1 # SPDX-License-Identifier: GPL-2.0-only 2 # 3 # Security configuration 4 # 5 6 menu "Security options" 7 8 source "security/keys/Kconfig" 9 10 config SECURITY_DMESG_RESTRICT 11 bool "Restrict unprivileged access to 12 default n 13 help 14 This enforces restrictions on unpriv 15 syslog via dmesg(8). 16 17 If this option is not selected, no r 18 unless the dmesg_restrict sysctl is 19 20 If you are unsure how to answer this 21 22 choice 23 prompt "Allow /proc/pid/mem access ove 24 default PROC_MEM_ALWAYS_FORCE 25 help 26 Traditionally /proc/pid/mem allows u 27 permissions for users like ptrace, a 28 capability. 29 30 This allows people to limit that - e 31 require actual active ptrace attachm 32 33 Defaults to the traditional behavior 34 35 config PROC_MEM_ALWAYS_FORCE 36 bool "Traditional /proc/pid/mem behavi 37 help 38 This allows /proc/pid/mem accesses t 39 permissions if you have ptrace acces 40 41 config PROC_MEM_FORCE_PTRACE 42 bool "Require active ptrace() use for 43 help 44 This allows /proc/pid/mem accesses t 45 permissions for active ptracers like 46 47 config PROC_MEM_NO_FORCE 48 bool "Never" 49 help 50 Never override memory mapping permis 51 52 endchoice 53 54 config SECURITY 55 bool "Enable different security models 56 depends on SYSFS 57 depends on MULTIUSER 58 help 59 This allows you to choose different 60 configured into your kernel. 61 62 If this option is not selected, the 63 model will be used. 64 65 If you are unsure how to answer this 66 67 config SECURITYFS 68 bool "Enable the securityfs filesystem 69 help 70 This will build the securityfs files 71 various security modules (AppArmor, 72 73 If you are unsure how to answer this 74 75 config SECURITY_NETWORK 76 bool "Socket and Networking Security H 77 depends on SECURITY 78 help 79 This enables the socket and networki 80 If enabled, a security module can us 81 implement socket and networking acce 82 If you are unsure how to answer this 83 84 config SECURITY_INFINIBAND 85 bool "Infiniband Security Hooks" 86 depends on SECURITY && INFINIBAND 87 help 88 This enables the Infiniband security 89 If enabled, a security module can us 90 implement Infiniband access controls 91 If you are unsure how to answer this 92 93 config SECURITY_NETWORK_XFRM 94 bool "XFRM (IPSec) Networking Security 95 depends on XFRM && SECURITY_NETWORK 96 help 97 This enables the XFRM (IPSec) networ 98 If enabled, a security module can us 99 implement per-packet access controls 100 derived from IPSec policy. Non-IPSe 101 designated as unlabelled, and only s 102 to communicate unlabelled data can s 103 IPSec. 104 If you are unsure how to answer this 105 106 config SECURITY_PATH 107 bool "Security hooks for pathname base 108 depends on SECURITY 109 help 110 This enables the security hooks for 111 If enabled, a security module can us 112 implement pathname based access cont 113 If you are unsure how to answer this 114 115 config INTEL_TXT 116 bool "Enable Intel(R) Trusted Executio 117 depends on HAVE_INTEL_TXT 118 help 119 This option enables support for boot 120 Trusted Boot (tboot) module. This wi 121 Intel(R) Trusted Execution Technolog 122 of the kernel. If the system does no 123 will have no effect. 124 125 Intel TXT will provide higher assura 126 initial state as well as data reset 127 create a robust initial kernel measu 128 helps to ensure that kernel security 129 correctly. This level of protection 130 of the kernel itself. 131 132 Intel TXT also helps solve real end 133 confidence that their hardware is ru 134 it was configured with, especially s 135 providing such assurances to VMs and 136 137 See <https://www.intel.com/technolog 138 about Intel(R) TXT. 139 See <http://tboot.sourceforge.net> f 140 See Documentation/arch/x86/intel_txt 141 Intel TXT support in a kernel boot. 142 143 If you are unsure as to whether this 144 145 config LSM_MMAP_MIN_ADDR 146 int "Low address space for LSM to prot 147 depends on SECURITY && SECURITY_SELINU 148 default 32768 if ARM || (ARM64 && COMP 149 default 65536 150 help 151 This is the portion of low virtual m 152 from userspace allocation. Keeping 153 can help reduce the impact of kernel 154 155 For most ia64, ppc64 and x86 users w 156 a value of 65536 is reasonable and s 157 On arm and other archs it should not 158 Programs which use vm86 functionalit 159 this low address space will need the 160 systems running LSM. 161 162 config HARDENED_USERCOPY 163 bool "Harden memory copies between ker 164 imply STRICT_DEVMEM 165 help 166 This option checks for obviously wro 167 copying memory to/from the kernel (v 168 copy_from_user() functions) by rejec 169 are larger than the specified heap o 170 separately allocated pages, are not 171 or are part of the kernel text. This 172 of heap overflow exploits and simila 173 174 config FORTIFY_SOURCE 175 bool "Harden common str/mem functions 176 depends on ARCH_HAS_FORTIFY_SOURCE 177 # https://github.com/llvm/llvm-project 178 depends on !CC_IS_CLANG || !X86_32 179 help 180 Detect overflows of buffers in commo 181 where the compiler can determine and 182 183 config STATIC_USERMODEHELPER 184 bool "Force all usermode helper calls 185 help 186 By default, the kernel can call many 187 binary programs through the "usermod 188 interface. Some of these binaries a 189 either in the kernel code itself, or 190 option. However, some of these are 191 runtime, or can be modified after th 192 To provide an additional layer of se 193 calls through a single executable th 194 changed. 195 196 Note, it is up to this single binary 197 "real" usermode helper binary, based 198 passed to it. If desired, this prog 199 and choose what real programs are ca 200 201 If you wish for all usermode helper 202 disabled, choose this option and the 203 STATIC_USERMODEHELPER_PATH to an emp 204 205 config STATIC_USERMODEHELPER_PATH 206 string "Path to the static usermode he 207 depends on STATIC_USERMODEHELPER 208 default "/sbin/usermode-helper" 209 help 210 The binary called by the kernel when 211 program is wish to be run. The "rea 212 be in the first argument passed to t 213 line. 214 215 If you wish for all usermode helper 216 specify an empty string here (i.e. " 217 218 source "security/selinux/Kconfig" 219 source "security/smack/Kconfig" 220 source "security/tomoyo/Kconfig" 221 source "security/apparmor/Kconfig" 222 source "security/loadpin/Kconfig" 223 source "security/yama/Kconfig" 224 source "security/safesetid/Kconfig" 225 source "security/lockdown/Kconfig" 226 source "security/landlock/Kconfig" 227 source "security/ipe/Kconfig" 228 229 source "security/integrity/Kconfig" 230 231 choice 232 prompt "First legacy 'major LSM' to be 233 default DEFAULT_SECURITY_SELINUX if SE 234 default DEFAULT_SECURITY_SMACK if SECU 235 default DEFAULT_SECURITY_TOMOYO if SEC 236 default DEFAULT_SECURITY_APPARMOR if S 237 default DEFAULT_SECURITY_DAC 238 239 help 240 This choice is there only for conver 241 in old kernel configs to CONFIG_LSM 242 change this choice unless you are cr 243 for this choice will be ignored afte 244 245 Selects the legacy "major security m 246 initialized first. Overridden by non 247 248 config DEFAULT_SECURITY_SELINUX 249 bool "SELinux" if SECURITY_SEL 250 251 config DEFAULT_SECURITY_SMACK 252 bool "Simplified Mandatory Acc 253 254 config DEFAULT_SECURITY_TOMOYO 255 bool "TOMOYO" if SECURITY_TOMO 256 257 config DEFAULT_SECURITY_APPARMOR 258 bool "AppArmor" if SECURITY_AP 259 260 config DEFAULT_SECURITY_DAC 261 bool "Unix Discretionary Acces 262 263 endchoice 264 265 config LSM 266 string "Ordered list of enabled LSMs" 267 default "landlock,lockdown,yama,loadpi 268 default "landlock,lockdown,yama,loadpi 269 default "landlock,lockdown,yama,loadpi 270 default "landlock,lockdown,yama,loadpi 271 default "landlock,lockdown,yama,loadpi 272 help 273 A comma-separated list of LSMs, in i 274 Any LSMs left off this list, except 275 LSM_ORDER_FIRST and LSM_ORDER_LAST, 276 if selected in the kernel configurat 277 This can be controlled at boot with 278 279 If unsure, leave this as the default 280 281 source "security/Kconfig.hardening" 282 283 source "security/ccsecurity/Kconfig" 284 285 endmenu 286
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.