config CAITSITH
	bool "CaitSith support"
	default y
	help
	  Say Y here to support CaitSith.
	  http://caitsith.osdn.jp/

config CAITSITH_LKM
	bool "Compile as loadable kernel module"
	default n
	depends on CAITSITH && MODULES
	help
	  CaitSith depends on patching the kernel source in order
	  to insert some hooks which LSM does not provide. Therefore,
	  recompiling the kernel is unavoidable. But if you want to keep
	  vmlinux's size as small as possible, you can compile most of
	  CaitSith as a loadable kernel module by saying Y here.

config CAITSITH_DISABLE_BY_DEFAULT
	bool "Disable by default"
	default n
	depends on CAITSITH
	help
	  Say Y here if you want CaitSith disabled by default.
	  To enable CaitSith, pass caitsith=on to kernel command line.
	  To disable CaitSith, pass caitsith=off to kernel command line.

config CAITSITH_USE_EXTERNAL_TASK_SECURITY
	bool "Do not modify 'struct task_struct' in order to keep KABI"
	default n
	depends on CAITSITH
	help
	  Say Y here if you want to keep the KABI for prebuilt kernel modules
	  unchanged. CaitSith needs a "struct cs_domain_info *" and a "u32" for
	  each "struct task_struct". But embedding these variables into
	  "struct task_struct" breaks the KABI for prebuilt kernel modules (which
	  means that you will need to rebuild prebuilt kernel modules).
	  If you say Y here, these variables are managed outside
	  "struct task_struct" rather than being embedded in "struct task_struct",
	  but accessing these variables becomes slower because a lookup operation
	  is performed every time the current thread needs to access them.

config CAITSITH_OMIT_USERSPACE_LOADER
	bool "Activate without calling userspace policy loader."
	default n
	depends on CAITSITH
	---help---
	  Say Y here if you want to activate access control as soon as the
	  built-in policy has been loaded. This option is useful for systems
	  where operations that could allow the boot sequence to be hijacked
	  must be performed before the policy is loaded. For example, you can
	  activate immediately after loading the fixed part of the policy, which
	  allows only the operations needed for mounting the partition that
	  contains the variant part of the policy, verifying it (e.g. running a
	  GPG check) and loading it. Since you can use enforcing mode from the
	  beginning, you reduce the window in which the boot sequence could be
	  hijacked.

	  If you say Y to both the "Compile as loadable kernel module" option and
	  the "Activate without calling userspace policy loader." option, be sure
	  to explicitly load the kernel module from userspace, because
	  the kernel will not call /sbin/caitsith-init when /sbin/init starts.

config CAITSITH_POLICY_LOADER
	string "Location of userspace policy loader"
	default "/sbin/caitsith-init"
	depends on CAITSITH
	depends on !CAITSITH_OMIT_USERSPACE_LOADER
	---help---
	  This is the default pathname of the policy loader which is called
	  before activation. You can override this setting via the CS_loader=
	  kernel command line option.

config CAITSITH_ACTIVATION_TRIGGER
	string "Trigger for calling userspace policy loader"
	default "/sbin/init"
	depends on CAITSITH
	depends on !CAITSITH_OMIT_USERSPACE_LOADER
	---help---
	  This is the default pathname of the activation trigger.
	  You can override this setting via the CS_trigger= kernel command line
	  option. For example, if you pass the init=/bin/systemd option, you may
	  also want to pass the CS_trigger=/bin/systemd option.

	  The following options let you enable only specific functionality in
	  order to reduce object file size.

config CAITSITH_READDIR
	bool "Enable readdir operation restriction."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable restriction of opening directories
	  for reading. Reading directory entries is a commonly requested
	  operation, and the damage caused by leaving it unrestricted may be
	  acceptable to you.

config CAITSITH_GETATTR
	bool "Enable getattr operation restriction."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable restriction of getting information
	  about files. Getting a file's information is a commonly requested
	  operation, and the damage caused by leaving it unrestricted may be
	  acceptable to you.

config CAITSITH_NETWORK
	bool "Enable socket operation restriction."
	default y
	depends on NET
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable restriction of INET/INET6/UNIX
	  socket operations.

config CAITSITH_CAPABILITY
	bool "Enable non-POSIX capability operation restriction."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable restriction of non-POSIX
	  capabilities.

config CAITSITH_PTRACE
	bool "Enable ptrace operation restriction."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable restriction of ptrace() operation.

config CAITSITH_SIGNAL
	bool "Enable kill operation restriction."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable restriction of kill() operation.

config CAITSITH_ENVIRON
	bool "Enable environment variable names/values restriction."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable restriction of environment variable
	  names/values passed upon program execution request.

config CAITSITH_EXECUTE_HANDLER
	bool "Enable execute handler functionality."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable execute handler functionality.

config CAITSITH_MANUAL_DOMAIN_TRANSITION
	bool "Enable domain transition without program execution request."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable domain transition without involving
	  program execution request.

config CAITSITH_AUTO_DOMAIN_TRANSITION
	bool "Enable automatic domain transition."
	default y
	depends on CAITSITH
	---help---
	  Say Y here if you want to enable automatic domain transition when
	  conditions are met.

config CAITSITH_NETWORK_RECVMSG
	def_bool CAITSITH_NETWORK
