nfsd4: document lease/grace-period limits

[safe/jmp/linux-2.6] / security / Kconfig

diff --git a/security/Kconfig b/security/Kconfig
index edc7cbd..226b955 100644 (file)
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -91,31 +91,9 @@ config SECURITY_PATH
          implement pathname based access controls.
          If you are unsure how to answer this question, answer N.
 
          implement pathname based access controls.
          If you are unsure how to answer this question, answer N.
 

-config SECURITY_FILE_CAPABILITIES
-       bool "File POSIX Capabilities"
-       default n
-       help
-         This enables filesystem capabilities, allowing you to give
-         binaries a subset of root's powers without using setuid 0.
-
-         If in doubt, answer N.
-
-config SECURITY_ROOTPLUG
-       bool "Root Plug Support"
-       depends on USB=y && SECURITY
-       help
-         This is a sample LSM module that should only be used as such.
-         It prevents any programs running with egid == 0 if a specific
-         USB device is not present in the system.
-
-         See <http://www.linuxjournal.com/article.php?sid=6279> for
-         more information about this module.
-
-         If you are unsure how to answer this question, answer N.
-

 config INTEL_TXT
        bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
 config INTEL_TXT
        bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"

-       depends on EXPERIMENTAL && X86 && DMAR && ACPI
+       depends on HAVE_INTEL_TXT

        help
          This option enables support for booting the kernel with the
          Trusted Boot (tboot) module. This will utilize
        help
          This option enables support for booting the kernel with the
          Trusted Boot (tboot) module. This will utilize


@@ -123,7 +101,7 @@ config INTEL_TXT
          of the kernel. If the system does not support Intel(R) TXT, this
          will have no effect.
 
          of the kernel. If the system does not support Intel(R) TXT, this
          will have no effect.
 

-         Intel TXT will provide higher assurance of sysem configuration and
+         Intel TXT will provide higher assurance of system configuration and

          initial state as well as data reset protection.  This is used to
          create a robust initial kernel measurement and verification, which
          helps to ensure that kernel security mechanisms are functioning
          initial state as well as data reset protection.  This is used to
          create a robust initial kernel measurement and verification, which
          helps to ensure that kernel security mechanisms are functioning


@@ -132,7 +110,7 @@ config INTEL_TXT
 
          Intel TXT also helps solve real end user concerns about having
          confidence that their hardware is running the VMM or kernel that
 
          Intel TXT also helps solve real end user concerns about having
          confidence that their hardware is running the VMM or kernel that

-         it was conigured with, especially since they may be responsible for
+         it was configured with, especially since they may be responsible for

          providing such assurances to VMs and services running on it.
 
          See <http://www.intel.com/technology/security/> for more information
          providing such assurances to VMs and services running on it.
 
          See <http://www.intel.com/technology/security/> for more information


@@ -143,11 +121,59 @@ config INTEL_TXT
 
          If you are unsure as to whether this is required, answer N.
 
 
          If you are unsure as to whether this is required, answer N.
 

+config LSM_MMAP_MIN_ADDR
+       int "Low address space for LSM to protect from user allocation"
+       depends on SECURITY && SECURITY_SELINUX
+       default 65536
+       help
+         This is the portion of low virtual memory which should be protected
+         from userspace allocation.  Keeping a user from writing to low pages
+         can help reduce the impact of kernel NULL pointer bugs.
+
+         For most ia64, ppc64 and x86 users with lots of address space
+         a value of 65536 is reasonable and should cause no problems.
+         On arm and other archs it should not be higher than 32768.
+         Programs which use vm86 functionality or have some need to map
+         this low address space will need the permission specific to the
+         systems running LSM.
+

 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
 
 source security/integrity/ima/Kconfig
 
 source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
 
 source security/integrity/ima/Kconfig
 

+choice
+       prompt "Default security module"
+       default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
+       default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
+       default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
+       default DEFAULT_SECURITY_DAC
+
+       help
+         Select the security module that will be used by default if the
+         kernel parameter security= is not specified.
+
+       config DEFAULT_SECURITY_SELINUX
+               bool "SELinux" if SECURITY_SELINUX=y
+
+       config DEFAULT_SECURITY_SMACK
+               bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+
+       config DEFAULT_SECURITY_TOMOYO
+               bool "TOMOYO" if SECURITY_TOMOYO=y
+
+       config DEFAULT_SECURITY_DAC
+               bool "Unix Discretionary Access Controls"
+
+endchoice
+
+config DEFAULT_SECURITY
+       string
+       default "selinux" if DEFAULT_SECURITY_SELINUX
+       default "smack" if DEFAULT_SECURITY_SMACK
+       default "tomoyo" if DEFAULT_SECURITY_TOMOYO
+       default "" if DEFAULT_SECURITY_DAC
+

 endmenu
 
 endmenu