1 config CCSECURITY 1 config CCSECURITY 2 bool "CCSecurity support" 2 bool "CCSecurity support" 3 default y 3 default y 4 help 4 help 5 Say Y here to support non-LSM versio 5 Say Y here to support non-LSM version of TOMOYO Linux. 6 https://tomoyo.sourceforge.net/ !! 6 https://tomoyo.osdn.jp/ 7 7 8 config CCSECURITY_LKM 8 config CCSECURITY_LKM 9 bool "Compile as loadable kernel modul 9 bool "Compile as loadable kernel module" 10 default n 10 default n 11 depends on CCSECURITY && MODULES 11 depends on CCSECURITY && MODULES 12 help 12 help 13 This version of TOMOYO depends on pa 13 This version of TOMOYO depends on patching the kernel source in order 14 to insert some hooks which LSM does 14 to insert some hooks which LSM does not provide. Therefore, 15 recompiling the kernel is inevitable 15 recompiling the kernel is inevitable. But if you want to keep 16 vmlinux's size as small as possible, 16 vmlinux's size as small as possible, you can compile most part of 17 TOMOYO as a loadable kernel module b 17 TOMOYO as a loadable kernel module by saying Y here. 18 18 19 config CCSECURITY_DISABLE_BY_DEFAULT 19 config CCSECURITY_DISABLE_BY_DEFAULT 20 bool "Disable by default" 20 bool "Disable by default" 21 default n 21 default n 22 depends on CCSECURITY 22 depends on CCSECURITY 23 help 23 help 24 Say Y here if you want TOMOYO disabl 24 Say Y here if you want TOMOYO disabled by default. 25 To enable TOMOYO, pass ccsecurity=on 25 To enable TOMOYO, pass ccsecurity=on to kernel command line. 26 To disable TOMOYO, pass ccsecurity=o 26 To disable TOMOYO, pass ccsecurity=off to kernel command line. 
27 27 28 config CCSECURITY_USE_EXTERNAL_TASK_SECURITY 28 config CCSECURITY_USE_EXTERNAL_TASK_SECURITY 29 bool "Do not modify 'struct task_struc 29 bool "Do not modify 'struct task_struct' in order to keep KABI" 30 default n 30 default n 31 depends on CCSECURITY 31 depends on CCSECURITY 32 help 32 help 33 Say Y here if you want to keep KABI 33 Say Y here if you want to keep KABI for prebuilt kernel modules 34 unchanged. TOMOYO needs "struct ccs_ 34 unchanged. TOMOYO needs "struct ccs_domain_info *" and "u32" for each 35 "struct task_struct". But embedding 35 "struct task_struct". But embedding these variables into 36 "struct task_struct" breaks KABI for 36 "struct task_struct" breaks KABI for prebuilt kernel modules (which 37 means that you will need to rebuild 37 means that you will need to rebuild prebuilt kernel modules). 38 If you say Y here, these variables a 38 If you say Y here, these variables are managed outside 39 "struct task_struct" rather than emb 39 "struct task_struct" rather than embedding into "struct task_struct", 40 but accessing these variables become 40 but accessing these variables becomes slower because lookup operation 41 is performed every time the current 41 is performed every time the current thread needs to access them. 42 42 43 config CCSECURITY_MAX_ACCEPT_ENTRY 43 config CCSECURITY_MAX_ACCEPT_ENTRY 44 int "Default maximal count for learnin 44 int "Default maximal count for learning mode" 45 default 2048 45 default 2048 46 range 0 2147483647 46 range 0 2147483647 47 depends on CCSECURITY 47 depends on CCSECURITY 48 help 48 help 49 This is the default value for maxima 49 This is the default value for maximal ACL entries 50 that are automatically appended into 50 that are automatically appended into policy at "learning mode". 
51 Some programs access thousands of ob 51 Some programs access thousands of objects, so running 52 such programs in "learning mode" dul 52 such programs in "learning mode" dulls the system response 53 and consumes much memory. 53 and consumes much memory. 54 This is the safeguard for such progr 54 This is the safeguard for such programs. 55 55 56 config CCSECURITY_MAX_AUDIT_LOG 56 config CCSECURITY_MAX_AUDIT_LOG 57 int "Default maximal count for audit l 57 int "Default maximal count for audit log" 58 default 1024 58 default 1024 59 range 0 2147483647 59 range 0 2147483647 60 depends on CCSECURITY 60 depends on CCSECURITY 61 help 61 help 62 This is the default value for maxima 62 This is the default value for maximal entries for 63 audit logs that the kernel can hold 63 audit logs that the kernel can hold on memory. 64 You can read the log via /proc/ccs/a 64 You can read the log via /proc/ccs/audit. 65 If you don't need audit logs, you ma 65 If you don't need audit logs, you may set this value to 0. 66 66 67 config CCSECURITY_OMIT_USERSPACE_LOADER 67 config CCSECURITY_OMIT_USERSPACE_LOADER 68 bool "Activate without calling userspa 68 bool "Activate without calling userspace policy loader." 69 default n 69 default n 70 depends on CCSECURITY 70 depends on CCSECURITY 71 help !! 71 ---help--- 72 Say Y here if you want to activate a 72 Say Y here if you want to activate access control as soon as built-in 73 policy was loaded. This option will 73 policy was loaded. This option will be useful for systems where 74 operations which can lead to the hij 74 operations which can lead to the hijacking of the boot sequence are 75 needed before loading the policy. Fo 75 needed before loading the policy. 
For example, you can activate 76 immediately after loading the fixed 76 immediately after loading the fixed part of policy which will allow 77 only operations needed for mounting 77 only operations needed for mounting a partition which contains the 78 variant part of policy and verifying 78 variant part of policy and verifying (e.g. running GPG check) and 79 loading the variant part of policy. 79 loading the variant part of policy. Since you can start using 80 enforcing mode from the beginning, y 80 enforcing mode from the beginning, you can reduce the possibility of 81 hijacking the boot sequence. 81 hijacking the boot sequence. 82 82 83 If you say Y to both "Compile as loa 83 If you say Y to both "Compile as loadable kernel module" option and 84 "Activate without calling userspace 84 "Activate without calling userspace policy loader." option, be sure 85 to excplicitly load the kernel modul 85 to excplicitly load the kernel module from the userspace, for 86 the kernel will not call /sbin/ccs-i 86 the kernel will not call /sbin/ccs-init when /sbin/init starts. 87 87 88 config CCSECURITY_POLICY_LOADER 88 config CCSECURITY_POLICY_LOADER 89 string "Location of userspace policy l 89 string "Location of userspace policy loader" 90 default "/sbin/ccs-init" 90 default "/sbin/ccs-init" 91 depends on CCSECURITY 91 depends on CCSECURITY 92 depends on !CCSECURITY_OMIT_USERSPACE_ 92 depends on !CCSECURITY_OMIT_USERSPACE_LOADER 93 help !! 93 ---help--- 94 This is the default pathname of poli 94 This is the default pathname of policy loader which is called before 95 activation. You can override this se 95 activation. You can override this setting via CCS_loader= kernel 96 command line option. 96 command line option. 
97 97 98 config CCSECURITY_ACTIVATION_TRIGGER 98 config CCSECURITY_ACTIVATION_TRIGGER 99 string "Trigger for calling userspace 99 string "Trigger for calling userspace policy loader" 100 default "/sbin/init" 100 default "/sbin/init" 101 depends on CCSECURITY 101 depends on CCSECURITY 102 depends on !CCSECURITY_OMIT_USERSPACE_ 102 depends on !CCSECURITY_OMIT_USERSPACE_LOADER 103 help !! 103 ---help--- 104 This is the default pathname of acti 104 This is the default pathname of activation trigger. 105 You can override this setting via CC 105 You can override this setting via CCS_trigger= kernel command line 106 option. For example, if you pass ini 106 option. For example, if you pass init=/bin/systemd option, you may 107 want to also pass CCS_trigger=/bin/s 107 want to also pass CCS_trigger=/bin/systemd option. 108 108 109 Say Y here if you want to enable onl 109 Say Y here if you want to enable only specific functionality in order 110 to reduce object file size. 110 to reduce object file size. 111 111 112 config CCSECURITY_FILE_READDIR 112 config CCSECURITY_FILE_READDIR 113 bool "Enable readdir operation restric 113 bool "Enable readdir operation restriction." 114 default y 114 default y 115 depends on CCSECURITY 115 depends on CCSECURITY 116 help !! 116 ---help--- 117 Say Y here if you want to enable ana 117 Say Y here if you want to enable analysis/restriction of opening 118 directories for reading. Reading dir 118 directories for reading. Reading directory entries is a commonly 119 requested operation and damage cause 119 requested operation and damage caused by not restricting it as MAC 120 might be acceptable for you. 120 might be acceptable for you. 121 121 122 config CCSECURITY_FILE_GETATTR 122 config CCSECURITY_FILE_GETATTR 123 bool "Enable getattr operation restric 123 bool "Enable getattr operation restriction." 124 default y 124 default y 125 depends on CCSECURITY 125 depends on CCSECURITY 126 help !! 
126 ---help--- 127 Say Y here if you want to enable ana 127 Say Y here if you want to enable analysis/restriction of getting 128 information of files. Getting file's 128 information of files. Getting file's information is a commonly 129 requested operation and damage cause 129 requested operation and damage caused by not restricting it as MAC 130 might be acceptable for you. 130 might be acceptable for you. 131 131 132 config CCSECURITY_NETWORK 132 config CCSECURITY_NETWORK 133 bool "Enable socket operation restrict 133 bool "Enable socket operation restriction." 134 default y 134 default y 135 depends on NET 135 depends on NET 136 depends on CCSECURITY 136 depends on CCSECURITY 137 help !! 137 ---help--- 138 Say Y here if you want to enable ana 138 Say Y here if you want to enable analysis/restriction of INET and 139 UNIX domain socket's operations. 139 UNIX domain socket's operations. 140 140 141 config CCSECURITY_CAPABILITY 141 config CCSECURITY_CAPABILITY 142 bool "Enable non-POSIX capability oper 142 bool "Enable non-POSIX capability operation restriction." 143 default y 143 default y 144 depends on CCSECURITY 144 depends on CCSECURITY 145 help !! 145 ---help--- 146 Say Y here if you want to enable ana 146 Say Y here if you want to enable analysis/restriction of non-POSIX 147 capabilities. 147 capabilities. 148 148 149 config CCSECURITY_IPC 149 config CCSECURITY_IPC 150 bool "Enable IPC operation restriction 150 bool "Enable IPC operation restriction." 151 default y 151 default y 152 depends on CCSECURITY 152 depends on CCSECURITY 153 help !! 153 ---help--- 154 Say Y here if you want to enable ana 154 Say Y here if you want to enable analysis/restriction of sending 155 signals. 155 signals. 156 156 157 config CCSECURITY_MISC 157 config CCSECURITY_MISC 158 bool "Enable environment variable name 158 bool "Enable environment variable names restriction." 159 default y 159 default y 160 depends on CCSECURITY 160 depends on CCSECURITY 161 help !! 
161 ---help--- 162 Say Y here if you want to enable ana 162 Say Y here if you want to enable analysis/restriction of environment 163 variable names passed upon program e 163 variable names passed upon program execution request. 164 164 165 config CCSECURITY_TASK_EXECUTE_HANDLER 165 config CCSECURITY_TASK_EXECUTE_HANDLER 166 bool "Enable execute handler functiona 166 bool "Enable execute handler functionality." 167 default y 167 default y 168 depends on CCSECURITY 168 depends on CCSECURITY 169 help !! 169 ---help--- 170 Say Y here if you want to enable exe 170 Say Y here if you want to enable execute handler functionality. 171 171 172 config CCSECURITY_TASK_DOMAIN_TRANSITION 172 config CCSECURITY_TASK_DOMAIN_TRANSITION 173 bool "Enable domain transition without 173 bool "Enable domain transition without program execution request." 174 default y 174 default y 175 depends on CCSECURITY 175 depends on CCSECURITY 176 help !! 176 ---help--- 177 Say Y here if you want to enable dom 177 Say Y here if you want to enable domain transition without involving 178 program execution request. 178 program execution request. 179 179 180 config CCSECURITY_PORTRESERVE 180 config CCSECURITY_PORTRESERVE 181 bool "Enable local port reserver." 181 bool "Enable local port reserver." 182 default y 182 default y 183 depends on NET 183 depends on NET 184 depends on CCSECURITY 184 depends on CCSECURITY 185 help !! 185 ---help--- 186 Say Y here if you want to implement 186 Say Y here if you want to implement 187 /proc/sys/net/ipv4/ip_local_reserved_ 187 /proc/sys/net/ipv4/ip_local_reserved_ports as a MAC policy. 188 188 189 config CCSECURITY_NETWORK_RECVMSG 189 config CCSECURITY_NETWORK_RECVMSG 190 def_bool CCSECURITY_NETWORK 190 def_bool CCSECURITY_NETWORK
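Review bot: the paragraph at lines 109-110 ("Say Y here if you want to enable only specific functionality in order to reduce object file size.") sits inside the help of CCSECURITY_ACTIVATION_TRIGGER, directly after the hunk at line 103. That option is a string, so "Say Y" has nothing to answer there, and no option that the sentence could describe is visible between line 107 and the CCSECURITY_FILE_READDIR entry at line 112. Since the help keyword of this entry is being touched anyway, either drop the paragraph or move it under the option or menu it was written for, so that menuconfig does not show it as part of the trigger's help.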
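Review bot: in the CCSECURITY_OMIT_USERSPACE_LOADER entry, whose help keyword changes at line 71, the help text at line 85 still reads "excplicitly" on both sides; correct it to "explicitly" in the same pass. The same paragraph is the only place that tells the user that with "Compile as loadable kernel module" also set to Y the kernel will not call /sbin/ccs-init when /sbin/init starts, and nothing in the visible depends on lines relates the two options, so it would help to have the help text state what the result is when the module is not loaded from userspace, since the stated purpose of this option is to reduce the possibility of hijacking the boot sequence.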
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.