1 # SPDX-License-Identifier: GPL-2.0-only <<
2 # 1 #
3 # Security configuration 2 # Security configuration
4 # 3 #
5 4
6 menu "Security options" 5 menu "Security options"
7 6
8 source "security/keys/Kconfig" !! 7 config KEYS
9 !! 8 bool "Enable access key retention support"
10 config SECURITY_DMESG_RESTRICT <<
11 bool "Restrict unprivileged access to <<
12 default n <<
13 help <<
14 This enforces restrictions on unpriv <<
15 syslog via dmesg(8). <<
16 <<
17 If this option is not selected, no r <<
18 unless the dmesg_restrict sysctl is <<
19 <<
20 If you are unsure how to answer this <<
21 <<
22 choice <<
23 prompt "Allow /proc/pid/mem access ove <<
24 default PROC_MEM_ALWAYS_FORCE <<
25 help 9 help
26 Traditionally /proc/pid/mem allows u !! 10 This option provides support for retaining authentication tokens and
27 permissions for users like ptrace, a !! 11 access keys in the kernel.
28 capability. <<
29 12
30 This allows people to limit that - e !! 13 It also includes provision of methods by which such keys might be
31 require actual active ptrace attachm !! 14 associated with a process so that network filesystems, encryption
>> 15 support and the like can find them.
>> 16
>> 17 Furthermore, a special type of key is available that acts as keyring:
>> 18 a searchable sequence of keys. Each process is equipped with access
>> 19 to five standard keyrings: UID-specific, GID-specific, session,
>> 20 process and thread.
32 21
33 Defaults to the traditional behavior !! 22 If you are unsure as to whether this is required, answer N.
34 23
35 config PROC_MEM_ALWAYS_FORCE !! 24 config KEYS_DEBUG_PROC_KEYS
36 bool "Traditional /proc/pid/mem behavi !! 25 bool "Enable the /proc/keys file by which keys may be viewed"
37 help !! 26 depends on KEYS
38 This allows /proc/pid/mem accesses t !! 27 help
39 permissions if you have ptrace acces !! 28 This option turns on support for the /proc/keys file - through which
>> 29 can be listed all the keys on the system that are viewable by the
>> 30 reading process.
>> 31
>> 32 The only keys included in the list are those that grant View
>> 33 permission to the reading process whether or not it possesses them.
>> 34 Note that LSM security checks are still performed, and may further
>> 35 filter out keys that the current process is not authorised to view.
40 36
41 config PROC_MEM_FORCE_PTRACE !! 37 Only key attributes are listed here; key payloads are not included in
42 bool "Require active ptrace() use for !! 38 the resulting table.
43 help <<
44 This allows /proc/pid/mem accesses t <<
45 permissions for active ptracers like <<
46 39
47 config PROC_MEM_NO_FORCE !! 40 If you are unsure as to whether this is required, answer N.
48 bool "Never" <<
49 help <<
50 Never override memory mapping permis <<
51 <<
52 endchoice <<
53 41
54 config SECURITY 42 config SECURITY
55 bool "Enable different security models 43 bool "Enable different security models"
56 depends on SYSFS 44 depends on SYSFS
57 depends on MULTIUSER <<
58 help 45 help
59 This allows you to choose different 46 This allows you to choose different security modules to be
60 configured into your kernel. 47 configured into your kernel.
61 48
62 If this option is not selected, the 49 If this option is not selected, the default Linux security
63 model will be used. 50 model will be used.
64 51
65 If you are unsure how to answer this 52 If you are unsure how to answer this question, answer N.
66 53
67 config SECURITYFS 54 config SECURITYFS
68 bool "Enable the securityfs filesystem 55 bool "Enable the securityfs filesystem"
69 help 56 help
70 This will build the securityfs files 57 This will build the securityfs filesystem. It is currently used by
71 various security modules (AppArmor, !! 58 the TPM bios character driver and IMA, an integrity provider. It is
>> 59 not used by SELinux or SMACK.
72 60
73 If you are unsure how to answer this 61 If you are unsure how to answer this question, answer N.
74 62
75 config SECURITY_NETWORK 63 config SECURITY_NETWORK
76 bool "Socket and Networking Security H 64 bool "Socket and Networking Security Hooks"
77 depends on SECURITY 65 depends on SECURITY
78 help 66 help
79 This enables the socket and networki 67 This enables the socket and networking security hooks.
80 If enabled, a security module can us 68 If enabled, a security module can use these hooks to
81 implement socket and networking acce 69 implement socket and networking access controls.
82 If you are unsure how to answer this 70 If you are unsure how to answer this question, answer N.
83 71
84 config SECURITY_INFINIBAND <<
85 bool "Infiniband Security Hooks" <<
86 depends on SECURITY && INFINIBAND <<
87 help <<
88 This enables the Infiniband security <<
89 If enabled, a security module can us <<
90 implement Infiniband access controls <<
91 If you are unsure how to answer this <<
92 <<
93 config SECURITY_NETWORK_XFRM 72 config SECURITY_NETWORK_XFRM
94 bool "XFRM (IPSec) Networking Security 73 bool "XFRM (IPSec) Networking Security Hooks"
95 depends on XFRM && SECURITY_NETWORK 74 depends on XFRM && SECURITY_NETWORK
96 help 75 help
97 This enables the XFRM (IPSec) networ 76 This enables the XFRM (IPSec) networking security hooks.
98 If enabled, a security module can us 77 If enabled, a security module can use these hooks to
99 implement per-packet access controls 78 implement per-packet access controls based on labels
100 derived from IPSec policy. Non-IPSe 79 derived from IPSec policy. Non-IPSec communications are
101 designated as unlabelled, and only s 80 designated as unlabelled, and only sockets authorized
102 to communicate unlabelled data can s 81 to communicate unlabelled data can send without using
103 IPSec. 82 IPSec.
104 If you are unsure how to answer this 83 If you are unsure how to answer this question, answer N.
105 84
106 config SECURITY_PATH 85 config SECURITY_PATH
107 bool "Security hooks for pathname base 86 bool "Security hooks for pathname based access control"
108 depends on SECURITY 87 depends on SECURITY
109 help 88 help
110 This enables the security hooks for 89 This enables the security hooks for pathname based access control.
111 If enabled, a security module can us 90 If enabled, a security module can use these hooks to
112 implement pathname based access cont 91 implement pathname based access controls.
113 If you are unsure how to answer this 92 If you are unsure how to answer this question, answer N.
114 93
>> 94 config SECURITY_FILE_CAPABILITIES
>> 95 bool "File POSIX Capabilities"
>> 96 default n
>> 97 help
>> 98 This enables filesystem capabilities, allowing you to give
>> 99 binaries a subset of root's powers without using setuid 0.
>> 100
>> 101 If in doubt, answer N.
>> 102
>> 103 config SECURITY_ROOTPLUG
>> 104 bool "Root Plug Support"
>> 105 depends on USB=y && SECURITY
>> 106 help
>> 107 This is a sample LSM module that should only be used as such.
>> 108 It prevents any programs running with egid == 0 if a specific
>> 109 USB device is not present in the system.
>> 110
>> 111 See <http://www.linuxjournal.com/article.php?sid=6279> for
>> 112 more information about this module.
>> 113
>> 114 If you are unsure how to answer this question, answer N.
>> 115
115 config INTEL_TXT 116 config INTEL_TXT
116 bool "Enable Intel(R) Trusted Executio 117 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
117 depends on HAVE_INTEL_TXT 118 depends on HAVE_INTEL_TXT
118 help 119 help
119 This option enables support for boot 120 This option enables support for booting the kernel with the
120 Trusted Boot (tboot) module. This wi 121 Trusted Boot (tboot) module. This will utilize
121 Intel(R) Trusted Execution Technolog 122 Intel(R) Trusted Execution Technology to perform a measured launch
122 of the kernel. If the system does no 123 of the kernel. If the system does not support Intel(R) TXT, this
123 will have no effect. 124 will have no effect.
124 125
125 Intel TXT will provide higher assura 126 Intel TXT will provide higher assurance of system configuration and
126 initial state as well as data reset 127 initial state as well as data reset protection. This is used to
127 create a robust initial kernel measu 128 create a robust initial kernel measurement and verification, which
128 helps to ensure that kernel security 129 helps to ensure that kernel security mechanisms are functioning
129 correctly. This level of protection 130 correctly. This level of protection requires a root of trust outside
130 of the kernel itself. 131 of the kernel itself.
131 132
132 Intel TXT also helps solve real end 133 Intel TXT also helps solve real end user concerns about having
133 confidence that their hardware is ru 134 confidence that their hardware is running the VMM or kernel that
134 it was configured with, especially s 135 it was configured with, especially since they may be responsible for
135 providing such assurances to VMs and 136 providing such assurances to VMs and services running on it.
136 137
137 See <https://www.intel.com/technolog !! 138 See <http://www.intel.com/technology/security/> for more information
138 about Intel(R) TXT. 139 about Intel(R) TXT.
139 See <http://tboot.sourceforge.net> f 140 See <http://tboot.sourceforge.net> for more information about tboot.
140 See Documentation/arch/x86/intel_txt !! 141 See Documentation/intel_txt.txt for a description of how to enable
141 Intel TXT support in a kernel boot. 142 Intel TXT support in a kernel boot.
142 143
143 If you are unsure as to whether this 144 If you are unsure as to whether this is required, answer N.
144 145
145 config LSM_MMAP_MIN_ADDR 146 config LSM_MMAP_MIN_ADDR
146 int "Low address space for LSM to prot 147 int "Low address space for LSM to protect from user allocation"
147 depends on SECURITY && SECURITY_SELINU 148 depends on SECURITY && SECURITY_SELINUX
148 default 32768 if ARM || (ARM64 && COMP <<
149 default 65536 149 default 65536
150 help 150 help
151 This is the portion of low virtual m 151 This is the portion of low virtual memory which should be protected
152 from userspace allocation. Keeping 152 from userspace allocation. Keeping a user from writing to low pages
153 can help reduce the impact of kernel 153 can help reduce the impact of kernel NULL pointer bugs.
154 154
155 For most ia64, ppc64 and x86 users w 155 For most ia64, ppc64 and x86 users with lots of address space
156 a value of 65536 is reasonable and s 156 a value of 65536 is reasonable and should cause no problems.
157 On arm and other archs it should not 157 On arm and other archs it should not be higher than 32768.
158 Programs which use vm86 functionalit 158 Programs which use vm86 functionality or have some need to map
159 this low address space will need the 159 this low address space will need the permission specific to the
160 systems running LSM. 160 systems running LSM.
161 161
162 config HARDENED_USERCOPY !! 162 source security/selinux/Kconfig
163 bool "Harden memory copies between ker !! 163 source security/smack/Kconfig
164 imply STRICT_DEVMEM !! 164 source security/tomoyo/Kconfig
165 help <<
166 This option checks for obviously wro <<
167 copying memory to/from the kernel (v <<
168 copy_from_user() functions) by rejec <<
169 are larger than the specified heap o <<
170 separately allocated pages, are not <<
171 or are part of the kernel text. This <<
172 of heap overflow exploits and simila <<
173 <<
174 config FORTIFY_SOURCE <<
175 bool "Harden common str/mem functions <<
176 depends on ARCH_HAS_FORTIFY_SOURCE <<
177 # https://github.com/llvm/llvm-project <<
178 depends on !CC_IS_CLANG || !X86_32 <<
179 help <<
180 Detect overflows of buffers in commo <<
181 where the compiler can determine and <<
182 <<
183 config STATIC_USERMODEHELPER <<
184 bool "Force all usermode helper calls <<
185 help <<
186 By default, the kernel can call many <<
187 binary programs through the "usermod <<
188 interface. Some of these binaries a <<
189 either in the kernel code itself, or <<
190 option. However, some of these are <<
191 runtime, or can be modified after th <<
192 To provide an additional layer of se <<
193 calls through a single executable th <<
194 changed. <<
195 <<
196 Note, it is up to this single binary <<
197 "real" usermode helper binary, based <<
198 passed to it. If desired, this prog <<
199 and choose what real programs are ca <<
200 <<
201 If you wish for all usermode helper <<
202 disabled, choose this option and the <<
203 STATIC_USERMODEHELPER_PATH to an emp <<
204 <<
205 config STATIC_USERMODEHELPER_PATH <<
206 string "Path to the static usermode he <<
207 depends on STATIC_USERMODEHELPER <<
208 default "/sbin/usermode-helper" <<
209 help <<
210 The binary called by the kernel when <<
211 program is wish to be run. The "rea <<
212 be in the first argument passed to t <<
213 line. <<
214 <<
215 If you wish for all usermode helper <<
216 specify an empty string here (i.e. " <<
217 <<
218 source "security/selinux/Kconfig" <<
219 source "security/smack/Kconfig" <<
220 source "security/tomoyo/Kconfig" <<
221 source "security/apparmor/Kconfig" <<
222 source "security/loadpin/Kconfig" <<
223 source "security/yama/Kconfig" <<
224 source "security/safesetid/Kconfig" <<
225 source "security/lockdown/Kconfig" <<
226 source "security/landlock/Kconfig" <<
227 source "security/ipe/Kconfig" <<
228 <<
229 source "security/integrity/Kconfig" <<
230 <<
231 choice <<
232 prompt "First legacy 'major LSM' to be <<
233 default DEFAULT_SECURITY_SELINUX if SE <<
234 default DEFAULT_SECURITY_SMACK if SECU <<
235 default DEFAULT_SECURITY_TOMOYO if SEC <<
236 default DEFAULT_SECURITY_APPARMOR if S <<
237 default DEFAULT_SECURITY_DAC <<
238 <<
239 help <<
240 This choice is there only for conver <<
241 in old kernel configs to CONFIG_LSM <<
242 change this choice unless you are cr <<
243 for this choice will be ignored afte <<
244 <<
245 Selects the legacy "major security m <<
246 initialized first. Overridden by non <<
247 <<
248 config DEFAULT_SECURITY_SELINUX <<
249 bool "SELinux" if SECURITY_SEL <<
250 <<
251 config DEFAULT_SECURITY_SMACK <<
252 bool "Simplified Mandatory Acc <<
253 <<
254 config DEFAULT_SECURITY_TOMOYO <<
255 bool "TOMOYO" if SECURITY_TOMO <<
256 <<
257 config DEFAULT_SECURITY_APPARMOR <<
258 bool "AppArmor" if SECURITY_AP <<
259 <<
260 config DEFAULT_SECURITY_DAC <<
261 bool "Unix Discretionary Acces <<
262 <<
263 endchoice <<
264 <<
265 config LSM <<
266 string "Ordered list of enabled LSMs" <<
267 default "landlock,lockdown,yama,loadpi <<
268 default "landlock,lockdown,yama,loadpi <<
269 default "landlock,lockdown,yama,loadpi <<
270 default "landlock,lockdown,yama,loadpi <<
271 default "landlock,lockdown,yama,loadpi <<
272 help <<
273 A comma-separated list of LSMs, in i <<
274 Any LSMs left off this list, except <<
275 LSM_ORDER_FIRST and LSM_ORDER_LAST, <<
276 if selected in the kernel configurat <<
277 This can be controlled at boot with <<
278 <<
279 If unsure, leave this as the default <<
280 165
281 source "security/Kconfig.hardening" !! 166 source security/integrity/ima/Kconfig
282 167
283 source "security/ccsecurity/Kconfig" !! 168 source security/ccsecurity/Kconfig
284 169
285 endmenu 170 endmenu
286 171
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.