# SPDX-License-Identifier: GPL-2.0-only

config SECURITY_LANDLOCK
	bool "Landlock support"
	depends on SECURITY
	select SECURITY_PATH
	help
	  Landlock is a sandboxing mechanism that enables processes to restrict
	  themselves (and their future children) by gradually enforcing
	  tailored access control policies. A Landlock security policy is a
	  set of access rights (e.g. open a file in read-only, make a
	  directory, etc.) tied to a file hierarchy. Such policy can be
	  configured and enforced by any processes for themselves using the
	  dedicated system calls: landlock_create_ruleset(),
	  landlock_add_rule(), and landlock_restrict_self().

	  See Documentation/userspace-api/landlock.rst for further information.

	  If you are unsure how to answer this question, answer N. Otherwise,
	  you should also prepend "landlock," to the content of CONFIG_LSM to
	  enable Landlock at boot time.
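The help text above names two separate conditions: the option must be built in, and "landlock" must appear in CONFIG_LSM for it to be enabled at boot. The following is an added example, not part of the kernel tree, that classifies a kernel .config read from stdin into those states; the function name and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a kernel .config (read from stdin) for Landlock.
# Prints one of: enabled | built-not-in-lsm | not-built
landlock_config_state() {
    cfg=$(cat)
    # A Kconfig bool is "=y" when selected; otherwise the symbol is absent
    # or appears as "# CONFIG_SECURITY_LANDLOCK is not set".
    if ! printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY_LANDLOCK=y$'; then
        echo not-built
        return 0
    fi
    # CONFIG_LSM is a quoted, comma-separated list of LSM names.
    lsm=$(printf '%s\n' "$cfg" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p')
    # Wrap in commas so only a whole list element matches "landlock".
    case ",$lsm," in
        *,landlock,*) echo enabled ;;
        *)            echo built-not-in-lsm ;;
    esac
}

# Constructed sample configs (not taken from any real kernel build).
SAMPLE_OFF='# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_LSM="lockdown,yama,apparmor"'
SAMPLE_BUILT='CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="lockdown,yama,apparmor"'
SAMPLE_ON='CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="landlock,lockdown,yama,apparmor"'

for s in "$SAMPLE_OFF" "$SAMPLE_BUILT" "$SAMPLE_ON"; do
    printf '%s\n' "$s" | landlock_config_state
done
```

On a running system, the list of active LSMs can be read from /sys/kernel/security/lsm, which reflects any lsm= boot parameter that overrides CONFIG_LSM.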