Mickaël Salaün | 9094544 | 2021-04-22 17:41:11 +0200 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| 2 | |
| 3 | config SECURITY_LANDLOCK |
| 4 | bool "Landlock support" |
Mickaël Salaün | cb2c7d1 | 2021-04-22 17:41:17 +0200 | [diff] [blame] | 5 | depends on SECURITY && !ARCH_EPHEMERAL_INODES |
Mickaël Salaün | 9094544 | 2021-04-22 17:41:11 +0200 | [diff] [blame] | 6 | select SECURITY_PATH |
| 7 | help |
| 8 | Landlock is a sandboxing mechanism that enables processes to restrict |
| 9 | themselves (and their future children) by gradually enforcing |
| 10 | tailored access control policies. A Landlock security policy is a |
| 11 | set of access rights (e.g. open a file in read-only, make a |
| 12 | directory, etc.) tied to a file hierarchy. Such policy can be |
| 13 | configured and enforced by any processes for themselves using the |
| 14 | dedicated system calls: landlock_create_ruleset(), |
| 15 | landlock_add_rule(), and landlock_restrict_self(). |
| 16 | |
| 17 | See Documentation/userspace-api/landlock.rst for further information. |
| 18 | |
| 19 | If you are unsure how to answer this question, answer N. Otherwise, |
| 20 | you should also prepend "landlock," to the content of CONFIG_LSM to |
| 21 | enable Landlock at boot time. |