1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only 21da177e4SLinus Torvalds# 31da177e4SLinus Torvalds# Security configuration 41da177e4SLinus Torvalds# 51da177e4SLinus Torvalds 61da177e4SLinus Torvaldsmenu "Security options" 71da177e4SLinus Torvalds 88636a1f9SMasahiro Yamadasource "security/keys/Kconfig" 91da177e4SLinus Torvalds 10eaf06b24SDan Rosenbergconfig SECURITY_DMESG_RESTRICT 11eaf06b24SDan Rosenberg bool "Restrict unprivileged access to the kernel syslog" 12eaf06b24SDan Rosenberg default n 13eaf06b24SDan Rosenberg help 14eaf06b24SDan Rosenberg This enforces restrictions on unprivileged users reading the kernel 15eaf06b24SDan Rosenberg syslog via dmesg(8). 16eaf06b24SDan Rosenberg 17eaf06b24SDan Rosenberg If this option is not selected, no restrictions will be enforced 18eaf06b24SDan Rosenberg unless the dmesg_restrict sysctl is explicitly set to (1). 19eaf06b24SDan Rosenberg 20eaf06b24SDan Rosenberg If you are unsure how to answer this question, answer N. 21eaf06b24SDan Rosenberg 221da177e4SLinus Torvaldsconfig SECURITY 231da177e4SLinus Torvalds bool "Enable different security models" 242c40579bSAdrian Bunk depends on SYSFS 252813893fSIulia Manda depends on MULTIUSER 261da177e4SLinus Torvalds help 271da177e4SLinus Torvalds This allows you to choose different security modules to be 281da177e4SLinus Torvalds configured into your kernel. 291da177e4SLinus Torvalds 301da177e4SLinus Torvalds If this option is not selected, the default Linux security 311da177e4SLinus Torvalds model will be used. 321da177e4SLinus Torvalds 331da177e4SLinus Torvalds If you are unsure how to answer this question, answer N. 341da177e4SLinus Torvalds 35da31894eSEric Parisconfig SECURITYFS 36da31894eSEric Paris bool "Enable the securityfs filesystem" 37da31894eSEric Paris help 38da31894eSEric Paris This will build the securityfs filesystem. It is currently used by 39b102c11eSPetr Vorel various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). 40da31894eSEric Paris 41da31894eSEric Paris If you are unsure how to answer this question, answer N. 42da31894eSEric Paris 431da177e4SLinus Torvaldsconfig SECURITY_NETWORK 441da177e4SLinus Torvalds bool "Socket and Networking Security Hooks" 451da177e4SLinus Torvalds depends on SECURITY 461da177e4SLinus Torvalds help 471da177e4SLinus Torvalds This enables the socket and networking security hooks. 481da177e4SLinus Torvalds If enabled, a security module can use these hooks to 491da177e4SLinus Torvalds implement socket and networking access controls. 501da177e4SLinus Torvalds If you are unsure how to answer this question, answer N. 511da177e4SLinus Torvalds 52d291f1a6SDaniel Jurgensconfig SECURITY_INFINIBAND 53d291f1a6SDaniel Jurgens bool "Infiniband Security Hooks" 54d291f1a6SDaniel Jurgens depends on SECURITY && INFINIBAND 55d291f1a6SDaniel Jurgens help 56d291f1a6SDaniel Jurgens This enables the Infiniband security hooks. 57d291f1a6SDaniel Jurgens If enabled, a security module can use these hooks to 58d291f1a6SDaniel Jurgens implement Infiniband access controls. 59d291f1a6SDaniel Jurgens If you are unsure how to answer this question, answer N. 60d291f1a6SDaniel Jurgens 61df71837dSTrent Jaegerconfig SECURITY_NETWORK_XFRM 62df71837dSTrent Jaeger bool "XFRM (IPSec) Networking Security Hooks" 63df71837dSTrent Jaeger depends on XFRM && SECURITY_NETWORK 64df71837dSTrent Jaeger help 65df71837dSTrent Jaeger This enables the XFRM (IPSec) networking security hooks. 66df71837dSTrent Jaeger If enabled, a security module can use these hooks to 67df71837dSTrent Jaeger implement per-packet access controls based on labels 68df71837dSTrent Jaeger derived from IPSec policy. Non-IPSec communications are 69df71837dSTrent Jaeger designated as unlabelled, and only sockets authorized 70df71837dSTrent Jaeger to communicate unlabelled data can send without using 71df71837dSTrent Jaeger IPSec. 72df71837dSTrent Jaeger If you are unsure how to answer this question, answer N. 73df71837dSTrent Jaeger 74be6d3e56SKentaro Takedaconfig SECURITY_PATH 75be6d3e56SKentaro Takeda bool "Security hooks for pathname based access control" 76be6d3e56SKentaro Takeda depends on SECURITY 77be6d3e56SKentaro Takeda help 78be6d3e56SKentaro Takeda This enables the security hooks for pathname based access control. 79be6d3e56SKentaro Takeda If enabled, a security module can use these hooks to 80be6d3e56SKentaro Takeda implement pathname based access controls. 81be6d3e56SKentaro Takeda If you are unsure how to answer this question, answer N. 82be6d3e56SKentaro Takeda 8331625340SJoseph Cihulaconfig INTEL_TXT 8431625340SJoseph Cihula bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 8569575d38SShane Wang depends on HAVE_INTEL_TXT 8631625340SJoseph Cihula help 8731625340SJoseph Cihula This option enables support for booting the kernel with the 8831625340SJoseph Cihula Trusted Boot (tboot) module. This will utilize 8931625340SJoseph Cihula Intel(R) Trusted Execution Technology to perform a measured launch 9031625340SJoseph Cihula of the kernel. If the system does not support Intel(R) TXT, this 9131625340SJoseph Cihula will have no effect. 9231625340SJoseph Cihula 933c556e41SArnaldo Carvalho de Melo Intel TXT will provide higher assurance of system configuration and 9431625340SJoseph Cihula initial state as well as data reset protection. This is used to 9531625340SJoseph Cihula create a robust initial kernel measurement and verification, which 9631625340SJoseph Cihula helps to ensure that kernel security mechanisms are functioning 9731625340SJoseph Cihula correctly. This level of protection requires a root of trust outside 9831625340SJoseph Cihula of the kernel itself. 9931625340SJoseph Cihula 10031625340SJoseph Cihula Intel TXT also helps solve real end user concerns about having 10131625340SJoseph Cihula confidence that their hardware is running the VMM or kernel that 1023c556e41SArnaldo Carvalho de Melo it was configured with, especially since they may be responsible for 10331625340SJoseph Cihula providing such assurances to VMs and services running on it. 10431625340SJoseph Cihula 105c9fecf50SAlexander A. Klimov See <https://www.intel.com/technology/security/> for more information 10631625340SJoseph Cihula about Intel(R) TXT. 10731625340SJoseph Cihula See <http://tboot.sourceforge.net> for more information about tboot. 108*ff61f079SJonathan Corbet See Documentation/arch/x86/intel_txt.rst for a description of how to enable 10931625340SJoseph Cihula Intel TXT support in a kernel boot. 11031625340SJoseph Cihula 11131625340SJoseph Cihula If you are unsure as to whether this is required, answer N. 11231625340SJoseph Cihula 113788084abSEric Parisconfig LSM_MMAP_MIN_ADDR 114024e6cb4SAndreas Schwab int "Low address space for LSM to protect from user allocation" 115788084abSEric Paris depends on SECURITY && SECURITY_SELINUX 116530b099dSColin Cross default 32768 if ARM || (ARM64 && COMPAT) 117a58578e4SDave Jones default 65536 118788084abSEric Paris help 119788084abSEric Paris This is the portion of low virtual memory which should be protected 120788084abSEric Paris from userspace allocation. Keeping a user from writing to low pages 121788084abSEric Paris can help reduce the impact of kernel NULL pointer bugs. 122788084abSEric Paris 123788084abSEric Paris For most ia64, ppc64 and x86 users with lots of address space 124788084abSEric Paris a value of 65536 is reasonable and should cause no problems. 125788084abSEric Paris On arm and other archs it should not be higher than 32768. 126788084abSEric Paris Programs which use vm86 functionality or have some need to map 127788084abSEric Paris this low address space will need the permission specific to the 128788084abSEric Paris systems running LSM. 129788084abSEric Paris 130f5509cc1SKees Cookconfig HARDENED_USERCOPY 131f5509cc1SKees Cook bool "Harden memory copies between kernel and userspace" 13222ec1a2aSKees Cook imply STRICT_DEVMEM 133f5509cc1SKees Cook help 134f5509cc1SKees Cook This option checks for obviously wrong memory regions when 135f5509cc1SKees Cook copying memory to/from the kernel (via copy_to_user() and 136f5509cc1SKees Cook copy_from_user() functions) by rejecting memory ranges that 137f5509cc1SKees Cook are larger than the specified heap object, span multiple 13899c55fb1SGeert Uytterhoeven separately allocated pages, are not on the process stack, 1391109a5d9SMatthew Wilcox (Oracle) or are part of the kernel text. This prevents entire classes 140f5509cc1SKees Cook of heap overflow exploits and similar kernel memory exposures. 141f5509cc1SKees Cook 1426974f0c4SDaniel Micayconfig FORTIFY_SOURCE 1436974f0c4SDaniel Micay bool "Harden common str/mem functions against buffer overflows" 1446974f0c4SDaniel Micay depends on ARCH_HAS_FORTIFY_SOURCE 145a52f8a59SKees Cook # https://bugs.llvm.org/show_bug.cgi?id=41459 146281d0c96SKees Cook depends on !CC_IS_CLANG || CLANG_VERSION >= 120001 147281d0c96SKees Cook # https://github.com/llvm/llvm-project/issues/53645 148281d0c96SKees Cook depends on !CC_IS_CLANG || !X86_32 1496974f0c4SDaniel Micay help 1506974f0c4SDaniel Micay Detect overflows of buffers in common string and memory functions 1516974f0c4SDaniel Micay where the compiler can determine and validate the buffer sizes. 1526974f0c4SDaniel Micay 15364e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER 15464e90a8aSGreg Kroah-Hartman bool "Force all usermode helper calls through a single binary" 15564e90a8aSGreg Kroah-Hartman help 15664e90a8aSGreg Kroah-Hartman By default, the kernel can call many different userspace 15764e90a8aSGreg Kroah-Hartman binary programs through the "usermode helper" kernel 15864e90a8aSGreg Kroah-Hartman interface. Some of these binaries are statically defined 15964e90a8aSGreg Kroah-Hartman either in the kernel code itself, or as a kernel configuration 16064e90a8aSGreg Kroah-Hartman option. However, some of these are dynamically created at 16164e90a8aSGreg Kroah-Hartman runtime, or can be modified after the kernel has started up. 16264e90a8aSGreg Kroah-Hartman To provide an additional layer of security, route all of these 16364e90a8aSGreg Kroah-Hartman calls through a single executable that can not have its name 16464e90a8aSGreg Kroah-Hartman changed. 16564e90a8aSGreg Kroah-Hartman 16664e90a8aSGreg Kroah-Hartman Note, it is up to this single binary to then call the relevant 16764e90a8aSGreg Kroah-Hartman "real" usermode helper binary, based on the first argument 16864e90a8aSGreg Kroah-Hartman passed to it. If desired, this program can filter and pick 16964e90a8aSGreg Kroah-Hartman and choose what real programs are called. 17064e90a8aSGreg Kroah-Hartman 17164e90a8aSGreg Kroah-Hartman If you wish for all usermode helper programs are to be 17264e90a8aSGreg Kroah-Hartman disabled, choose this option and then set 17364e90a8aSGreg Kroah-Hartman STATIC_USERMODEHELPER_PATH to an empty string. 17464e90a8aSGreg Kroah-Hartman 17564e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER_PATH 17664e90a8aSGreg Kroah-Hartman string "Path to the static usermode helper binary" 17764e90a8aSGreg Kroah-Hartman depends on STATIC_USERMODEHELPER 17864e90a8aSGreg Kroah-Hartman default "/sbin/usermode-helper" 17964e90a8aSGreg Kroah-Hartman help 18064e90a8aSGreg Kroah-Hartman The binary called by the kernel when any usermode helper 18164e90a8aSGreg Kroah-Hartman program is wish to be run. The "real" application's name will 18264e90a8aSGreg Kroah-Hartman be in the first argument passed to this program on the command 18364e90a8aSGreg Kroah-Hartman line. 18464e90a8aSGreg Kroah-Hartman 18564e90a8aSGreg Kroah-Hartman If you wish for all usermode helper programs to be disabled, 18664e90a8aSGreg Kroah-Hartman specify an empty string here (i.e. ""). 18764e90a8aSGreg Kroah-Hartman 1888636a1f9SMasahiro Yamadasource "security/selinux/Kconfig" 1898636a1f9SMasahiro Yamadasource "security/smack/Kconfig" 1908636a1f9SMasahiro Yamadasource "security/tomoyo/Kconfig" 1918636a1f9SMasahiro Yamadasource "security/apparmor/Kconfig" 1928636a1f9SMasahiro Yamadasource "security/loadpin/Kconfig" 1938636a1f9SMasahiro Yamadasource "security/yama/Kconfig" 194aeca4e2cSMicah Mortonsource "security/safesetid/Kconfig" 195000d388eSMatthew Garrettsource "security/lockdown/Kconfig" 19690945448SMickaël Salaünsource "security/landlock/Kconfig" 1971da177e4SLinus Torvalds 1988636a1f9SMasahiro Yamadasource "security/integrity/Kconfig" 1993323eec9SMimi Zohar 2002623c4fbSKees Cookchoice 2012623c4fbSKees Cook prompt "First legacy 'major LSM' to be initialized" 2022623c4fbSKees Cook default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 2032623c4fbSKees Cook default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 2042623c4fbSKees Cook default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 2052623c4fbSKees Cook default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 2062623c4fbSKees Cook default DEFAULT_SECURITY_DAC 2072623c4fbSKees Cook 2082623c4fbSKees Cook help 2092623c4fbSKees Cook This choice is there only for converting CONFIG_DEFAULT_SECURITY 2102623c4fbSKees Cook in old kernel configs to CONFIG_LSM in new kernel configs. Don't 2112623c4fbSKees Cook change this choice unless you are creating a fresh kernel config, 2122623c4fbSKees Cook for this choice will be ignored after CONFIG_LSM has been set. 2132623c4fbSKees Cook 2142623c4fbSKees Cook Selects the legacy "major security module" that will be 2152623c4fbSKees Cook initialized first. Overridden by non-default CONFIG_LSM. 2162623c4fbSKees Cook 2172623c4fbSKees Cook config DEFAULT_SECURITY_SELINUX 2182623c4fbSKees Cook bool "SELinux" if SECURITY_SELINUX=y 2192623c4fbSKees Cook 2202623c4fbSKees Cook config DEFAULT_SECURITY_SMACK 2212623c4fbSKees Cook bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 2222623c4fbSKees Cook 2232623c4fbSKees Cook config DEFAULT_SECURITY_TOMOYO 2242623c4fbSKees Cook bool "TOMOYO" if SECURITY_TOMOYO=y 2252623c4fbSKees Cook 2262623c4fbSKees Cook config DEFAULT_SECURITY_APPARMOR 2272623c4fbSKees Cook bool "AppArmor" if SECURITY_APPARMOR=y 2282623c4fbSKees Cook 2292623c4fbSKees Cook config DEFAULT_SECURITY_DAC 2302623c4fbSKees Cook bool "Unix Discretionary Access Controls" 2312623c4fbSKees Cook 2322623c4fbSKees Cookendchoice 2332623c4fbSKees Cook 23413e735c0SKees Cookconfig LSM 23513e735c0SKees Cook string "Ordered list of enabled LSMs" 236b9b8701bSRoberto Sassu default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK 237b9b8701bSRoberto Sassu default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR 238b9b8701bSRoberto Sassu default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO 239b9b8701bSRoberto Sassu default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC 240b9b8701bSRoberto Sassu default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" 24113e735c0SKees Cook help 24213e735c0SKees Cook A comma-separated list of LSMs, in initialization order. 243b9b8701bSRoberto Sassu Any LSMs left off this list, except for those with order 244b9b8701bSRoberto Sassu LSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabled 245b9b8701bSRoberto Sassu if selected in the kernel configuration, will be ignored. 246b9b8701bSRoberto Sassu This can be controlled at boot with the "lsm=" parameter. 24713e735c0SKees Cook 24813e735c0SKees Cook If unsure, leave this as the default. 24913e735c0SKees Cook 2509f671e58SKees Cooksource "security/Kconfig.hardening" 2519f671e58SKees Cook 2521da177e4SLinus Torvaldsendmenu 2531da177e4SLinus Torvalds 254