#
# Mandatory Access Control configuration
#
# Menu fragment in the shell-like kernel configuration language
# (mainmenu_option / bool / int / string / define_*). Most options use the
# same two-step pattern: assign a default only while the symbol is still
# empty ([ -z ... ] && define_*), then prompt for the value. Every option
# after the first prompt is offered only when CONFIG_CCSECURITY is "y".
#
mainmenu_option next_comment
comment 'Security options'

# Master switch for the whole feature; defaults to y when unset.
[ -z "$CONFIG_CCSECURITY" ] && define_bool CONFIG_CCSECURITY y
bool 'CCSecurity support' CONFIG_CCSECURITY

if [ "$CONFIG_CCSECURITY" = "y" ]; then

# Build form: built-in (n, the default) or loadable kernel module (y).
[ -z "$CONFIG_CCSECURITY_LKM" ] && define_bool CONFIG_CCSECURITY_LKM n
bool 'Compile as loadable kernel module' CONFIG_CCSECURITY_LKM

# Defaults to n. Per the prompt, y makes the feature start disabled; what
# turns it back on is not visible in this file.
# NOTE(review): a kernel built with y presumably enforces nothing until it is
# explicitly enabled - confirm before relying on it for access control.
[ -z "$CONFIG_CCSECURITY_DISABLE_BY_DEFAULT" ] && define_bool CONFIG_CCSECURITY_DISABLE_BY_DEFAULT n
bool 'Disable by default' CONFIG_CCSECURITY_DISABLE_BY_DEFAULT

# Default cap on learning-mode entries: 2048 when unset; a negative value is
# replaced by 0 before the prompt.
# NOTE(review): the variable is unquoted in the -lt test, so a non-numeric
# value makes the test itself fail and the clamp is skipped.
[ -z "$CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY" ] && define_int CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY 2048
[ $CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY -lt 0 ] && define_int CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY 0
int 'Default maximal count for learning mode' CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY

# Default cap on audit log entries: 1024 when unset; negative values are
# replaced by 0 in the same way (same unquoted -lt test as above).
# NOTE(review): how entries beyond the cap are handled is not shown here -
# confirm the value is large enough for the audit trail you need.
[ -z "$CONFIG_CCSECURITY_MAX_AUDIT_LOG" ] && define_int CONFIG_CCSECURITY_MAX_AUDIT_LOG 1024
[ $CONFIG_CCSECURITY_MAX_AUDIT_LOG -lt 0 ] && define_int CONFIG_CCSECURITY_MAX_AUDIT_LOG 0
int 'Default maximal count for audit log' CONFIG_CCSECURITY_MAX_AUDIT_LOG

# Defaults to n, i.e. the userspace policy loader is used and the two path
# options below are offered.
[ -z "$CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER" ] && define_bool CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER n
bool 'Activate without calling userspace policy loader.' CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER

if [ "$CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER" = "n" ]; then

# Unlike the options above, both strings are assigned without a -z guard, so
# the built-in default is set again on every run before the prompt.
# NOTE(review): confirm this does not discard a previously configured path.
#
# Per the prompts, the loader at POLICY_LOADER is called when the
# ACTIVATION_TRIGGER program is reached. Both paths are therefore part of
# the trust base: keep them on a filesystem and under permissions that only
# the administrator can modify.
define_string CONFIG_CCSECURITY_POLICY_LOADER "/sbin/ccs-init"
string 'Location of userspace policy loader' CONFIG_CCSECURITY_POLICY_LOADER "/sbin/ccs-init"

define_string CONFIG_CCSECURITY_ACTIVATION_TRIGGER "/sbin/init"
string 'Trigger for calling userspace policy loader' CONFIG_CCSECURITY_ACTIVATION_TRIGGER "/sbin/init"

fi

# Per-operation restriction switches. Each defaults to y when unset;
# answering n leaves that class of operation out of the build.
[ -z "$CONFIG_CCSECURITY_FILE_READDIR" ] && define_bool CONFIG_CCSECURITY_FILE_READDIR y
bool "Enable readdir operation restriction." CONFIG_CCSECURITY_FILE_READDIR

[ -z "$CONFIG_CCSECURITY_FILE_GETATTR" ] && define_bool CONFIG_CCSECURITY_FILE_GETATTR y
bool "Enable getattr operation restriction." CONFIG_CCSECURITY_FILE_GETATTR

# Socket restriction is offered only when networking (CONFIG_NET) is enabled.
if [ "$CONFIG_NET" = "y" ]; then

[ -z "$CONFIG_CCSECURITY_NETWORK" ] && define_bool CONFIG_CCSECURITY_NETWORK y
bool "Enable socket operation restriction." CONFIG_CCSECURITY_NETWORK

if [ "$CONFIG_CCSECURITY_NETWORK" = "y" ]; then

# The -z guard is commented out and there is no prompt, so RECVMSG is always
# forced to y whenever socket restriction is enabled.
#[ -z "$CONFIG_CCSECURITY_NETWORK_RECVMSG" ] &&
define_bool CONFIG_CCSECURITY_NETWORK_RECVMSG y

fi

fi

[ -z "$CONFIG_CCSECURITY_CAPABILITY" ] && define_bool CONFIG_CCSECURITY_CAPABILITY y
bool "Enable non-POSIX capability operation restriction." CONFIG_CCSECURITY_CAPABILITY

[ -z "$CONFIG_CCSECURITY_IPC" ] && define_bool CONFIG_CCSECURITY_IPC y
bool "Enable IPC operation restriction." CONFIG_CCSECURITY_IPC

# The symbol is named MISC, but the prompt describes it as the restriction
# on environment variable names.
[ -z "$CONFIG_CCSECURITY_MISC" ] && define_bool CONFIG_CCSECURITY_MISC y
bool "Enable environment variable names restriction." CONFIG_CCSECURITY_MISC

# Optional task features, both defaulting to y when unset.
[ -z "$CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER" ] && define_bool CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER y
bool "Enable execute handler functionality." CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER

[ -z "$CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION" ] && define_bool CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION y
bool "Enable domain transition without program execution request." CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION

# The local port reserver is likewise offered only when CONFIG_NET is y.
if [ "$CONFIG_NET" = "y" ]; then

[ -z "$CONFIG_CCSECURITY_PORTRESERVE" ] && define_bool CONFIG_CCSECURITY_PORTRESERVE y
bool "Enable local port reserver." CONFIG_CCSECURITY_PORTRESERVE

fi

fi

endmenu