18c2ecf20Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only
28c2ecf20Sopenharmony_ciconfig SECURITY_SMACK
38c2ecf20Sopenharmony_ci	bool "Simplified Mandatory Access Control Kernel Support"
48c2ecf20Sopenharmony_ci	depends on NET
58c2ecf20Sopenharmony_ci	depends on INET
68c2ecf20Sopenharmony_ci	depends on SECURITY
78c2ecf20Sopenharmony_ci	select NETLABEL
88c2ecf20Sopenharmony_ci	select SECURITY_NETWORK
98c2ecf20Sopenharmony_ci	default n
108c2ecf20Sopenharmony_ci	help
118c2ecf20Sopenharmony_ci	  This selects the Simplified Mandatory Access Control Kernel.
128c2ecf20Sopenharmony_ci	  Smack is useful for sensitivity, integrity, and a variety
138c2ecf20Sopenharmony_ci	  of other mandatory security schemes.
148c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
158c2ecf20Sopenharmony_ci
168c2ecf20Sopenharmony_ciconfig SECURITY_SMACK_BRINGUP
178c2ecf20Sopenharmony_ci	bool "Reporting on access granted by Smack rules"
188c2ecf20Sopenharmony_ci	depends on SECURITY_SMACK
198c2ecf20Sopenharmony_ci	default n
208c2ecf20Sopenharmony_ci	help
218c2ecf20Sopenharmony_ci	  Enable the bring-up ("b") access mode in Smack rules.
228c2ecf20Sopenharmony_ci	  When access is granted by a rule with the "b" mode a
238c2ecf20Sopenharmony_ci	  message about the access requested is generated. The
248c2ecf20Sopenharmony_ci	  intention is that a process can be granted a wide set
258c2ecf20Sopenharmony_ci	  of access initially with the bringup mode set on the
268c2ecf20Sopenharmony_ci	  rules. The developer can use the information to
278c2ecf20Sopenharmony_ci	  identify which rules are necessary and what accesses
288c2ecf20Sopenharmony_ci	  may be inappropriate. The developer can reduce the
298c2ecf20Sopenharmony_ci	  access rule set once the behavior is well understood.
308c2ecf20Sopenharmony_ci	  This is a superior mechanism to the oft abused
318c2ecf20Sopenharmony_ci	  "permissive" mode of other systems.
328c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
338c2ecf20Sopenharmony_ci
348c2ecf20Sopenharmony_ciconfig SECURITY_SMACK_NETFILTER
358c2ecf20Sopenharmony_ci	bool "Packet marking using secmarks for netfilter"
368c2ecf20Sopenharmony_ci	depends on SECURITY_SMACK
378c2ecf20Sopenharmony_ci	depends on NETWORK_SECMARK
388c2ecf20Sopenharmony_ci	depends on NETFILTER
398c2ecf20Sopenharmony_ci	default n
408c2ecf20Sopenharmony_ci	help
418c2ecf20Sopenharmony_ci	  This enables security marking of network packets using
428c2ecf20Sopenharmony_ci	  Smack labels.
438c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
448c2ecf20Sopenharmony_ci
458c2ecf20Sopenharmony_ciconfig SECURITY_SMACK_APPEND_SIGNALS
468c2ecf20Sopenharmony_ci	bool "Treat delivering signals as an append operation"
478c2ecf20Sopenharmony_ci	depends on SECURITY_SMACK
488c2ecf20Sopenharmony_ci	default n
498c2ecf20Sopenharmony_ci	help
508c2ecf20Sopenharmony_ci	  Sending a signal has been treated as a write operation to the
518c2ecf20Sopenharmony_ci	  receiving process. If this option is selected, the delivery
528c2ecf20Sopenharmony_ci	  will be an append operation instead. This makes it possible
538c2ecf20Sopenharmony_ci	  to differentiate between delivering a network packet and
548c2ecf20Sopenharmony_ci	  delivering a signal in the Smack rules.
558c2ecf20Sopenharmony_ci	  If you are unsure how to answer this question, answer N.
56