c6993e4ac0
Unconditionally call Yama when CONFIG_SECURITY_YAMA_STACKED is selected, no matter what LSM module is primary. Ubuntu and Chrome OS already carry patches to do this, and Fedora has voiced interest in doing this as well. Instead of having multiple distributions (or LSM authors) carrying these patches, just allow Yama to be called unconditionally when selected by the new CONFIG. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com> Acked-by: Eric Paris <eparis@redhat.com> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
21 lines
656 B
Text
21 lines
656 B
Text
config SECURITY_YAMA
|
|
bool "Yama support"
|
|
depends on SECURITY
|
|
select SECURITYFS
|
|
select SECURITY_PATH
|
|
default n
|
|
help
|
|
This selects Yama, which extends DAC support with additional
|
|
system-wide security settings beyond regular Linux discretionary
|
|
access controls. Currently available is ptrace scope restriction.
|
|
Further information can be found in Documentation/security/Yama.txt.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_YAMA_STACKED
|
|
bool "Yama stacked with other LSMs"
|
|
depends on SECURITY_YAMA
|
|
default n
|
|
help
|
|
When Yama is built into the kernel, force it to stack with the
|
|
selected primary LSM.
|