# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_SELINUX
	bool "NSA SELinux Support"
	depends on SECURITY_NETWORK && AUDIT && NET && INET
	select NETWORK_SECMARK
	default n
	help
	  This selects NSA Security-Enhanced Linux (SELinux).
	  You will also need a policy configuration and a labeled filesystem.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM
	bool "NSA SELinux boot parameter"
	depends on SECURITY_SELINUX
	default n
	help
	  This option adds a kernel parameter 'selinux', which allows SELinux
	  to be disabled at boot.  If this option is selected, SELinux
	  functionality can be disabled with selinux=0 on the kernel
	  command line.  The purpose of this option is to allow a single
	  kernel image to be distributed with SELinux built in, but not
	  necessarily enabled.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_DISABLE
	bool "NSA SELinux runtime disable"
	depends on SECURITY_SELINUX
	select SECURITY_WRITABLE_HOOKS
	default n
	help
	  This option enables writing to a selinuxfs node 'disable', which
	  allows SELinux to be disabled at runtime prior to the policy load.
	  SELinux will then remain disabled until the next boot.

	  This option is similar to the selinux=0 boot parameter, but is to
	  support runtime disabling of SELinux, e.g. from /sbin/init, for
	  portability across platforms where boot parameters are difficult
	  to employ.

	  NOTE: selecting this option will disable the '__ro_after_init'
	  kernel hardening feature for security hooks.  Please consider
	  using the selinux=0 boot parameter instead of enabling this
	  option.

	  WARNING: this option is deprecated and will be removed in a future
	  kernel release.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_DEVELOP
	bool "NSA SELinux Development Support"
	depends on SECURITY_SELINUX
	default y
	help
	  This enables the development support option of NSA SELinux,
	  which is useful for experimenting with SELinux and developing
	  policies.  If unsure, say Y.  With this option enabled, the
	  kernel will start in permissive mode (log everything, deny nothing)
	  unless you specify enforcing=1 on the kernel command line.  You
	  can interactively toggle the kernel between enforcing mode and
	  permissive mode (if permitted by the policy) via
	  /sys/fs/selinux/enforce.

config SECURITY_SELINUX_AVC_STATS
	bool "NSA SELinux AVC Statistics"
	depends on SECURITY_SELINUX
	default y
	help
	  This option collects access vector cache statistics to
	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
	  tools such as avcstat.

config SECURITY_SELINUX_CHECKREQPROT_VALUE
	int "NSA SELinux checkreqprot default value"
	depends on SECURITY_SELINUX
	range 0 1
	default 0
	help
	  This option sets the default value for the 'checkreqprot' flag
	  that determines whether SELinux checks the protection requested
	  by the application or the protection that will be applied by the
	  kernel (including any implied execute for read-implies-exec) for
	  mmap and mprotect calls.  If this option is set to 0 (zero),
	  SELinux will default to checking the protection that will be applied
	  by the kernel.  If this option is set to 1 (one), SELinux will
	  default to checking the protection requested by the application.
	  The checkreqprot flag may be changed from the default via the
	  'checkreqprot=' boot parameter.  It may also be changed at runtime
	  via /sys/fs/selinux/checkreqprot if authorized by policy.

	  WARNING: this option is deprecated and will be removed in a future
	  kernel release.

	  If you are unsure how to answer this question, answer 0.

config SECURITY_SELINUX_SIDTAB_HASH_BITS
	int "NSA SELinux sidtab hashtable size"
	depends on SECURITY_SELINUX
	range 8 13
	default 9
	help
	  This option sets the number of buckets used in the sidtab hashtable
	  to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets.  The number of hash
	  collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats.  If
	  chain lengths are high (e.g. > 20) then selecting a higher value here
	  will ensure that lookup times are short and stable.

config SECURITY_SELINUX_SID2STR_CACHE_SIZE
	int "NSA SELinux SID to context string translation cache size"
	depends on SECURITY_SELINUX
	default 256
	help
	  This option defines the size of the internal SID -> context string
	  cache, which improves the performance of context to string
	  conversion.  Setting this option to 0 disables the cache completely.

	  If unsure, keep the default value.
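An added example, not part of the kernel's Kconfig file or of the SELinux project: a POSIX sh audit of the runtime state the options above control. It reads /sys/fs/selinux/enforce and /sys/fs/selinux/checkreqprot, scans the kernel command line for selinux=0 (SECURITY_SELINUX_BOOTPARAM), and checks the build config for CONFIG_SECURITY_SELINUX_DISABLE, whose selection of SECURITY_WRITABLE_HOOKS leaves the LSM hook table writable. The three paths are arguments so the function can be pointed at a constructed directory tree when run offline; the function name selinux_audit and its exit-code convention (number of findings) are this example's own.

```shell
#!/bin/sh
# Added example (not kernel code): audit the SELinux state behind the
# Kconfig options above.  On a live system the arguments are
#   /sys/fs/selinux  /proc/cmdline  /boot/config-$(uname -r)

# read_node FILE: print the first line of FILE, or "absent" if unreadable
# (selinuxfs not mounted, or SELinux disabled at boot).
read_node() {
	if [ -r "$1" ]; then
		head -n 1 "$1"
	else
		printf 'absent\n'
	fi
}

# cmdline_has CMDLINE_FILE TOKEN: succeed if TOKEN appears as a whole word.
cmdline_has() {
	grep -qw -- "$2" "$1" 2>/dev/null
}

# selinux_audit SELINUXFS CMDLINE_FILE CONFIG_FILE
# Prints one line per check and returns the number of findings, so 0 means
# enforcing mode with none of the weakening options active.
selinux_audit() {
	fs=$1 cmdline=$2 config=$3
	findings=0

	# SECURITY_SELINUX_BOOTPARAM: selinux=0 disables SELinux before policy load.
	if cmdline_has "$cmdline" 'selinux=0'; then
		echo 'FAIL: selinux=0 on the kernel command line'
		findings=$((findings + 1))
	fi

	# SECURITY_SELINUX_DEVELOP: the kernel boots permissive unless enforcing=1
	# is given; /sys/fs/selinux/enforce shows the current mode.
	enforce=$(read_node "$fs/enforce")
	case $enforce in
	1) echo 'OK: enforcing mode' ;;
	0) echo 'FAIL: permissive mode (pass enforcing=1, or write 1 to enforce)'
	   findings=$((findings + 1)) ;;
	*) echo 'FAIL: selinuxfs not mounted or SELinux disabled'
	   findings=$((findings + 1)) ;;
	esac

	# SECURITY_SELINUX_CHECKREQPROT_VALUE: 1 checks the protection the
	# application asked for, not what the kernel applies (read-implies-exec
	# can add PROT_EXEC unseen), so 0 is the stronger setting.
	checkreqprot=$(read_node "$fs/checkreqprot")
	if [ "$checkreqprot" = 1 ]; then
		echo 'FAIL: checkreqprot=1 (mmap/mprotect checked against requested protection)'
		findings=$((findings + 1))
	fi

	# SECURITY_SELINUX_DISABLE selects SECURITY_WRITABLE_HOOKS, so the hook
	# table loses __ro_after_init; prefer the selinux=0 boot parameter instead.
	if grep -q '^CONFIG_SECURITY_SELINUX_DISABLE=y' "$config" 2>/dev/null; then
		echo 'WARN: runtime disable compiled in; LSM hooks are not __ro_after_init'
		findings=$((findings + 1))
	fi

	return "$findings"
}

# Run against the given paths when executed directly with three arguments.
if [ "$#" -eq 3 ]; then
	selinux_audit "$1" "$2" "$3"
fi
```

A non-zero exit status is the count of findings, which makes the script usable as a boot-time check or a CI gate; on a hardened host the expected output is a single "OK: enforcing mode" line.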