_MAX_AUDIT_LOG | |
29 | int "Default maximal count for audit log" | |
30 | default 1024 | |
31 | range 0 2147483647 | |
32 | depends on SECURITY_TOMOYO | |
33 | help | |
34 | This is the default value for maximal entries for | |
35 | audit logs that the kernel can hold on memory. | |
36 | You can read the log via /sys/kernel/security/tomoyo/audit. | |
37 | If you don't need audit logs, you may set this value to 0. | |
38 | ||
39 | config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
40 | bool "Activate without calling userspace policy loader." | |
41 | default n | |
42 | depends on SECURITY_TOMOYO | |
43 | ---help--- | |
44 | Say Y here if you want to activate access control as soon as built-in | |
45 | policy was loaded. This option will be useful for systems where | |
46 | operations which can lead to the hijacking of the boot sequence are | |
47 | needed before loading the policy. For example, you can activate | |
48 | immediately after loading the fixed part of policy which will allow | |
49 | only operations needed for mounting a partition which contains the | |
50 | variant part of policy and verifying (e.g. running GPG check) and | |
51 | loading the variant part of policy. Since you can start using | |
52 | enforcing mode from the beginning, you can reduce the possibility of | |
53 | hijacking the boot sequence. | |
54 | ||
55 | config SECURITY_TOMOYO_POLICY_LOADER | |
56 | string "Location of userspace policy loader" | |
57 | default "/sbin/tomoyo-init" | |
58 | depends on SECURITY_TOMOYO | |
59 | depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
60 | ---help--- | |
61 | This is the default pathname of policy loader which is called before | |
62 | activation. You can override this setting via TOMOYO_loader= kernel | |
63 | command line option. | |
64 | ||
65 | config SECURITY_TOMOYO_ACTIVATION_TRIGGER | |
66 | string "Trigger for calling userspace policy loader" | |
67 | default "/sbin/init" | |
68 | depends on SECURITY_TOMOYO | |
69 | depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER | |
70 | ---help--- | |
71 | This is the default pathname of activation trigger. | |
72 | You can override this setting via TOMOYO_trigger= kernel command line | |
73 | option. For example, if you pass init=/bin/systemd option, you may | |
74 | want to also pass TOMOYO_trigger=/bin/systemd option. |