config SECURITY_KYSEC
        bool "Kylin security enhanced plug-ins"
        depends on SECURITY && SECURITYFS && AUDITSYSCALL
        default y
        help
          Add the Kylin security enhanced plug-ins. They add
          execution control and data protection.

config SECURITY_KYSEC_STATUS_BOOTPARAM
        bool "Kylin Security boot parameter"
        depends on SECURITY_KYSEC
        default n
        help
          This option adds a kernel parameter 'kysec_status', which allows the
          KySec status to be changed at boot.  If this option is selected, KySec
          status can be changed with kysec_status= on the kernel
          command line.  The purpose of this option is to allow a single
          kernel image to be distributed with KySec built in, but not
          necessarily enabled.  Note that anyone who can edit the kernel
          command line can then change the KySec status at boot.

          If you are unsure how to answer this question, answer N.

config SECURITY_KYSEC_STATUS_DEFAULT
        int "Kylin Security default status"
        depends on SECURITY_KYSEC
        range 0 4
        default 2
        help
          This option sets the default value for the KySec status.
          2 means 'enforcing' or 'normal': untrusted files cannot
          be executed. 4 means 'softmode': untrusted files are allowed
          to execute but the execution will be logged. 0 means
          'disabled'. The range also accepts 1 and 3, whose meaning
          is not described here.

          If you are unsure how to answer this question, answer 2.

config SECURITY_KYSEC_AUTHENTICATION
        bool "Enable Kylin Security Authentication function"
        depends on SECURITY_KYSEC
        default n
        help
          This option enables the KySec authentication function.

          If you are unsure how to answer this question, answer n.

config SECURITY_KYSEC_AUTH_PATH
        string "Path of authentication program"
        depends on SECURITY_KYSEC_AUTHENTICATION
        default "/sbin/kysec_auth"
        help
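          This is the default pathname of the authentication program, which
          is called when illegal programs are accessed. Because KySec
          calls this program, the file at this path should be writable
          only by trusted administrators.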

config SECURITY_KYFILE_PROTECT
        bool "Enable File protect support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable protection for files. If it is enabled,
          you can mark specified files as read-only, which means that nobody can
          modify, rename or delete them.

          If you are unsure how to answer this question, answer n.

config SECURITY_KYEXEC_CONTROL
        bool "Enable File execute control support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable control of file execution and dynamic
          library loading. Both binary files and scripts are within the scope of
          control. If it is enabled, only trusted files are allowed to be executed
          and only trusted libraries are allowed to be loaded.

          If you are unsure how to answer this question, answer n.

config SECURITY_KYEXEC_STATUS_DEFAULT
        int "Default status of file execute control"
        depends on SECURITY_KYEXEC_CONTROL
        range 0 2
        default 1
        help
          This option sets the default value for the file exectl status.
          1 means 'denied': untrusted files cannot be executed.
          2 means 'warning': executing untrusted files requires authentication.
          0 means 'disabled': file execution control is turned off.

          If you are unsure how to answer this question, answer 1.

config SECURITY_USB_EXECTL
        bool "Deny the execution of files on usb disks"
        depends on SECURITY_KYEXEC_CONTROL
        default n
        help
          This option denies the execution of files on USB block devices.
          If enabled, the execution of files on USB block devices will
          be denied when KySec is in enforcing mode.

          If you are unsure how to answer this question, answer N.

config SECURITY_KYMOD_PROTECT
        bool "Enable Kernel module protect support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable protection for both kernel module loading
          and unloading. If it is enabled, only trusted modules can be loaded into the
          kernel, and specified modules cannot be unloaded.

          If you are unsure how to answer this question, answer n.

config SECURITY_3ADMIN
        bool "Enable Three admins separation support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable separation of three admins.
          If it is enabled, three admins, as three separate users, replace
          root; otherwise, root is the only admin.

          If you are unsure how to answer this question, answer n.

config SECURITY_3ADMIN_STATE_DEFAULT
        int "Default state of three admins separation"
        depends on SECURITY_3ADMIN
        range 0 1
        default 0
        help
          This option sets the default value for the 3adm status.
          1 means 'enabled': privileges will be distributed to secadm, root
          and auditadm. 0 means 'disabled': root is the system administrator.

          If you are unsure how to answer this question, answer 0.

config SECURITY_KYSEC_NETWORK_CONTROL
        bool "Enable program network control support"
        depends on SECURITY_KYSEC && SECURITY_NETWORK && PROC_FS
        default n
        help
          This option sets whether to enable program network control.
          If it is enabled, network access by all programs is controlled;
          otherwise, network access by programs is not controlled.

          If you are unsure how to answer this question, answer n.

config SECURITY_NETCTL_STATUS_DEFAULT
        int "Default status of program network control"
        depends on SECURITY_KYSEC_NETWORK_CONTROL
        range 0 2
        default 1
        help
          This option sets the default value for program network control.
          0 means 'disabled': program network control is turned off.
          1 means 'denied': untrusted programs are denied connections to
          the network. 2 means 'warning': untrusted programs must
          authenticate before connecting to the network.

          If you are unsure how to answer this question, answer 1.

config SECURITY_KYSEC_PROCESS_PROTECT
        bool "Enable process protection support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable process protection.
          If it is enabled, all processes in the protect-list are protected;
          otherwise, processes are not protected and can be killed.

          If you are unsure how to answer this question, answer n.

config SECURITY_KYSEC_PPRO_MONITOR_PATH
        string "Path of monitor program"
        depends on SECURITY_KYSEC_PROCESS_PROTECT
        default "/usr/sbin/kysec_monitor"
        help
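          This is the default pathname of the monitor program, which
          is called when a process's exit status changes. Because KySec
          calls this program, the file at this path should be writable
          only by trusted administrators.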

config SECURITY_PPRO_STATUS_DEFAULT
        int "Default status of process protection"
        depends on SECURITY_KYSEC_PROCESS_PROTECT
        range 0 1
        default 1
        help
          This option sets the default value for process protection.
          0 means 'disabled': process protection is turned off.
          1 means 'enabled': process protection is turned on.

          If you are unsure how to answer this question, answer 1.

config SECURITY_KYSEC_DEBUG
        int "Kylin Security debug info"
        depends on SECURITY_KYSEC
        range 0 1
        default 0
        help
          This option sets whether to enable the debug info.
