linux_dsm_epyc7002/security/smack/Kconfig
Casey Schaufler 69f287ae6f Smack: secmark support for netfilter
Smack uses CIPSO to label internet packets and thus provide
for access control on delivery of packets. The netfilter facility
was not used to allow for Smack to work properly without netfilter
configuration. Smack does not need netfilter, however there are
cases where it would be handy.

As a side effect, the labeling of local IPv4 packets can be optimized
and the handling of local IPv6 packets is just all out better.

The best part is that the netfilter tools use "contexts" that
are just strings, and they work just as well for Smack as they
do for SELinux.

All of the conditional compilation for IPv6 was implemented
by Rafal Krypa <r.krypa@samsung.com>

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2015-01-20 16:34:25 -08:00

43 lines
1.5 KiB
Plaintext

config SECURITY_SMACK
bool "Simplified Mandatory Access Control Kernel Support"
depends on NET
depends on INET
depends on SECURITY
select NETLABEL
select SECURITY_NETWORK
default n
help
This selects the Simplified Mandatory Access Control Kernel.
Smack is useful for sensitivity, integrity, and a variety
of other mandatory security schemes.
If you are unsure how to answer this question, answer N.
config SECURITY_SMACK_BRINGUP
bool "Reporting on access granted by Smack rules"
depends on SECURITY_SMACK
default n
help
Enable the bring-up ("b") access mode in Smack rules.
When access is granted by a rule with the "b" mode a
message about the access requested is generated. The
intention is that a process can be granted a wide set
of access initially with the bringup mode set on the
rules. The developer can use the information to
identify which rules are necessary and what accesses
may be inappropriate. The developer can reduce the
access rule set once the behavior is well understood.
This is a superior mechanism to the oft abused
"permissive" mode of other systems.
If you are unsure how to answer this question, answer N.
config SECURITY_SMACK_NETFILTER
bool "Packet marking using secmarks for netfilter"
depends on SECURITY_SMACK
depends on NETWORK_SECMARK
depends on NETFILTER
default n
help
This enables security marking of network packets using
Smack labels.
If you are unsure how to answer this question, answer N.