162306a36Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only 262306a36Sopenharmony_ciconfig SECURITY_SMACK 362306a36Sopenharmony_ci bool "Simplified Mandatory Access Control Kernel Support" 462306a36Sopenharmony_ci depends on NET 562306a36Sopenharmony_ci depends on INET 662306a36Sopenharmony_ci depends on SECURITY 762306a36Sopenharmony_ci select NETLABEL 862306a36Sopenharmony_ci select SECURITY_NETWORK 962306a36Sopenharmony_ci default n 1062306a36Sopenharmony_ci help 1162306a36Sopenharmony_ci This selects the Simplified Mandatory Access Control Kernel. 1262306a36Sopenharmony_ci Smack is useful for sensitivity, integrity, and a variety 1362306a36Sopenharmony_ci of other mandatory security schemes. 1462306a36Sopenharmony_ci If you are unsure how to answer this question, answer N. 1562306a36Sopenharmony_ci 1662306a36Sopenharmony_ciconfig SECURITY_SMACK_BRINGUP 1762306a36Sopenharmony_ci bool "Reporting on access granted by Smack rules" 1862306a36Sopenharmony_ci depends on SECURITY_SMACK 1962306a36Sopenharmony_ci default n 2062306a36Sopenharmony_ci help 2162306a36Sopenharmony_ci Enable the bring-up ("b") access mode in Smack rules. 2262306a36Sopenharmony_ci When access is granted by a rule with the "b" mode a 2362306a36Sopenharmony_ci message about the access requested is generated. The 2462306a36Sopenharmony_ci intention is that a process can be granted a wide set 2562306a36Sopenharmony_ci of access initially with the bringup mode set on the 2662306a36Sopenharmony_ci rules. The developer can use the information to 2762306a36Sopenharmony_ci identify which rules are necessary and what accesses 2862306a36Sopenharmony_ci may be inappropriate. The developer can reduce the 2962306a36Sopenharmony_ci access rule set once the behavior is well understood. 3062306a36Sopenharmony_ci This is a superior mechanism to the oft abused 3162306a36Sopenharmony_ci "permissive" mode of other systems. 3262306a36Sopenharmony_ci If you are unsure how to answer this question, answer N. 3362306a36Sopenharmony_ci 3462306a36Sopenharmony_ciconfig SECURITY_SMACK_NETFILTER 3562306a36Sopenharmony_ci bool "Packet marking using secmarks for netfilter" 3662306a36Sopenharmony_ci depends on SECURITY_SMACK 3762306a36Sopenharmony_ci depends on NETWORK_SECMARK 3862306a36Sopenharmony_ci depends on NETFILTER 3962306a36Sopenharmony_ci default n 4062306a36Sopenharmony_ci help 4162306a36Sopenharmony_ci This enables security marking of network packets using 4262306a36Sopenharmony_ci Smack labels. 4362306a36Sopenharmony_ci If you are unsure how to answer this question, answer N. 4462306a36Sopenharmony_ci 4562306a36Sopenharmony_ciconfig SECURITY_SMACK_APPEND_SIGNALS 4662306a36Sopenharmony_ci bool "Treat delivering signals as an append operation" 4762306a36Sopenharmony_ci depends on SECURITY_SMACK 4862306a36Sopenharmony_ci default n 4962306a36Sopenharmony_ci help 5062306a36Sopenharmony_ci Sending a signal has been treated as a write operation to the 5162306a36Sopenharmony_ci receiving process. If this option is selected, the delivery 5262306a36Sopenharmony_ci will be an append operation instead. This makes it possible 5362306a36Sopenharmony_ci to differentiate between delivering a network packet and 5462306a36Sopenharmony_ci delivering a signal in the Smack rules. 5562306a36Sopenharmony_ci If you are unsure how to answer this question, answer N. 56