summaryrefslogtreecommitdiff
path: root/security/smack/Kconfig
diff options
context:
space:
mode:
authorCasey Schaufler <casey@schaufler-ca.com>2014-12-13 04:08:40 +0300
committerCasey Schaufler <casey@schaufler-ca.com>2015-01-21 03:34:25 +0300
commit69f287ae6fc8357e0bc561353a2d585b89ee8cdc (patch)
treea717c525b47790cab2d437e0e16e11728394b97c /security/smack/Kconfig
parent5e7270a6dd14fa6e3bb10128f200305b4a75f350 (diff)
downloadlinux-69f287ae6fc8357e0bc561353a2d585b89ee8cdc.tar.xz
Smack: secmark support for netfilter
Smack uses CIPSO to label internet packets and thus provide for access control on delivery of packets. The netfilter facility was not used to allow for Smack to work properly without netfilter configuration. Smack does not need netfilter, however there are cases where it would be handy. As a side effect, the labeling of local IPv4 packets can be optimized and the handling of local IPv6 packets is just all out better. The best part is that the netfilter tools use "contexts" that are just strings, and they work just as well for Smack as they do for SELinux. All of the conditional compilation for IPv6 was implemented by Rafal Krypa <r.krypa@samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/Kconfig')
-rw-r--r--security/smack/Kconfig12
1 files changed, 12 insertions, 0 deletions
diff --git a/security/smack/Kconfig b/security/smack/Kconfig
index b065f9789418..271adae81796 100644
--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -28,3 +28,15 @@ config SECURITY_SMACK_BRINGUP
access rule set once the behavior is well understood.
This is a superior mechanism to the oft abused
"permissive" mode of other systems.
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_SMACK_NETFILTER
+ bool "Packet marking using secmarks for netfilter"
+ depends on SECURITY_SMACK
+ depends on NETWORK_SECMARK
+ depends on NETFILTER
+ default n
+ help
+ This enables security marking of network packets using
+ Smack labels.
+ If you are unsure how to answer this question, answer N.