aboutsummaryrefslogtreecommitdiff
path: root/security/smack/Kconfig
diff options
context:
space:
mode:
authorCasey Schaufler <casey@schaufler-ca.com>2016-08-30 10:31:39 -0700
committerCasey Schaufler <casey@schaufler-ca.com>2016-09-08 13:22:56 -0700
commitc60b906673eebb4f65840fa9dc204401caf276ea (patch)
tree0ccaf8637751e3183918c3249af3ab465481245f /security/smack/Kconfig
parent63e24c497158c066583b9c06378d89ace694265a (diff)
downloadlinux-c60b906673eebb4f65840fa9dc204401caf276ea.tar.gz
Smack: Signal delivery as an append operation
Under a strict subject/object security policy delivering a signal or delivering network IPC could be considered either a write or an append operation. The original choice to make both write operations leads to an issue where IPC delivery is desired under policy, but delivery of signals is not. This patch provides the option of making signal delivery an append operation, allowing Smack rules that deny signal delivery while allowing IPC. This was requested for Tizen. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/Kconfig')
-rw-r--r--security/smack/Kconfig12
1 files changed, 12 insertions, 0 deletions
diff --git a/security/smack/Kconfig b/security/smack/Kconfig
index 271adae81796..923b120e0fa5 100644
--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -40,3 +40,15 @@ config SECURITY_SMACK_NETFILTER
This enables security marking of network packets using
Smack labels.
If you are unsure how to answer this question, answer N.
+
+config SECURITY_SMACK_APPEND_SIGNALS
+ bool "Treat delivering signals as an append operation"
+ depends on SECURITY_SMACK
+ default n
+ help
+ Sending a signal has been treated as a write operation to the
+ receiving process. If this option is selected, the delivery
+ will be an append operation instead. This makes it possible
+ to differentiate between delivering a network packet and
+ delivering a signal in the Smack rules.
+ If you are unsure how to answer this question, answer N.