# SPDX-License-Identifier: GPL-2.0-only
# Blame: all lines from commit 90945448 (Mickaël Salaün), except
# "depends on SECURITY" from commit 74ce793b (Mickaël Salaün).

config SECURITY_LANDLOCK
	bool "Landlock support"
	depends on SECURITY
	select SECURITY_PATH
	help
	  Landlock is a sandboxing mechanism that enables processes to restrict
	  themselves (and their future children) by gradually enforcing
	  tailored access control policies.  A Landlock security policy is a
	  set of access rights (e.g. open a file read-only, make a
	  directory, etc.) tied to a file hierarchy.  Such a policy can be
	  configured and enforced by any process for itself using the
	  dedicated system calls: landlock_create_ruleset(),
	  landlock_add_rule(), and landlock_restrict_self().

	  See Documentation/userspace-api/landlock.rst for further information.

	  If you are unsure how to answer this question, answer N.  Otherwise,
	  you should also prepend "landlock," to the content of CONFIG_LSM to
	  enable Landlock at boot time.
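
The help text says Landlock needs two things: the option built in (with its SECURITY dependency) and "landlock," present in CONFIG_LSM. The shell script below is an added example, not part of the kernel tree, that audits a kernel .config for both and prints the CONFIG_LSM value with "landlock," prepended; the function names and the sample .config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the kernel tree): audit a kernel .config for Landlock.
# All function names are hypothetical; the sample .config below is constructed.

# cfg_get FILE SYMBOL: print the value of CONFIG_<SYMBOL>, quotes stripped.
cfg_get() {
    sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# lsm_has_landlock LIST: succeed if "landlock" is a whole comma-separated entry.
lsm_has_landlock() {
    case ",$1," in
        *,landlock,*) return 0 ;;
        *) return 1 ;;
    esac
}

# lsm_prepend_landlock LIST: print LIST with "landlock," prepended if missing.
lsm_prepend_landlock() {
    if lsm_has_landlock "$1"; then printf '%s\n' "$1"
    elif [ -z "$1" ]; then printf 'landlock\n'
    else printf 'landlock,%s\n' "$1"
    fi
}

# audit_landlock FILE: print a status word; succeed only when Landlock is
# built in and listed in CONFIG_LSM.
audit_landlock() {
    [ "$(cfg_get "$1" SECURITY)" = y ] || { echo no-security; return 1; }
    [ "$(cfg_get "$1" SECURITY_LANDLOCK)" = y ] || { echo not-built; return 1; }
    lsm_has_landlock "$(cfg_get "$1" LSM)" || { echo built-not-enabled; return 1; }
    echo enabled
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="lockdown,yama,integrity,apparmor"
EOF

status=$(audit_landlock "$sample") || true
echo "status: $status"
echo "CONFIG_LSM=\"$(lsm_prepend_landlock "$(cfg_get "$sample" LSM)")\""
```

The constructed sample has Landlock built but absent from CONFIG_LSM, which is the state the last paragraph of the help text addresses.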