Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  1) # SPDX-License-Identifier: GPL-2.0-only
# Master switch for TOMOYO, the pathname-based access-control security module.
# Off by default. Enabling it force-selects securityfs and the path and network
# security hooks (SECURITYFS, SECURITY_PATH, SECURITY_NETWORK), so those are
# enabled even if they were not chosen explicitly.
# NOTE(review): BUILD_BIN2C is presumably selected to embed the built-in policy
# at build time - confirm against the tomoyo Makefile.
# NOTE(review): the help URL below is plain http; obtain the userspace tools
# from a source whose integrity can be verified (e.g. signed distro packages).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  2) config SECURITY_TOMOYO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  3) 	bool "TOMOYO Linux Support"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  4) 	depends on SECURITY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  5) 	depends on NET
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  6) 	select SECURITYFS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  7) 	select SECURITY_PATH
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  8) 	select SECURITY_NETWORK
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  9) 	select SRCU
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) 	select BUILD_BIN2C
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) 	default n
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) 	  This selects TOMOYO Linux, pathname-based access control.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) 	  Required userspace tools and further information may be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) 	  found at <http://tomoyo.sourceforge.jp/>.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) 	  If you are unsure how to answer this question, answer N.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) 
# Default cap on how many ACL entries learning mode may append to the policy
# automatically (2048 unless changed; accepted range is 0 to 2147483647).
# Per the help text this is a resource guard: programs touching thousands of
# objects would otherwise slow the system and consume memory while learning.
# NOTE(review): this file does not say what happens to accesses seen after the
# cap is reached; review a learned policy for completeness before enforcing it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) 	int "Default maximal count for learning mode"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) 	default 2048
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) 	range 0 2147483647
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) 	depends on SECURITY_TOMOYO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) 	  This is the default value for maximal ACL entries
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) 	  that are automatically appended into policy at "learning mode".
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) 	  Some programs access thousands of objects, so running
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) 	  such programs in "learning mode" dulls the system response
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) 	  and consumes much memory.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) 	  This is the safeguard for such programs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) 
# Default number of audit-log entries the kernel keeps in memory (1024 unless
# changed). The log is read through securityfs at
# /sys/kernel/security/tomoyo/audit; the help text offers 0 for systems that
# do not need audit logs.
# NOTE(review): as described here the buffer is bounded and memory-only, so
# retention presumably depends on a userspace reader draining it - confirm.
# Setting 0 gives up this audit trail as a detection and forensics source.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) config SECURITY_TOMOYO_MAX_AUDIT_LOG
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) 	int "Default maximal count for audit log"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) 	default 1024
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) 	range 0 2147483647
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) 	depends on SECURITY_TOMOYO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) 	  This is the default value for maximal entries for
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) 	  audit logs that the kernel can hold on memory.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) 	  You can read the log via /sys/kernel/security/tomoyo/audit.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) 	  If you don't need audit logs, you may set this value to 0.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) 
# When Y, access control becomes active as soon as the built-in policy is
# loaded, without first calling a userspace policy loader. The help text
# presents this as a way to run in enforcing mode from the beginning and so
# reduce the chance of boot-sequence hijacking: the fixed built-in part allows
# only what is needed to mount, verify (e.g. GPG check) and load the variant
# part of the policy.
# Enabling this hides SECURITY_TOMOYO_POLICY_LOADER and
# SECURITY_TOMOYO_ACTIVATION_TRIGGER, which both depend on it being off.
# It is also force-selected by SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) 	bool "Activate without calling userspace policy loader."
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) 	default n
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) 	depends on SECURITY_TOMOYO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) 	  Say Y here if you want to activate access control as soon as built-in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) 	  policy was loaded. This option will be useful for systems where
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) 	  operations which can lead to the hijacking of the boot sequence are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) 	  needed before loading the policy. For example, you can activate
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) 	  immediately after loading the fixed part of policy which will allow
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) 	  only operations needed for mounting a partition which contains the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) 	  variant part of policy and verifying (e.g. running GPG check) and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) 	  loading the variant part of policy. Since you can start using
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) 	  enforcing mode from the beginning, you can reduce the possibility of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) 	  hijacking the boot sequence.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) 
# Default path of the userspace policy loader that is called before TOMOYO is
# activated. Only offered when SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is off.
# The TOMOYO_loader= kernel command line option overrides it at boot, so the
# bootloader configuration and the binary at this path both determine which
# program supplies policy; protect the integrity of both.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) config SECURITY_TOMOYO_POLICY_LOADER
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) 	string "Location of userspace policy loader"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) 	default "/sbin/tomoyo-init"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) 	depends on SECURITY_TOMOYO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) 	depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) 	  This is the default pathname of policy loader which is called before
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) 	  activation. You can override this setting via TOMOYO_loader= kernel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) 	  command line option.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) 
# Default pathname that acts as the trigger for calling the userspace policy
# loader. Only offered when SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is off.
# The TOMOYO_trigger= kernel command line option overrides it; the help text
# advises passing it whenever init= points somewhere other than the default
# (its example is init=/bin/systemd with TOMOYO_trigger=/bin/systemd).
# NOTE(review): presumably the loader is never called if the trigger path is
# not executed, leaving the userspace policy unloaded - confirm, and verify
# after boot that the intended policy is active.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) config SECURITY_TOMOYO_ACTIVATION_TRIGGER
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) 	string "Trigger for calling userspace policy loader"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) 	default "/sbin/init"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) 	depends on SECURITY_TOMOYO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) 	depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) 	  This is the default pathname of activation trigger.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) 	  You can override this setting via TOMOYO_trigger= kernel command line
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) 	  option. For example, if you pass init=/bin/systemd option, you may
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) 	  want to also pass TOMOYO_trigger=/bin/systemd option.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) 
# Fuzzing-only switch, off by default. Per the help text it forces a minimal
# built-in policy and disables the domain/program checks applied to run-time
# policy modifications; it also force-selects
# SECURITY_TOMOYO_OMIT_USERSPACE_LOADER, so no userspace loader is called.
# Not for production or distribution kernels: a build audit should confirm
# that CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set in any
# shipped configuration.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) config SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) 	bool "Use insecure built-in settings for fuzzing tests."
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) 	default n
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) 	depends on SECURITY_TOMOYO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) 	select SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) 	  Enabling this option forces minimal built-in policy and disables
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) 	  domain/program checks for run-time policy modifications. Please enable
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) 	  this option only if this kernel is built for doing fuzzing tests.