"Serge E. Hallyn" <serue@xxxxxxxxxx> writes:

>> diff --git a/security/snet/Kconfig b/security/snet/Kconfig
>> new file mode 100644
>> index 0000000..e1516a1
>> --- /dev/null
>> +++ b/security/snet/Kconfig
>> @@ -0,0 +1,22 @@
>> +#
>> +# snet
>> +#
>> +
>> +config SECURITY_SNET
>> +	bool "snet - Security for NETwork syscalls"
>> +	depends on SECURITY_NETWORK && IPV6
>
> Why depend on IPV6?

right, no need.

>
>> +	default n
>> +	---help---
>> +	  Provide a generic netlink that reports networking's syscalls
>> +	  to userspace
>
> And also wait for userspace to decide whether to authorize the
> syscall, right?  'report on' is very different.

I'm proposing this patch, which applies on top of previous

diff --git a/security/snet/Kconfig b/security/snet/Kconfig
index e1516a1..8ac7778 100644
--- a/security/snet/Kconfig
+++ b/security/snet/Kconfig
@@ -4,11 +4,11 @@
 
 config SECURITY_SNET
 	bool "snet - Security for NETwork syscalls"
-	depends on SECURITY_NETWORK && IPV6
+	depends on SECURITY_NETWORK
 	default n
 	---help---
-	  Provide a generic netlink that reports networking's syscalls
-	  to userspace
+	  If this option is enabled, the kernel will include support for reporting
+	  networking's syscalls to userspace and wait for a verdict
 
 config SECURITY_SNET_DEBUG
 	bool "snet debug messages"
-- 
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
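Review bot: the new help text in the follow-up hunk still leaves out the one thing a user must know before enabling an option that blocks syscalls pending a verdict: what happens when no userspace listener is registered, or when the listener never answers (fail open, fail closed, or a timeout). Please state that explicitly in the help text rather than only "wait for a verdict"; an admin who enables this without a daemon running needs to know whether their box stops networking or silently loses the enforcement. Minor points in the same hunk: "networking's syscalls" should read "networking syscalls", and `default n` is redundant for a bool symbol and can be dropped.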