1 config SECURITY_LOCKDOWN_LSM 1 config SECURITY_LOCKDOWN_LSM 2 bool "Basic module for enforcing kerne 2 bool "Basic module for enforcing kernel lockdown" 3 depends on SECURITY 3 depends on SECURITY 4 select MODULE_SIG if MODULES 4 select MODULE_SIG if MODULES 5 help 5 help 6 Build support for an LSM that enforc 6 Build support for an LSM that enforces a coarse kernel lockdown 7 behaviour. 7 behaviour. 8 8 9 config SECURITY_LOCKDOWN_LSM_EARLY 9 config SECURITY_LOCKDOWN_LSM_EARLY 10 bool "Enable lockdown LSM early in ini 10 bool "Enable lockdown LSM early in init" 11 depends on SECURITY_LOCKDOWN_LSM 11 depends on SECURITY_LOCKDOWN_LSM 12 help 12 help 13 Enable the lockdown LSM early in boo 13 Enable the lockdown LSM early in boot. This is necessary in order 14 to ensure that lockdown enforcement 14 to ensure that lockdown enforcement can be carried out on kernel 15 boot parameters that are otherwise p 15 boot parameters that are otherwise parsed before the security 16 subsystem is fully initialised. If e 16 subsystem is fully initialised. If enabled, lockdown will 17 unconditionally be called before any 17 unconditionally be called before any other LSMs. 18 18 19 choice 19 choice 20 prompt "Kernel default lockdown mode" 20 prompt "Kernel default lockdown mode" 21 default LOCK_DOWN_KERNEL_FORCE_NONE 21 default LOCK_DOWN_KERNEL_FORCE_NONE 22 depends on SECURITY_LOCKDOWN_LSM 22 depends on SECURITY_LOCKDOWN_LSM 23 help 23 help 24 The kernel can be configured to defa 24 The kernel can be configured to default to differing levels of 25 lockdown. 25 lockdown. 26 26 27 config LOCK_DOWN_KERNEL_FORCE_NONE 27 config LOCK_DOWN_KERNEL_FORCE_NONE 28 bool "None" 28 bool "None" 29 help 29 help 30 No lockdown functionality is enabled 30 No lockdown functionality is enabled by default. Lockdown may be 31 enabled via the kernel commandline o 31 enabled via the kernel commandline or /sys/kernel/security/lockdown. 32 32 33 config LOCK_DOWN_KERNEL_FORCE_INTEGRITY 33 config LOCK_DOWN_KERNEL_FORCE_INTEGRITY 34 bool "Integrity" 34 bool "Integrity" 35 help 35 help 36 The kernel runs in integrity mode by 36 The kernel runs in integrity mode by default. Features that allow 37 the kernel to be modified at runtime 37 the kernel to be modified at runtime are disabled. 38 38 39 config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY 39 config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY 40 bool "Confidentiality" 40 bool "Confidentiality" 41 help 41 help 42 The kernel runs in confidentiality mo 42 The kernel runs in confidentiality mode by default. Features that 43 allow the kernel to be modified at ru 43 allow the kernel to be modified at runtime or that permit userland 44 code to read confidential material he 44 code to read confidential material held inside the kernel are 45 disabled. 45 disabled. 46 46 47 endchoice 47 endchoice
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.