config SECURITY_KYSEC
        bool "Kylin security enhanced plug-ins"
        depends on SECURITY && SECURITYFS && AUDITSYSCALL
        default y
        help
          Add kylin security enhanced plug-ins .It will add
          execute control and data protect .

config SECURITY_KYSEC_STATUS_BOOTPARAM
        bool "Kylin Security boot parameter"
        depends on SECURITY_KYSEC
        default n
        help
          This option adds a kernel parameter 'kysec_status', which allows to change KySec
          status at boot.  If this option is selected, KySec
          status can be changed with kysec_status= on the kernel
          command line.  The purpose of this option is to allow a single
          kernel image to be distributed with KySec built in, but not
          necessarily enabled.

          If you are unsure how to answer this question, answer N.

config SECURITY_KYSEC_STATUS_DEFAULT
        int "Kylin Security default status"
        depends on SECURITY_KYSEC
        range 0 4
        default 2
        help
          This option sets the default value for the KySec status.
          2 means 'enforcing' or 'normal', untrusted files can not
          be executed. 4 means 'softmode', untrusted files are allowed
          to execute but the execution will be logged. 0 means
          'disabled'

          If you are unsure how to answer this question, answer 2.

config SECURITY_KYSEC_AUTHENTICATION
        bool "Enable Kylin Security Authentication function"
        depends on SECURITY_KYSEC
        default n
        help
          This option enable kysec authentication function.

          If you are unsure how to answer this question, answer n.

config SECURITY_KYSEC_AUTH_PATH
        string "Path of authentication program"
        depends on SECURITY_KYSEC_AUTHENTICATION
        default "/sbin/kysec_auth"
        help
          This is the default pathname of authentication program which
          is called when the illegal programs are accessed.

config SECURITY_KYFILE_PROTECT
        bool "Enable File protect support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable protection for file. If it is enabled,
          you can set specified file to be readonly, which means that nobody can
          modify, rename or delete it.

          If you are unsure how to answer this question, answer n.

config SECURITY_KYEXEC_CONTROL
        bool "Enable File execute control support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable control for file execution and dynamic
          libraries loading. Both binary files and scripts are with in the range of
          control. if it is enabled, only trusted files are allowed to be executed
          and trusted libraries are allowed to be loaded.

          If you are unsure how to answer this question, answer n.

config SECURITY_USB_EXECTL
        bool "Deny the execution of files on usb disks"
        depends on SECURITY_KYEXEC_CONTROL
        default n
        help
          This option denies the execution of files on usb block devices. If enabled,
		  the execution of files on usb block devices will be denied when kysec is in
		  enforce mode.

          If you are unsure how to answer this question, answer N.

config SECURITY_KYMOD_PROTECT
        bool "Enable Kernel module protect support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable protection for both kernel module loading
          and unloading. If it is enabled, only trusted modules can be loaded into kernel,
          and specified modules can not be unloaded.

          If you are unsure how to answer this question, answer n.

config SECURITY_3ADMIN
        bool "Enable Three admins separation support"
        depends on SECURITY_KYSEC
        default n
        help
          This option sets whether to enable separation for three admins.
          If it is enabled, there will be three admins as three users to
          replace root, otherwise, there are only root as admin.

          If you are unsure how to answer this question, answer n.

config SECURITY_3ADMIN_STATE_DEFAULT
        int "Default state of three admins separation"
        depends on SECURITY_3ADMIN
        range 0 1
        default 0
        help
          This option sets the default value for the 3adm status.
          1 means 'enabled', privileges will be distributed to secadm, root
          and auditadm. 0 means 'disabled', root is system administrator.

          If you are unsure how to answer this question, answer 2.

config SECURITY_KYSEC_DEBUG
        int "Kylin Security debug info"
        depends on SECURITY_KYSEC
        range 0 1
        default 0
        help
          This option sets whether to enbale the debug info.
