git blame view of this Kconfig file; commits annotated on its lines: 1da177e4, 06ec7be5, 2c40579b, df71837d, 20510f2f, b5376771.

```kconfig
#
# Security configuration
#

menu "Security options"

config KEYS
	bool "Enable access key retention support"
	help
	  This option provides support for retaining authentication tokens and
	  access keys in the kernel.

	  It also includes provision of methods by which such keys might be
	  associated with a process so that network filesystems, encryption
	  support and the like can find them.

	  Furthermore, a special type of key is available that acts as keyring:
	  a searchable sequence of keys. Each process is equipped with access
	  to five standard keyrings: UID-specific, GID-specific, session,
	  process and thread.

	  If you are unsure as to whether this is required, answer N.

config KEYS_DEBUG_PROC_KEYS
	bool "Enable the /proc/keys file by which keys may be viewed"
	depends on KEYS
	help
	  This option turns on support for the /proc/keys file - through which
	  can be listed all the keys on the system that are viewable by the
	  reading process.

	  The only keys included in the list are those that grant View
	  permission to the reading process whether or not it possesses them.
	  Note that LSM security checks are still performed, and may further
	  filter out keys that the current process is not authorised to view.

	  Only key attributes are listed here; key payloads are not included in
	  the resulting table.

	  If you are unsure as to whether this is required, answer N.

config SECURITY
	bool "Enable different security models"
	depends on SYSFS
	help
	  This allows you to choose different security modules to be
	  configured into your kernel.

	  If this option is not selected, the default Linux security
	  model will be used.

	  If you are unsure how to answer this question, answer N.

config SECURITY_NETWORK
	bool "Socket and Networking Security Hooks"
	depends on SECURITY
	help
	  This enables the socket and networking security hooks.
	  If enabled, a security module can use these hooks to
	  implement socket and networking access controls.
	  If you are unsure how to answer this question, answer N.

config SECURITY_NETWORK_XFRM
	bool "XFRM (IPSec) Networking Security Hooks"
	depends on XFRM && SECURITY_NETWORK
	help
	  This enables the XFRM (IPSec) networking security hooks.
	  If enabled, a security module can use these hooks to
	  implement per-packet access controls based on labels
	  derived from IPSec policy. Non-IPSec communications are
	  designated as unlabelled, and only sockets authorized
	  to communicate unlabelled data can send without using
	  IPSec.
	  If you are unsure how to answer this question, answer N.

config SECURITY_CAPABILITIES
	bool "Default Linux Capabilities"
	depends on SECURITY
	help
	  This enables the "default" Linux capabilities functionality.
	  If you are unsure how to answer this question, answer Y.

config SECURITY_FILE_CAPABILITIES
	bool "File POSIX Capabilities (EXPERIMENTAL)"
	depends on (SECURITY=n || SECURITY_CAPABILITIES!=n) && EXPERIMENTAL
	default n
	help
	  This enables filesystem capabilities, allowing you to give
	  binaries a subset of root's powers without using setuid 0.

	  If in doubt, answer N.

config SECURITY_ROOTPLUG
	bool "Root Plug Support"
	depends on USB=y && SECURITY
	help
	  This is a sample LSM module that should only be used as such.
	  It prevents any programs running with egid == 0 if a specific
	  USB device is not present in the system.

	  See <http://www.linuxjournal.com/article.php?sid=6279> for
	  more information about this module.

	  If you are unsure how to answer this question, answer N.

source security/selinux/Kconfig

endmenu
```
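The `depends on` rules above are easy to misread by hand: a bare `SECURITY` needs SECURITY=y, and `USB=y` is not satisfied by a modular USB=m. As an added example (not kernel code), this Python evaluator applies the dependency expressions listed in this section to a constructed .config state and reports enabled options whose dependencies are unmet; it assumes bool-only semantics (no tristate `m` propagation, no `!` operator), which is all this file uses.

```python
import re

# `depends on` expressions copied from the Kconfig section above.
DEPENDS = {
    "KEYS_DEBUG_PROC_KEYS": "KEYS",
    "SECURITY": "SYSFS",
    "SECURITY_NETWORK": "SECURITY",
    "SECURITY_NETWORK_XFRM": "XFRM && SECURITY_NETWORK",
    "SECURITY_CAPABILITIES": "SECURITY",
    "SECURITY_FILE_CAPABILITIES": "(SECURITY=n || SECURITY_CAPABILITIES!=n) && EXPERIMENTAL",
    "SECURITY_ROOTPLUG": "USB=y && SECURITY",
}
TOKEN = re.compile(r"\(|\)|&&|\|\||!=|=|\w+")

def evaluate(expr, cfg):
    """Evaluate a bool option's dependency expression against cfg (symbol -> 'y'/'m'/'n'
    as in .config). A bare symbol is satisfied only when 'y'; '=' / '!=' compare values;
    an absent symbol is 'n'. Simplified: no tristate 'm' propagation, no '!' operator."""
    toks = TOKEN.findall(expr)              # consumed left to right via pop(0)
    def atom():
        sym = toks.pop(0)
        if sym == "(":
            val = or_expr()
            toks.pop(0)                     # the matching ')'
            return val
        if toks[:1] in (["="], ["!="]):
            op, rhs = toks.pop(0), toks.pop(0)
            return (cfg.get(sym, "n") == rhs) == (op == "=")
        return cfg.get(sym, "n") == "y"
    def and_expr():
        val = atom()
        while toks[:1] == ["&&"]:
            toks.pop(0)
            val = atom() and val            # atom() always runs: no short-circuit
        return val
    def or_expr():
        val = and_expr()
        while toks[:1] == ["||"]:
            toks.pop(0)
            val = and_expr() or val
        return val
    return or_expr()

def unmet(cfg):
    """Options set to 'y' in cfg whose `depends on` expression is false."""
    return sorted(s for s, d in DEPENDS.items() if cfg.get(s) == "y" and not evaluate(d, cfg))

# Constructed .config state (absent symbols count as 'n'): SECURITY off, USB built as a module.
SAMPLE = {"SYSFS": "y", "KEYS": "y", "KEYS_DEBUG_PROC_KEYS": "y", "SECURITY_NETWORK": "y",
          "EXPERIMENTAL": "y", "SECURITY_FILE_CAPABILITIES": "y", "USB": "m", "SECURITY_ROOTPLUG": "y"}
```

Running `unmet(SAMPLE)` flags SECURITY_NETWORK and SECURITY_ROOTPLUG, while SECURITY_FILE_CAPABILITIES passes because its `SECURITY=n` alternative holds.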