# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_SMACK
	bool "Simplified Mandatory Access Control Kernel Support"
	depends on NET
	depends on INET
	depends on SECURITY
	select NETLABEL
	select SECURITY_NETWORK
	default n
	help
	  This selects the Simplified Mandatory Access Control Kernel.
	  Smack is useful for sensitivity, integrity, and a variety
	  of other mandatory security schemes.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_BRINGUP
	bool "Reporting on access granted by Smack rules"
	depends on SECURITY_SMACK
	default n
	help
	  Enable the bring-up ("b") access mode in Smack rules.
	  When access is granted by a rule with the "b" mode a
	  message about the access requested is generated. The
	  intention is that a process can be granted a wide set
	  of access initially with the bringup mode set on the
	  rules. The developer can use the information to
	  identify which rules are necessary and what accesses
	  may be inappropriate. The developer can reduce the
	  access rule set once the behavior is well understood.
	  This is a superior mechanism to the oft abused
	  "permissive" mode of other systems.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_NETFILTER
	bool "Packet marking using secmarks for netfilter"
	depends on SECURITY_SMACK
	depends on NETWORK_SECMARK
	depends on NETFILTER
	default n
	help
	  This enables security marking of network packets using
	  Smack labels.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_APPEND_SIGNALS
	bool "Treat delivering signals as an append operation"
	depends on SECURITY_SMACK
	default n
	help
	  Sending a signal has been treated as a write operation to the
	  receiving process. If this option is selected, the delivery
	  will be an append operation instead. This makes it possible
	  to differentiate between delivering a network packet and
	  delivering a signal in the Smack rules.
	  If you are unsure how to answer this question, answer N.