# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_SMACK
	bool "Simplified Mandatory Access Control Kernel Support"
	depends on NET
	depends on INET
	depends on SECURITY
	select NETLABEL
	select SECURITY_NETWORK
	default n
	help
	  This selects the Simplified Mandatory Access Control Kernel.
	  Smack is useful for sensitivity, integrity, and a variety
	  of other mandatory security schemes.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_BRINGUP
	bool "Reporting on access granted by Smack rules"
	depends on SECURITY_SMACK
	default n
	help
	  Enable the bring-up ("b") access mode in Smack rules.
	  When access is granted by a rule with the "b" mode a
	  message about the access requested is generated. The
	  intention is that a process can be granted a wide set
	  of access initially with the bringup mode set on the
	  rules. The developer can use the information to
	  identify which rules are necessary and what accesses
	  may be inappropriate. The developer can reduce the
	  access rule set once the behavior is well understood.
	  This is a superior mechanism to the oft abused
	  "permissive" mode of other systems.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_NETFILTER
	bool "Packet marking using secmarks for netfilter"
	depends on SECURITY_SMACK
	depends on NETWORK_SECMARK
	depends on NETFILTER
	default n
	help
	  This enables security marking of network packets using
	  Smack labels.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_APPEND_SIGNALS
	bool "Treat delivering signals as an append operation"
	depends on SECURITY_SMACK
	default n
	help
	  Sending a signal has been treated as a write operation to the
	  receiving process. If this option is selected, the delivery
	  will be an append operation instead. This makes it possible
	  to differentiate between delivering a network packet and
	  delivering a signal in the Smack rules.
	  If you are unsure how to answer this question, answer N.
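
An added example, not part of the kernel tree: a shell audit for the bring-up workflow that the SECURITY_SMACK_BRINGUP help text describes, flagging a build that still enables the option and rules that still carry the "b" mode. The "subject object access" rule layout, the sample labels and the temporary file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not kernel code). Audits a kernel .config and a Smack rule
# file for bring-up settings left over from development.

# Succeeds if CONFIG_<symbol>=y is set in the given .config file.
kconfig_enabled() {    # usage: kconfig_enabled FILE SYMBOL
    grep -q "^CONFIG_$2=y\$" "$1"
}

# Prints "<line>: <rule>" for every rule whose access field carries "b".
# Assumed rule layout: "subject object access", whitespace separated.
# Only the third field is inspected; the letter is matched in either case.
bringup_rules() {      # usage: bringup_rules FILE
    awk 'NF >= 3 && $3 ~ /[bB]/ { printf "%d: %s\n", FNR, $0 }' "$1"
}

# Prints one finding per line; prints nothing when nothing is left over.
audit_smack() {        # usage: audit_smack CONFIG_FILE RULES_FILE
    kconfig_enabled "$1" SECURITY_SMACK || { echo "SECURITY_SMACK is not enabled"; return 0; }
    rules=$(bringup_rules "$2")
    if kconfig_enabled "$1" SECURITY_SMACK_BRINGUP; then
        echo "SECURITY_SMACK_BRINGUP=y: accesses granted by \"b\" rules are reported"
    elif [ -n "$rules" ]; then
        echo "rules use \"b\" but SECURITY_SMACK_BRINGUP is not enabled in this build"
    fi
    [ -z "$rules" ] || echo "$rules" | sed 's/^/bring-up rule, line /'
}

# Constructed sample inputs (labels are made up for the demo).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config" <<'EOF'
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_BRINGUP=y
# CONFIG_SECURITY_SMACK_NETFILTER is not set
EOF
cat > "$SAMPLE_DIR/rules" <<'EOF'
WebApp System rwxb
WebApp Logs a
Updater System rwb
EOF
audit_smack "$SAMPLE_DIR/config" "$SAMPLE_DIR/rules"
```

Run against a release candidate's .config and rule file, empty output means neither the option nor any "b" rule survived the bring-up phase.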