blob: 099e1fb3569934c7b277c57d8ba27236ede9f3d8 [file] [log] [blame]
config SECURITY_CHROMIUMOS
bool "Chromium OS Security Module"
depends on SECURITY
help
The purpose of the Chromium OS security module is to reduce attacking
surface by preventing access to general purpose access modes not
required by Chromium OS. Currently: the mount operation is
restricted by requiring a mount point path without symbolic links,
and loading modules is limited to only the root filesystem. This
LSM is stacked ahead of any primary "full" LSM.
config SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT
bool "Chromium OS Security: prohibit mount to symlinked target"
depends on SECURITY_CHROMIUMOS
default y
help
When enabled mount() syscall will return ELOOP whenever target path
contains any symlinks.
config SECURITY_CHROMIUMOS_DEVICE_JAIL
bool "Chromium OS Security: device jail sandbox"
depends on USB=y
default y
help
When enabled, the kernel device_jail interface will be enabled,
allowing further sandboxing of USB devices.
config ALT_SYSCALL_CHROMIUMOS
tristate "Chromium OS Alt-Syscall Tables"
depends on ALT_SYSCALL
help
Register restricted, alternate syscall tables used by Chromium OS
using the alt-syscall infrastructure. Alternate syscall tables
can be selected with prctl(PR_ALT_SYSCALL).