
TOMOYO Linux Cross Reference
Linux/security/Kconfig



Differences between /security/Kconfig (Version linux-6.12-rc7) and /security/Kconfig (Version linux-2.6.0)


  1 # SPDX-License-Identifier: GPL-2.0-only        << 
  2 #                                                   1 #
  3 # Security configuration                            2 # Security configuration
  4 #                                                   3 #
  5                                                     4 
  6 menu "Security options"                             5 menu "Security options"
  7                                                     6 
  8 source "security/keys/Kconfig"                 << 
  9                                                << 
 10 config SECURITY_DMESG_RESTRICT                 << 
 11         bool "Restrict unprivileged access to  << 
 12         default n                              << 
 13         help                                   << 
 14           This enforces restrictions on unpriv << 
 15           syslog via dmesg(8).                 << 
 16                                                << 
 17           If this option is not selected, no r << 
 18           unless the dmesg_restrict sysctl is  << 
 19                                                << 
 20           If you are unsure how to answer this << 
 21                                                << 
 22 choice                                         << 
 23         prompt "Allow /proc/pid/mem access ove << 
 24         default PROC_MEM_ALWAYS_FORCE          << 
 25         help                                   << 
 26           Traditionally /proc/pid/mem allows u << 
 27           permissions for users like ptrace, a << 
 28           capability.                          << 
 29                                                << 
 30           This allows people to limit that - e << 
 31           require actual active ptrace attachm << 
 32                                                << 
 33           Defaults to the traditional behavior << 
 34                                                << 
 35 config PROC_MEM_ALWAYS_FORCE                   << 
 36         bool "Traditional /proc/pid/mem behavi << 
 37         help                                   << 
 38           This allows /proc/pid/mem accesses t << 
 39           permissions if you have ptrace acces << 
 40                                                << 
 41 config PROC_MEM_FORCE_PTRACE                   << 
 42         bool "Require active ptrace() use for  << 
 43         help                                   << 
 44           This allows /proc/pid/mem accesses t << 
 45           permissions for active ptracers like << 
 46                                                << 
 47 config PROC_MEM_NO_FORCE                       << 
 48         bool "Never"                           << 
 49         help                                   << 
 50           Never override memory mapping permis << 
 51                                                << 
 52 endchoice                                      << 
 53                                                << 
 54 config SECURITY                                     7 config SECURITY
 55         bool "Enable different security models      8         bool "Enable different security models"
 56         depends on SYSFS                       << 
 57         depends on MULTIUSER                   << 
 58         help                                        9         help
 59           This allows you to choose different      10           This allows you to choose different security modules to be
 60           configured into your kernel.             11           configured into your kernel.
 61                                                    12 
 62           If this option is not selected, the      13           If this option is not selected, the default Linux security
 63           model will be used.                      14           model will be used.
 64                                                    15 
 65           If you are unsure how to answer this     16           If you are unsure how to answer this question, answer N.
 66                                                    17 
 67 config SECURITYFS                              << 
 68         bool "Enable the securityfs filesystem << 
 69         help                                   << 
 70           This will build the securityfs files << 
 71           various security modules (AppArmor,  << 
 72                                                << 
 73           If you are unsure how to answer this << 
 74                                                << 
 75 config SECURITY_NETWORK                            18 config SECURITY_NETWORK
 76         bool "Socket and Networking Security H     19         bool "Socket and Networking Security Hooks"
 77         depends on SECURITY                        20         depends on SECURITY
 78         help                                       21         help
 79           This enables the socket and networki     22           This enables the socket and networking security hooks.
 80           If enabled, a security module can us     23           If enabled, a security module can use these hooks to
 81           implement socket and networking acce     24           implement socket and networking access controls.
 82           If you are unsure how to answer this     25           If you are unsure how to answer this question, answer N.
 83                                                    26 
 84 config SECURITY_INFINIBAND                     !!  27 config SECURITY_CAPABILITIES
 85         bool "Infiniband Security Hooks"       !!  28         tristate "Default Linux Capabilities"
 86         depends on SECURITY && INFINIBAND      !!  29         depends on SECURITY!=n
 87         help                                       30         help
 88           This enables the Infiniband security !!  31           This enables the "default" Linux capabilities functionality.
 89           If enabled, a security module can us !!  32           If you are unsure how to answer this question, answer Y.
 90           implement Infiniband access controls << 
 91           If you are unsure how to answer this << 
 92                                                    33 
 93 config SECURITY_NETWORK_XFRM                   !!  34 config SECURITY_ROOTPLUG
 94         bool "XFRM (IPSec) Networking Security !!  35         tristate "Root Plug Support"
 95         depends on XFRM && SECURITY_NETWORK    !!  36         depends on USB && SECURITY!=n
 96         help                                       37         help
 97           This enables the XFRM (IPSec) networ !!  38           This is a sample LSM module that should only be used as such.
 98           If enabled, a security module can us !!  39           It prevents any programs running with egid == 0 if a specific
 99           implement per-packet access controls !!  40           USB device is not present in the system.
100           derived from IPSec policy.  Non-IPSe << 
101           designated as unlabelled, and only s << 
102           to communicate unlabelled data can s << 
103           IPSec.                               << 
104           If you are unsure how to answer this << 
105                                                    41 
106 config SECURITY_PATH                           !!  42           See <http://www.linuxjournal.com/article.php?sid=6279> for
107         bool "Security hooks for pathname base !!  43           more information about this module.
108         depends on SECURITY                    !!  44           
109         help                                   << 
110           This enables the security hooks for  << 
111           If enabled, a security module can us << 
112           implement pathname based access cont << 
113           If you are unsure how to answer this     45           If you are unsure how to answer this question, answer N.
114                                                    46 
115 config INTEL_TXT                               !!  47 source security/selinux/Kconfig
116         bool "Enable Intel(R) Trusted Executio << 
117         depends on HAVE_INTEL_TXT              << 
118         help                                   << 
119           This option enables support for boot << 
120           Trusted Boot (tboot) module. This wi << 
121           Intel(R) Trusted Execution Technolog << 
122           of the kernel. If the system does no << 
123           will have no effect.                 << 
124                                                << 
125           Intel TXT will provide higher assura << 
126           initial state as well as data reset  << 
127           create a robust initial kernel measu << 
128           helps to ensure that kernel security << 
129           correctly. This level of protection  << 
130           of the kernel itself.                << 
131                                                << 
132           Intel TXT also helps solve real end  << 
133           confidence that their hardware is ru << 
134           it was configured with, especially s << 
135           providing such assurances to VMs and << 
136                                                << 
137           See <https://www.intel.com/technolog << 
138           about Intel(R) TXT.                  << 
139           See <http://tboot.sourceforge.net> f << 
140           See Documentation/arch/x86/intel_txt << 
141           Intel TXT support in a kernel boot.  << 
142                                                << 
143           If you are unsure as to whether this << 
144                                                << 
145 config LSM_MMAP_MIN_ADDR                       << 
146         int "Low address space for LSM to prot << 
147         depends on SECURITY && SECURITY_SELINU << 
148         default 32768 if ARM || (ARM64 && COMP << 
149         default 65536                          << 
150         help                                   << 
151           This is the portion of low virtual m << 
152           from userspace allocation.  Keeping  << 
153           can help reduce the impact of kernel << 
154                                                << 
155           For most ia64, ppc64 and x86 users w << 
156           a value of 65536 is reasonable and s << 
157           On arm and other archs it should not << 
158           Programs which use vm86 functionalit << 
159           this low address space will need the << 
160           systems running LSM.                 << 
161                                                << 
162 config HARDENED_USERCOPY                       << 
163         bool "Harden memory copies between ker << 
164         imply STRICT_DEVMEM                    << 
165         help                                   << 
166           This option checks for obviously wro << 
167           copying memory to/from the kernel (v << 
168           copy_from_user() functions) by rejec << 
169           are larger than the specified heap o << 
170           separately allocated pages, are not  << 
171           or are part of the kernel text. This << 
172           of heap overflow exploits and simila << 
173                                                << 
174 config FORTIFY_SOURCE                          << 
175         bool "Harden common str/mem functions  << 
176         depends on ARCH_HAS_FORTIFY_SOURCE     << 
177         # https://github.com/llvm/llvm-project << 
178         depends on !CC_IS_CLANG || !X86_32     << 
179         help                                   << 
180           Detect overflows of buffers in commo << 
181           where the compiler can determine and << 
182                                                << 
183 config STATIC_USERMODEHELPER                   << 
184         bool "Force all usermode helper calls  << 
185         help                                   << 
186           By default, the kernel can call many << 
187           binary programs through the "usermod << 
188           interface.  Some of these binaries a << 
189           either in the kernel code itself, or << 
190           option.  However, some of these are  << 
191           runtime, or can be modified after th << 
192           To provide an additional layer of se << 
193           calls through a single executable th << 
194           changed.                             << 
195                                                << 
196           Note, it is up to this single binary << 
197           "real" usermode helper binary, based << 
198           passed to it.  If desired, this prog << 
199           and choose what real programs are ca << 
200                                                << 
201           If you wish for all usermode helper  << 
202           disabled, choose this option and the << 
203           STATIC_USERMODEHELPER_PATH to an emp << 
204                                                << 
205 config STATIC_USERMODEHELPER_PATH              << 
206         string "Path to the static usermode he << 
207         depends on STATIC_USERMODEHELPER       << 
208         default "/sbin/usermode-helper"        << 
209         help                                   << 
210           The binary called by the kernel when << 
211           program is wish to be run.  The "rea << 
212           be in the first argument passed to t << 
213           line.                                << 
214                                                << 
215           If you wish for all usermode helper  << 
216           specify an empty string here (i.e. " << 
217                                                << 
218 source "security/selinux/Kconfig"              << 
219 source "security/smack/Kconfig"                << 
220 source "security/tomoyo/Kconfig"               << 
221 source "security/apparmor/Kconfig"             << 
222 source "security/loadpin/Kconfig"              << 
223 source "security/yama/Kconfig"                 << 
224 source "security/safesetid/Kconfig"            << 
225 source "security/lockdown/Kconfig"             << 
226 source "security/landlock/Kconfig"             << 
227 source "security/ipe/Kconfig"                  << 
228                                                << 
229 source "security/integrity/Kconfig"            << 
230                                                << 
231 choice                                         << 
232         prompt "First legacy 'major LSM' to be << 
233         default DEFAULT_SECURITY_SELINUX if SE << 
234         default DEFAULT_SECURITY_SMACK if SECU << 
235         default DEFAULT_SECURITY_TOMOYO if SEC << 
236         default DEFAULT_SECURITY_APPARMOR if S << 
237         default DEFAULT_SECURITY_DAC           << 
238                                                << 
239         help                                   << 
240           This choice is there only for conver << 
241           in old kernel configs to CONFIG_LSM  << 
242           change this choice unless you are cr << 
243           for this choice will be ignored afte << 
244                                                << 
245           Selects the legacy "major security m << 
246           initialized first. Overridden by non << 
247                                                << 
248         config DEFAULT_SECURITY_SELINUX        << 
249                 bool "SELinux" if SECURITY_SEL << 
250                                                << 
251         config DEFAULT_SECURITY_SMACK          << 
252                 bool "Simplified Mandatory Acc << 
253                                                << 
254         config DEFAULT_SECURITY_TOMOYO         << 
255                 bool "TOMOYO" if SECURITY_TOMO << 
256                                                << 
257         config DEFAULT_SECURITY_APPARMOR       << 
258                 bool "AppArmor" if SECURITY_AP << 
259                                                << 
260         config DEFAULT_SECURITY_DAC            << 
261                 bool "Unix Discretionary Acces << 
262                                                << 
263 endchoice                                      << 
264                                                << 
265 config LSM                                     << 
266         string "Ordered list of enabled LSMs"  << 
267         default "landlock,lockdown,yama,loadpi << 
268         default "landlock,lockdown,yama,loadpi << 
269         default "landlock,lockdown,yama,loadpi << 
270         default "landlock,lockdown,yama,loadpi << 
271         default "landlock,lockdown,yama,loadpi << 
272         help                                   << 
273           A comma-separated list of LSMs, in i << 
274           Any LSMs left off this list, except  << 
275           LSM_ORDER_FIRST and LSM_ORDER_LAST,  << 
276           if selected in the kernel configurat << 
277           This can be controlled at boot with  << 
278                                                << 
279           If unsure, leave this as the default << 
280                                                << 
281 source "security/Kconfig.hardening"            << 
282                                                << 
283 source "security/ccsecurity/Kconfig"           << 
284                                                    48 
285 endmenu                                            49 endmenu
286                                                    50 
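Review bot: The `/proc/pid/mem` choice is declared with `default PROC_MEM_ALWAYS_FORCE`, so a configuration that never visits this option keeps the behaviour in which /proc/pid/mem accesses override memory mapping permissions; `SECURITY_DMESG_RESTRICT` is likewise `default n`. The help text is truncated in this side-by-side rendering, so I cannot confirm whether it already says which entry a hardened build should pick. If it does not, I would add a sentence to the choice's help along the lines of `Hardened configurations that do not rely on the override should select PROC_MEM_FORCE_PTRACE or PROC_MEM_NO_FORCE.` Separately, the `STATIC_USERMODEHELPER_PATH` help contains `program is wish to be run`, which reads as a typo for `program is wished to be run`.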
                                                      
