config SECURITY_CHROMIUMOS
	bool "Chromium OS Security Module"
	depends on SECURITY
	help
	  The purpose of the Chromium OS security module is to reduce attacking
	  surface by preventing access to general purpose access modes not
	  required by Chromium OS. Currently: the mount operation is
	  restricted by requiring a mount point path without symbolic links,
	  and loading modules is limited to only the root filesystem. This
	  LSM is stacked ahead of any primary "full" LSM.

config SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT
	bool "Chromium OS Security: prohibit mount to symlinked target"
	depends on SECURITY_CHROMIUMOS
	default y
	help
	  When enabled mount() syscall will return ELOOP whenever target path
	  contains any symlinks.

config SECURITY_CHROMIUMOS_DEVICE_JAIL
	bool "Chromium OS Security: device jail sandbox"
	depends on USB=y
	default y
	help
	  When enabled, the kernel device_jail interface will be enabled,
	  allowing further sandboxing of USB devices.

config ALT_SYSCALL_CHROMIUMOS
	tristate "Chromium OS Alt-Syscall Tables"
	depends on ALT_SYSCALL
	help
	  Register restricted, alternate syscall tables used by Chromium OS
	  using the alt-syscall infrastructure.  Alternate syscall tables
	  can be selected with prctl(PR_ALT_SYSCALL).
