1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 |
- config SECURITY_TOMOYO
- bool "TOMOYO Linux Support"
- depends on SECURITY
- depends on NET
- select SECURITYFS
- select SECURITY_PATH
- select SECURITY_NETWORK
- select SRCU
- select BUILD_BIN2C
- default n
- help
- This selects TOMOYO Linux, pathname-based access control.
- Required userspace tools and further information may be
- found at <http://tomoyo.sourceforge.jp/>.
- If you are unsure how to answer this question, answer N.
- config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
- int "Default maximal count for learning mode"
- default 2048
- range 0 2147483647
- depends on SECURITY_TOMOYO
- help
- This is the default value for maximal ACL entries
- that are automatically appended into policy at "learning mode".
- Some programs access thousands of objects, so running
- such programs in "learning mode" dulls the system response
- and consumes much memory.
- This is the safeguard for such programs.
- config SECURITY_TOMOYO_MAX_AUDIT_LOG
- int "Default maximal count for audit log"
- default 1024
- range 0 2147483647
- depends on SECURITY_TOMOYO
- help
- This is the default value for maximal entries for
- audit logs that the kernel can hold on memory.
- You can read the log via /sys/kernel/security/tomoyo/audit.
- If you don't need audit logs, you may set this value to 0.
- config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
- bool "Activate without calling userspace policy loader."
- default n
- depends on SECURITY_TOMOYO
- ---help---
- Say Y here if you want to activate access control as soon as built-in
- policy was loaded. This option will be useful for systems where
- operations which can lead to the hijacking of the boot sequence are
- needed before loading the policy. For example, you can activate
- immediately after loading the fixed part of policy which will allow
- only operations needed for mounting a partition which contains the
- variant part of policy and verifying (e.g. running GPG check) and
- loading the variant part of policy. Since you can start using
- enforcing mode from the beginning, you can reduce the possibility of
- hijacking the boot sequence.
- config SECURITY_TOMOYO_POLICY_LOADER
- string "Location of userspace policy loader"
- default "/sbin/tomoyo-init"
- depends on SECURITY_TOMOYO
- depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
- ---help---
- This is the default pathname of policy loader which is called before
- activation. You can override this setting via TOMOYO_loader= kernel
- command line option.
- config SECURITY_TOMOYO_ACTIVATION_TRIGGER
- string "Trigger for calling userspace policy loader"
- default "/sbin/init"
- depends on SECURITY_TOMOYO
- depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
- ---help---
- This is the default pathname of activation trigger.
- You can override this setting via TOMOYO_trigger= kernel command line
- option. For example, if you pass init=/bin/systemd option, you may
- want to also pass TOMOYO_trigger=/bin/systemd option.
|