1 # SPDX-License-Identifier: GPL-2.0-only <<
2 # 1 #
3 # Security configuration 2 # Security configuration
4 # 3 #
5 4
6 menu "Security options" 5 menu "Security options"
7 6
8 source "security/keys/Kconfig" <<
9 <<
10 config SECURITY_DMESG_RESTRICT <<
11 bool "Restrict unprivileged access to <<
12 default n <<
13 help <<
14 This enforces restrictions on unpriv <<
15 syslog via dmesg(8). <<
16 <<
17 If this option is not selected, no r <<
18 unless the dmesg_restrict sysctl is <<
19 <<
20 If you are unsure how to answer this <<
21 <<
22 choice <<
23 prompt "Allow /proc/pid/mem access ove <<
24 default PROC_MEM_ALWAYS_FORCE <<
25 help <<
26 Traditionally /proc/pid/mem allows u <<
27 permissions for users like ptrace, a <<
28 capability. <<
29 <<
30 This allows people to limit that - e <<
31 require actual active ptrace attachm <<
32 <<
33 Defaults to the traditional behavior <<
34 <<
35 config PROC_MEM_ALWAYS_FORCE <<
36 bool "Traditional /proc/pid/mem behavi <<
37 help <<
38 This allows /proc/pid/mem accesses t <<
39 permissions if you have ptrace acces <<
40 <<
41 config PROC_MEM_FORCE_PTRACE <<
42 bool "Require active ptrace() use for <<
43 help <<
44 This allows /proc/pid/mem accesses t <<
45 permissions for active ptracers like <<
46 <<
47 config PROC_MEM_NO_FORCE <<
48 bool "Never" <<
49 help <<
50 Never override memory mapping permis <<
51 <<
52 endchoice <<
53 <<
54 config SECURITY 7 config SECURITY
55 bool "Enable different security models 8 bool "Enable different security models"
56 depends on SYSFS <<
57 depends on MULTIUSER <<
58 help 9 help
59 This allows you to choose different 10 This allows you to choose different security modules to be
60 configured into your kernel. 11 configured into your kernel.
61 12
62 If this option is not selected, the 13 If this option is not selected, the default Linux security
63 model will be used. 14 model will be used.
64 15
65 If you are unsure how to answer this 16 If you are unsure how to answer this question, answer N.
66 17
67 config SECURITYFS <<
68 bool "Enable the securityfs filesystem <<
69 help <<
70 This will build the securityfs files <<
71 various security modules (AppArmor, <<
72 <<
73 If you are unsure how to answer this <<
74 <<
75 config SECURITY_NETWORK 18 config SECURITY_NETWORK
76 bool "Socket and Networking Security H 19 bool "Socket and Networking Security Hooks"
77 depends on SECURITY 20 depends on SECURITY
78 help 21 help
79 This enables the socket and networki 22 This enables the socket and networking security hooks.
80 If enabled, a security module can us 23 If enabled, a security module can use these hooks to
81 implement socket and networking acce 24 implement socket and networking access controls.
82 If you are unsure how to answer this 25 If you are unsure how to answer this question, answer N.
83 26
84 config SECURITY_INFINIBAND !! 27 config SECURITY_CAPABILITIES
85 bool "Infiniband Security Hooks" !! 28 tristate "Default Linux Capabilities"
86 depends on SECURITY && INFINIBAND !! 29 depends on SECURITY!=n
87 help 30 help
88 This enables the Infiniband security !! 31 This enables the "default" Linux capabilities functionality.
89 If enabled, a security module can us !! 32 If you are unsure how to answer this question, answer Y.
90 implement Infiniband access controls <<
91 If you are unsure how to answer this <<
92 33
93 config SECURITY_NETWORK_XFRM !! 34 config SECURITY_ROOTPLUG
94 bool "XFRM (IPSec) Networking Security !! 35 tristate "Root Plug Support"
95 depends on XFRM && SECURITY_NETWORK !! 36 depends on USB && SECURITY!=n
96 help 37 help
97 This enables the XFRM (IPSec) networ !! 38 This is a sample LSM module that should only be used as such.
98 If enabled, a security module can us !! 39 It prevents any programs running with egid == 0 if a specific
99 implement per-packet access controls !! 40 USB device is not present in the system.
100 derived from IPSec policy. Non-IPSe <<
101 designated as unlabelled, and only s <<
102 to communicate unlabelled data can s <<
103 IPSec. <<
104 If you are unsure how to answer this <<
105 41
106 config SECURITY_PATH !! 42 See <http://www.linuxjournal.com/article.php?sid=6279> for
107 bool "Security hooks for pathname base !! 43 more information about this module.
108 depends on SECURITY !! 44
109 help <<
110 This enables the security hooks for <<
111 If enabled, a security module can us <<
112 implement pathname based access cont <<
113 If you are unsure how to answer this 45 If you are unsure how to answer this question, answer N.
114 46
115 config INTEL_TXT !! 47 source security/selinux/Kconfig
116 bool "Enable Intel(R) Trusted Executio <<
117 depends on HAVE_INTEL_TXT <<
118 help <<
119 This option enables support for boot <<
120 Trusted Boot (tboot) module. This wi <<
121 Intel(R) Trusted Execution Technolog <<
122 of the kernel. If the system does no <<
123 will have no effect. <<
124 <<
125 Intel TXT will provide higher assura <<
126 initial state as well as data reset <<
127 create a robust initial kernel measu <<
128 helps to ensure that kernel security <<
129 correctly. This level of protection <<
130 of the kernel itself. <<
131 <<
132 Intel TXT also helps solve real end <<
133 confidence that their hardware is ru <<
134 it was configured with, especially s <<
135 providing such assurances to VMs and <<
136 <<
137 See <https://www.intel.com/technolog <<
138 about Intel(R) TXT. <<
139 See <http://tboot.sourceforge.net> f <<
140 See Documentation/arch/x86/intel_txt <<
141 Intel TXT support in a kernel boot. <<
142 <<
143 If you are unsure as to whether this <<
144 <<
145 config LSM_MMAP_MIN_ADDR <<
146 int "Low address space for LSM to prot <<
147 depends on SECURITY && SECURITY_SELINU <<
148 default 32768 if ARM || (ARM64 && COMP <<
149 default 65536 <<
150 help <<
151 This is the portion of low virtual m <<
152 from userspace allocation. Keeping <<
153 can help reduce the impact of kernel <<
154 <<
155 For most ia64, ppc64 and x86 users w <<
156 a value of 65536 is reasonable and s <<
157 On arm and other archs it should not <<
158 Programs which use vm86 functionalit <<
159 this low address space will need the <<
160 systems running LSM. <<
161 <<
162 config HARDENED_USERCOPY <<
163 bool "Harden memory copies between ker <<
164 imply STRICT_DEVMEM <<
165 help <<
166 This option checks for obviously wro <<
167 copying memory to/from the kernel (v <<
168 copy_from_user() functions) by rejec <<
169 are larger than the specified heap o <<
170 separately allocated pages, are not <<
171 or are part of the kernel text. This <<
172 of heap overflow exploits and simila <<
173 <<
174 config FORTIFY_SOURCE <<
175 bool "Harden common str/mem functions <<
176 depends on ARCH_HAS_FORTIFY_SOURCE <<
177 # https://github.com/llvm/llvm-project <<
178 depends on !CC_IS_CLANG || !X86_32 <<
179 help <<
180 Detect overflows of buffers in commo <<
181 where the compiler can determine and <<
182 <<
183 config STATIC_USERMODEHELPER <<
184 bool "Force all usermode helper calls <<
185 help <<
186 By default, the kernel can call many <<
187 binary programs through the "usermod <<
188 interface. Some of these binaries a <<
189 either in the kernel code itself, or <<
190 option. However, some of these are <<
191 runtime, or can be modified after th <<
192 To provide an additional layer of se <<
193 calls through a single executable th <<
194 changed. <<
195 <<
196 Note, it is up to this single binary <<
197 "real" usermode helper binary, based <<
198 passed to it. If desired, this prog <<
199 and choose what real programs are ca <<
200 <<
201 If you wish for all usermode helper <<
202 disabled, choose this option and the <<
203 STATIC_USERMODEHELPER_PATH to an emp <<
204 <<
205 config STATIC_USERMODEHELPER_PATH <<
206 string "Path to the static usermode he <<
207 depends on STATIC_USERMODEHELPER <<
208 default "/sbin/usermode-helper" <<
209 help <<
210 The binary called by the kernel when <<
211 program is wish to be run. The "rea <<
212 be in the first argument passed to t <<
213 line. <<
214 <<
215 If you wish for all usermode helper <<
216 specify an empty string here (i.e. " <<
217 <<
218 source "security/selinux/Kconfig" <<
219 source "security/smack/Kconfig" <<
220 source "security/tomoyo/Kconfig" <<
221 source "security/apparmor/Kconfig" <<
222 source "security/loadpin/Kconfig" <<
223 source "security/yama/Kconfig" <<
224 source "security/safesetid/Kconfig" <<
225 source "security/lockdown/Kconfig" <<
226 source "security/landlock/Kconfig" <<
227 <<
228 source "security/integrity/Kconfig" <<
229 <<
230 choice <<
231 prompt "First legacy 'major LSM' to be <<
232 default DEFAULT_SECURITY_SELINUX if SE <<
233 default DEFAULT_SECURITY_SMACK if SECU <<
234 default DEFAULT_SECURITY_TOMOYO if SEC <<
235 default DEFAULT_SECURITY_APPARMOR if S <<
236 default DEFAULT_SECURITY_DAC <<
237 <<
238 help <<
239 This choice is there only for conver <<
240 in old kernel configs to CONFIG_LSM <<
241 change this choice unless you are cr <<
242 for this choice will be ignored afte <<
243 <<
244 Selects the legacy "major security m <<
245 initialized first. Overridden by non <<
246 <<
247 config DEFAULT_SECURITY_SELINUX <<
248 bool "SELinux" if SECURITY_SEL <<
249 <<
250 config DEFAULT_SECURITY_SMACK <<
251 bool "Simplified Mandatory Acc <<
252 <<
253 config DEFAULT_SECURITY_TOMOYO <<
254 bool "TOMOYO" if SECURITY_TOMO <<
255 <<
256 config DEFAULT_SECURITY_APPARMOR <<
257 bool "AppArmor" if SECURITY_AP <<
258 <<
259 config DEFAULT_SECURITY_DAC <<
260 bool "Unix Discretionary Acces <<
261 <<
262 endchoice <<
263 <<
264 config LSM <<
265 string "Ordered list of enabled LSMs" <<
266 default "landlock,lockdown,yama,loadpi <<
267 default "landlock,lockdown,yama,loadpi <<
268 default "landlock,lockdown,yama,loadpi <<
269 default "landlock,lockdown,yama,loadpi <<
270 default "landlock,lockdown,yama,loadpi <<
271 help <<
272 A comma-separated list of LSMs, in i <<
273 Any LSMs left off this list, except <<
274 LSM_ORDER_FIRST and LSM_ORDER_LAST, <<
275 if selected in the kernel configurat <<
276 This can be controlled at boot with <<
277 <<
278 If unsure, leave this as the default <<
279 <<
280 source "security/Kconfig.hardening" <<
281 <<
282 source "security/ccsecurity/Kconfig" <<
283 48
284 endmenu 49 endmenu
285 50
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.