#
# grsecurity configuration
#

menu "Grsecurity"

config GRKERNSEC
	bool "Grsecurity"
	select CRYPTO
	select CRYPTO_SHA256
	help
	  If you say Y here, you will be able to configure many features
	  that will enhance the security of your system.  It is highly
	  recommended that you say Y here and read through the help
	  for each option so that you fully understand the features and
	  can evaluate their usefulness for your machine.

menu "Filesystem Protections"
depends on GRKERNSEC

config GRKERNSEC_PROC
	bool "Proc restrictions"
	help
	  If you say Y here, the permissions of the /proc filesystem
	  will be altered to enhance system security and privacy.  You MUST
	  choose either a user only restriction or a user and group restriction.
	  Depending upon the option you choose, you can either restrict users to
	  see only the processes they themselves run ("Restrict /proc to user
	  only"), or choose a group that can view all processes and files
	  normally restricted to root ("Allow special group").  NOTE: If you're
	  running identd as a non-root user, you will have to run it as the
	  group you specify here.

config GRKERNSEC_PROC_USER
	bool "Restrict /proc to user only"
	depends on GRKERNSEC_PROC
	help
	  If you say Y here, non-root users will only be able to view their own
	  processes, and will be restricted from viewing network-related
	  information and kernel symbol and module information.

config GRKERNSEC_PROC_USERGROUP
	bool "Allow special group"
	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
	help
	  If you say Y here, you will be able to select a group that will be
	  able to view all processes, network-related information, and
	  kernel symbol and module information.  This option is useful if you
	  want to run identd as a non-root user.

config GRKERNSEC_PROC_GID
	int "GID for special group"
	depends on GRKERNSEC_PROC_USERGROUP
	default 1001

config GRKERNSEC_PROC_ADD
	bool "Additional restrictions"
	depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
	help
	  If you say Y here, additional restrictions will be placed on
	  /proc that keep normal users from viewing device information and
	  slabinfo information that could be useful for exploits.

config GRKERNSEC_LINK
	bool "Linking restrictions"
	help
	  If you say Y here, /tmp race exploits will be prevented, since users
	  will no longer be able to follow symlinks owned by other users in
	  world-writable +t directories (e.g. /tmp), unless the owner of the
	  symlink is the owner of the directory.  Users will also not be
	  able to hardlink to files they do not own.  If the sysctl option is
	  enabled, a sysctl option with name "linking_restrictions" is created.

config GRKERNSEC_FIFO
	bool "FIFO restrictions"
	help
	  If you say Y here, users will not be able to write to FIFOs they don't
	  own in world-writable +t directories (e.g. /tmp), unless the owner of
	  the FIFO is also the owner of the directory it's held in.  If the
	  sysctl option is enabled, a sysctl option with name
	  "fifo_restrictions" is created.

endmenu

config GRKERNSEC_PROC_IPADDR
	depends on GRKERNSEC
	bool "/proc/<pid>/ipaddr support"
	help
	  If you say Y here, a new entry will be added to each /proc/<pid>
	  directory that contains the IP address of the person using the task.
	  The IP is carried across local TCP and AF_UNIX stream sockets.
	  This information can be useful for IDS/IPSes to perform remote response
	  to a local attack.  The entry is readable by only the owner of the
	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
	  the RBAC system), and thus does not create privacy concerns.

config GRKERNSEC_SHM
	depends on GRKERNSEC
	bool "Destroy unused shared memory"
	depends on SYSVIPC
	help
	  If you say Y here, shared memory will be destroyed when no one is
	  attached to it.  Otherwise, resources involved with the shared
	  memory can be used up and not be associated with any process (as the
	  shared memory still exists, and the creating process has exited).  If
	  the sysctl option is enabled, a sysctl option with name
	  "destroy_unused_shm" is created.

config GRKERNSEC_SYSCTL
	depends on GRKERNSEC && SYSCTL
	bool "Sysctl support"
	help
	  If you say Y here, you will be able to change the options that
	  grsecurity runs with at bootup, without having to recompile your
	  kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
	  to enable (1) or disable (0) various features.  All the sysctl entries
	  are mutable until the "grsec_lock" entry is set to a non-zero value.
	  All features enabled in the kernel configuration are disabled at boot
	  if you do not say Y to the "Turn on features by default" option.
	  All options should be set at startup, and the grsec_lock entry should
	  be set to a non-zero value after all the options are set.
	  *THIS IS EXTREMELY IMPORTANT*

config GRKERNSEC_SYSCTL_ON
	bool "Turn on features by default"
	depends on GRKERNSEC_SYSCTL
	help
	  If you say Y here, all features enabled in the kernel configuration
	  will be enabled at boot time, instead of being disabled at boot
	  time.  It is recommended you say Y here unless there is some reason
	  you would want all sysctl-tunable features to be disabled by
	  default.  As mentioned elsewhere, it is important to set the
	  grsec_lock entry to a non-zero value once you have finished
	  modifying the sysctl entries.

endmenu
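
# Added example (not part of the grsecurity sources): a boot-time script for the
# procedure in the "Sysctl support" help text, which sets the entries named in
# the help texts above and then sets grsec_lock.  Assumptions of this example:
# the GRSEC_DIR override, the --apply switch, the function names and the return
# codes; a missing entry is taken to mean the feature was not compiled in.

```shell
#!/bin/sh
# Added example, not grsecurity code.  GRSEC_DIR may be overridden (an
# assumption of this example) so the logic can be tried on a scratch directory.
GRSEC_DIR="${GRSEC_DIR:-/proc/sys/kernel/grsecurity}"
# Entry names come from the help texts; 1 enables a feature, 0 disables it.
GRSEC_SETTINGS="linking_restrictions=1 fifo_restrictions=1 destroy_unused_shm=1"

# grsec_set NAME VALUE: write one entry and read it back.
# Returns 2 if the entry does not exist, 1 if the value did not stick.
grsec_set() {
	entry="$GRSEC_DIR/$1"
	[ -e "$entry" ] || { echo "grsec: $1 not present, skipped" >&2; return 2; }
	echo "$2" 2>/dev/null > "$entry" || { echo "grsec: write to $1 refused" >&2; return 1; }
	[ "$(cat "$entry")" = "$2" ] || { echo "grsec: $1 is not $2" >&2; return 1; }
}

# Apply every setting, then lock.  Returns 0 on success, 1 if a setting or the
# lock did not take, 2 if grsec_lock is missing, 3 if already locked.
grsec_apply_and_lock() {
	lock="$GRSEC_DIR/grsec_lock"
	[ -r "$lock" ] || { echo "grsec: no grsec_lock in $GRSEC_DIR" >&2; return 2; }
	# Entries are only mutable while grsec_lock is 0; report instead of
	# silently failing every write.
	[ "$(cat "$lock")" = "0" ] || { echo "grsec: already locked" >&2; return 3; }
	failed=0
	for kv in $GRSEC_SETTINGS; do
		_rc=0
		grsec_set "${kv%%=*}" "${kv#*=}" || _rc=$?
		if [ "$_rc" -eq 1 ]; then failed=1; fi
	done
	# Lock even if a setting failed: while grsec_lock is 0 every entry can
	# still be switched back off.  The failure is reported via the exit code.
	echo 1 2>/dev/null > "$lock" || return 1
	[ "$(cat "$lock")" != "0" ] || { echo "grsec: grsec_lock still 0" >&2; return 1; }
	return "$failed"
}

# Run from an init script as: <this script> --apply
if [ "${1:-}" = "--apply" ]; then grsec_apply_and_lock; fi
```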
