80 |
enforcing mode from the beginning, you can reduce the possibility of |
enforcing mode from the beginning, you can reduce the possibility of |
81 |
hijacking the boot sequence. |
hijacking the boot sequence. |
82 |
|
|
83 |
|
If you say Y to both "Compile as loadable kernel module" option and |
84 |
|
"Activate without calling userspace policy loader." option, be sure |
85 |
|
to excplicitly load the kernel module from the userspace, for |
86 |
|
the kernel will not call /sbin/ccs-init when /sbin/init starts. |
87 |
|
|
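Review bot: "excplicitly" in the added line 85 is a typo for "explicitly", and "both ... option" on lines 83-84 should read "options". Separately, this paragraph hard-codes /sbin/ccs-init and /sbin/init, while the help texts further down in this same change describe both paths as defaults that CCS_loader= and CCS_trigger= can override; wording such as "the policy loader" and "the activation trigger" would stay correct either way. Since the preceding sentence ties enforcing mode from the beginning to the risk of a hijacked boot sequence, it would also help to state what happens if nothing in userspace ever loads the module.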
88 |
config CCSECURITY_POLICY_LOADER |
config CCSECURITY_POLICY_LOADER |
89 |
string "Location of userspace policy loader" |
string "Location of userspace policy loader" |
90 |
default "/sbin/ccs-init" |
default "/sbin/ccs-init" |
91 |
depends on CCSECURITY |
depends on CCSECURITY |
92 |
depends on !CCSECURITY_OMIT_USERSPACE_LOADER |
depends on !CCSECURITY_OMIT_USERSPACE_LOADER |
93 |
---help--- |
---help--- |
94 |
This is the pathname of policy loader which is called before |
This is the default pathname of policy loader which is called before |
95 |
activation. |
activation. You can override this setting via CCS_loader= kernel |
96 |
|
command line option. |
97 |
|
|
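Review bot: the sentence added on lines 95-96 turns the loader path into a boot-time parameter without giving any guidance on it. Because this program is "called before activation", whoever can edit the kernel command line now chooses what runs at that point. The help should say so, and should say what the kernel does when the path given in CCS_loader= does not exist. An example value, like the one the CCS_trigger= help gives, would make the option easier to use correctly.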
98 |
config CCSECURITY_ACTIVATION_TRIGGER |
config CCSECURITY_ACTIVATION_TRIGGER |
99 |
string "Trigger for calling userspace policy loader" |
string "Trigger for calling userspace policy loader" |
101 |
depends on CCSECURITY |
depends on CCSECURITY |
102 |
depends on !CCSECURITY_OMIT_USERSPACE_LOADER |
depends on !CCSECURITY_OMIT_USERSPACE_LOADER |
103 |
---help--- |
---help--- |
104 |
Some environments do not have /sbin/init . In such environments, |
This is the default pathname of activation trigger. |
105 |
we need to use different program's pathname (e.g. /init or /linuxrc ) |
You can override this setting via CCS_trigger= kernel command line |
106 |
as activation trigger. |
option. For example, if you pass init=/bin/systemd option, you may |
107 |
|
want to also pass CCS_trigger=/bin/systemd option. |
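Review bot: the rewritten help on lines 104-107 drops the only explanation of why this option exists (the removed text about environments without /sbin/init using /init or /linuxrc) and never says what an "activation trigger" is. Keep one sentence of the old rationale ahead of the CCS_trigger= text. The init=/bin/systemd example says "you may want to also pass" the matching CCS_trigger=; if a mismatch means the policy loader is not called, the text should state that consequence outright instead of leaving it as a suggestion.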