11da177e4SLinus Torvalds# 21da177e4SLinus Torvalds# Security configuration 31da177e4SLinus Torvalds# 41da177e4SLinus Torvalds 51da177e4SLinus Torvaldsmenu "Security options" 61da177e4SLinus Torvalds 7f0894940SDavid Howellssource security/keys/Kconfig 81da177e4SLinus Torvalds 9eaf06b24SDan Rosenbergconfig SECURITY_DMESG_RESTRICT 10eaf06b24SDan Rosenberg bool "Restrict unprivileged access to the kernel syslog" 11eaf06b24SDan Rosenberg default n 12eaf06b24SDan Rosenberg help 13eaf06b24SDan Rosenberg This enforces restrictions on unprivileged users reading the kernel 14eaf06b24SDan Rosenberg syslog via dmesg(8). 15eaf06b24SDan Rosenberg 16eaf06b24SDan Rosenberg If this option is not selected, no restrictions will be enforced 17eaf06b24SDan Rosenberg unless the dmesg_restrict sysctl is explicitly set to (1). 18eaf06b24SDan Rosenberg 19eaf06b24SDan Rosenberg If you are unsure how to answer this question, answer N. 20eaf06b24SDan Rosenberg 211da177e4SLinus Torvaldsconfig SECURITY 221da177e4SLinus Torvalds bool "Enable different security models" 232c40579bSAdrian Bunk depends on SYSFS 242813893fSIulia Manda depends on MULTIUSER 251da177e4SLinus Torvalds help 261da177e4SLinus Torvalds This allows you to choose different security modules to be 271da177e4SLinus Torvalds configured into your kernel. 281da177e4SLinus Torvalds 291da177e4SLinus Torvalds If this option is not selected, the default Linux security 301da177e4SLinus Torvalds model will be used. 311da177e4SLinus Torvalds 321da177e4SLinus Torvalds If you are unsure how to answer this question, answer N. 331da177e4SLinus Torvalds 34dd0859dcSJames Morrisconfig SECURITY_WRITABLE_HOOKS 35dd0859dcSJames Morris depends on SECURITY 36dd0859dcSJames Morris bool 37dd0859dcSJames Morris default n 38dd0859dcSJames Morris 39da31894eSEric Parisconfig SECURITYFS 40da31894eSEric Paris bool "Enable the securityfs filesystem" 41da31894eSEric Paris help 42da31894eSEric Paris This will build the securityfs filesystem. It is currently used by 433323eec9SMimi Zohar the TPM bios character driver and IMA, an integrity provider. It is 443323eec9SMimi Zohar not used by SELinux or SMACK. 45da31894eSEric Paris 46da31894eSEric Paris If you are unsure how to answer this question, answer N. 47da31894eSEric Paris 481da177e4SLinus Torvaldsconfig SECURITY_NETWORK 491da177e4SLinus Torvalds bool "Socket and Networking Security Hooks" 501da177e4SLinus Torvalds depends on SECURITY 511da177e4SLinus Torvalds help 521da177e4SLinus Torvalds This enables the socket and networking security hooks. 531da177e4SLinus Torvalds If enabled, a security module can use these hooks to 541da177e4SLinus Torvalds implement socket and networking access controls. 551da177e4SLinus Torvalds If you are unsure how to answer this question, answer N. 561da177e4SLinus Torvalds 57d291f1a6SDaniel Jurgensconfig SECURITY_INFINIBAND 58d291f1a6SDaniel Jurgens bool "Infiniband Security Hooks" 59d291f1a6SDaniel Jurgens depends on SECURITY && INFINIBAND 60d291f1a6SDaniel Jurgens help 61d291f1a6SDaniel Jurgens This enables the Infiniband security hooks. 62d291f1a6SDaniel Jurgens If enabled, a security module can use these hooks to 63d291f1a6SDaniel Jurgens implement Infiniband access controls. 64d291f1a6SDaniel Jurgens If you are unsure how to answer this question, answer N. 65d291f1a6SDaniel Jurgens 66df71837dSTrent Jaegerconfig SECURITY_NETWORK_XFRM 67df71837dSTrent Jaeger bool "XFRM (IPSec) Networking Security Hooks" 68df71837dSTrent Jaeger depends on XFRM && SECURITY_NETWORK 69df71837dSTrent Jaeger help 70df71837dSTrent Jaeger This enables the XFRM (IPSec) networking security hooks. 71df71837dSTrent Jaeger If enabled, a security module can use these hooks to 72df71837dSTrent Jaeger implement per-packet access controls based on labels 73df71837dSTrent Jaeger derived from IPSec policy. Non-IPSec communications are 74df71837dSTrent Jaeger designated as unlabelled, and only sockets authorized 75df71837dSTrent Jaeger to communicate unlabelled data can send without using 76df71837dSTrent Jaeger IPSec. 77df71837dSTrent Jaeger If you are unsure how to answer this question, answer N. 78df71837dSTrent Jaeger 79be6d3e56SKentaro Takedaconfig SECURITY_PATH 80be6d3e56SKentaro Takeda bool "Security hooks for pathname based access control" 81be6d3e56SKentaro Takeda depends on SECURITY 82be6d3e56SKentaro Takeda help 83be6d3e56SKentaro Takeda This enables the security hooks for pathname based access control. 84be6d3e56SKentaro Takeda If enabled, a security module can use these hooks to 85be6d3e56SKentaro Takeda implement pathname based access controls. 86be6d3e56SKentaro Takeda If you are unsure how to answer this question, answer N. 87be6d3e56SKentaro Takeda 8831625340SJoseph Cihulaconfig INTEL_TXT 8931625340SJoseph Cihula bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 9069575d38SShane Wang depends on HAVE_INTEL_TXT 9131625340SJoseph Cihula help 9231625340SJoseph Cihula This option enables support for booting the kernel with the 9331625340SJoseph Cihula Trusted Boot (tboot) module. This will utilize 9431625340SJoseph Cihula Intel(R) Trusted Execution Technology to perform a measured launch 9531625340SJoseph Cihula of the kernel. If the system does not support Intel(R) TXT, this 9631625340SJoseph Cihula will have no effect. 9731625340SJoseph Cihula 983c556e41SArnaldo Carvalho de Melo Intel TXT will provide higher assurance of system configuration and 9931625340SJoseph Cihula initial state as well as data reset protection. This is used to 10031625340SJoseph Cihula create a robust initial kernel measurement and verification, which 10131625340SJoseph Cihula helps to ensure that kernel security mechanisms are functioning 10231625340SJoseph Cihula correctly. This level of protection requires a root of trust outside 10331625340SJoseph Cihula of the kernel itself. 10431625340SJoseph Cihula 10531625340SJoseph Cihula Intel TXT also helps solve real end user concerns about having 10631625340SJoseph Cihula confidence that their hardware is running the VMM or kernel that 1073c556e41SArnaldo Carvalho de Melo it was configured with, especially since they may be responsible for 10831625340SJoseph Cihula providing such assurances to VMs and services running on it. 10931625340SJoseph Cihula 11031625340SJoseph Cihula See <http://www.intel.com/technology/security/> for more information 11131625340SJoseph Cihula about Intel(R) TXT. 11231625340SJoseph Cihula See <http://tboot.sourceforge.net> for more information about tboot. 11331625340SJoseph Cihula See Documentation/intel_txt.txt for a description of how to enable 11431625340SJoseph Cihula Intel TXT support in a kernel boot. 11531625340SJoseph Cihula 11631625340SJoseph Cihula If you are unsure as to whether this is required, answer N. 11731625340SJoseph Cihula 118788084abSEric Parisconfig LSM_MMAP_MIN_ADDR 119024e6cb4SAndreas Schwab int "Low address space for LSM to protect from user allocation" 120788084abSEric Paris depends on SECURITY && SECURITY_SELINUX 121530b099dSColin Cross default 32768 if ARM || (ARM64 && COMPAT) 122a58578e4SDave Jones default 65536 123788084abSEric Paris help 124788084abSEric Paris This is the portion of low virtual memory which should be protected 125788084abSEric Paris from userspace allocation. Keeping a user from writing to low pages 126788084abSEric Paris can help reduce the impact of kernel NULL pointer bugs. 127788084abSEric Paris 128788084abSEric Paris For most ia64, ppc64 and x86 users with lots of address space 129788084abSEric Paris a value of 65536 is reasonable and should cause no problems. 130788084abSEric Paris On arm and other archs it should not be higher than 32768. 131788084abSEric Paris Programs which use vm86 functionality or have some need to map 132788084abSEric Paris this low address space will need the permission specific to the 133788084abSEric Paris systems running LSM. 134788084abSEric Paris 135f5509cc1SKees Cookconfig HAVE_HARDENED_USERCOPY_ALLOCATOR 136f5509cc1SKees Cook bool 137f5509cc1SKees Cook help 138f5509cc1SKees Cook The heap allocator implements __check_heap_object() for 139f5509cc1SKees Cook validating memory ranges against heap object sizes in 140f5509cc1SKees Cook support of CONFIG_HARDENED_USERCOPY. 141f5509cc1SKees Cook 142f5509cc1SKees Cookconfig HARDENED_USERCOPY 143f5509cc1SKees Cook bool "Harden memory copies between kernel and userspace" 1446040e576SLinus Torvalds depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 145f5509cc1SKees Cook select BUG 146f5509cc1SKees Cook help 147f5509cc1SKees Cook This option checks for obviously wrong memory regions when 148f5509cc1SKees Cook copying memory to/from the kernel (via copy_to_user() and 149f5509cc1SKees Cook copy_from_user() functions) by rejecting memory ranges that 150f5509cc1SKees Cook are larger than the specified heap object, span multiple 15199c55fb1SGeert Uytterhoeven separately allocated pages, are not on the process stack, 152f5509cc1SKees Cook or are part of the kernel text. This kills entire classes 153f5509cc1SKees Cook of heap overflow exploits and similar kernel memory exposures. 154f5509cc1SKees Cook 1552d891fbcSKees Cookconfig HARDENED_USERCOPY_FALLBACK 1562d891fbcSKees Cook bool "Allow usercopy whitelist violations to fallback to object size" 1572d891fbcSKees Cook depends on HARDENED_USERCOPY 1582d891fbcSKees Cook default y 1592d891fbcSKees Cook help 1602d891fbcSKees Cook This is a temporary option that allows missing usercopy whitelists 1612d891fbcSKees Cook to be discovered via a WARN() to the kernel log, instead of 1622d891fbcSKees Cook rejecting the copy, falling back to non-whitelisted hardened 1632d891fbcSKees Cook usercopy that checks the slab allocation size instead of the 1642d891fbcSKees Cook whitelist size. This option will be removed once it seems like 1652d891fbcSKees Cook all missing usercopy whitelists have been identified and fixed. 1662d891fbcSKees Cook Booting with "slab_common.usercopy_fallback=Y/N" can change 1672d891fbcSKees Cook this setting. 1682d891fbcSKees Cook 1698e1f74eaSKees Cookconfig HARDENED_USERCOPY_PAGESPAN 1708e1f74eaSKees Cook bool "Refuse to copy allocations that span multiple pages" 1718e1f74eaSKees Cook depends on HARDENED_USERCOPY 17280a77045SLinus Torvalds depends on EXPERT 1738e1f74eaSKees Cook help 1748e1f74eaSKees Cook When a multi-page allocation is done without __GFP_COMP, 1758e1f74eaSKees Cook hardened usercopy will reject attempts to copy it. There are, 1768e1f74eaSKees Cook however, several cases of this in the kernel that have not all 1778e1f74eaSKees Cook been removed. This config is intended to be used only while 1788e1f74eaSKees Cook trying to find such users. 1798e1f74eaSKees Cook 1806974f0c4SDaniel Micayconfig FORTIFY_SOURCE 1816974f0c4SDaniel Micay bool "Harden common str/mem functions against buffer overflows" 1826974f0c4SDaniel Micay depends on ARCH_HAS_FORTIFY_SOURCE 1836974f0c4SDaniel Micay help 1846974f0c4SDaniel Micay Detect overflows of buffers in common string and memory functions 1856974f0c4SDaniel Micay where the compiler can determine and validate the buffer sizes. 1866974f0c4SDaniel Micay 18764e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER 18864e90a8aSGreg Kroah-Hartman bool "Force all usermode helper calls through a single binary" 18964e90a8aSGreg Kroah-Hartman help 19064e90a8aSGreg Kroah-Hartman By default, the kernel can call many different userspace 19164e90a8aSGreg Kroah-Hartman binary programs through the "usermode helper" kernel 19264e90a8aSGreg Kroah-Hartman interface. Some of these binaries are statically defined 19364e90a8aSGreg Kroah-Hartman either in the kernel code itself, or as a kernel configuration 19464e90a8aSGreg Kroah-Hartman option. However, some of these are dynamically created at 19564e90a8aSGreg Kroah-Hartman runtime, or can be modified after the kernel has started up. 19664e90a8aSGreg Kroah-Hartman To provide an additional layer of security, route all of these 19764e90a8aSGreg Kroah-Hartman calls through a single executable that can not have its name 19864e90a8aSGreg Kroah-Hartman changed. 19964e90a8aSGreg Kroah-Hartman 20064e90a8aSGreg Kroah-Hartman Note, it is up to this single binary to then call the relevant 20164e90a8aSGreg Kroah-Hartman "real" usermode helper binary, based on the first argument 20264e90a8aSGreg Kroah-Hartman passed to it. If desired, this program can filter and pick 20364e90a8aSGreg Kroah-Hartman and choose what real programs are called. 20464e90a8aSGreg Kroah-Hartman 20564e90a8aSGreg Kroah-Hartman If you wish for all usermode helper programs are to be 20664e90a8aSGreg Kroah-Hartman disabled, choose this option and then set 20764e90a8aSGreg Kroah-Hartman STATIC_USERMODEHELPER_PATH to an empty string. 20864e90a8aSGreg Kroah-Hartman 20964e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER_PATH 21064e90a8aSGreg Kroah-Hartman string "Path to the static usermode helper binary" 21164e90a8aSGreg Kroah-Hartman depends on STATIC_USERMODEHELPER 21264e90a8aSGreg Kroah-Hartman default "/sbin/usermode-helper" 21364e90a8aSGreg Kroah-Hartman help 21464e90a8aSGreg Kroah-Hartman The binary called by the kernel when any usermode helper 21564e90a8aSGreg Kroah-Hartman program is wish to be run. The "real" application's name will 21664e90a8aSGreg Kroah-Hartman be in the first argument passed to this program on the command 21764e90a8aSGreg Kroah-Hartman line. 21864e90a8aSGreg Kroah-Hartman 21964e90a8aSGreg Kroah-Hartman If you wish for all usermode helper programs to be disabled, 22064e90a8aSGreg Kroah-Hartman specify an empty string here (i.e. ""). 22164e90a8aSGreg Kroah-Hartman 2221da177e4SLinus Torvaldssource security/selinux/Kconfig 223e114e473SCasey Schauflersource security/smack/Kconfig 22400d7d6f8SKentaro Takedasource security/tomoyo/Kconfig 225f9ad1af5SJohn Johansensource security/apparmor/Kconfig 2269b091556SKees Cooksource security/loadpin/Kconfig 2272d514487SKees Cooksource security/yama/Kconfig 2281da177e4SLinus Torvalds 229f381c272SMimi Zoharsource security/integrity/Kconfig 2303323eec9SMimi Zohar 2316e65f92fSJohn Johansenchoice 2326e65f92fSJohn Johansen prompt "Default security module" 2336e65f92fSJohn Johansen default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 2346e65f92fSJohn Johansen default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 2356e65f92fSJohn Johansen default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 236f9ad1af5SJohn Johansen default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 2376e65f92fSJohn Johansen default DEFAULT_SECURITY_DAC 2386e65f92fSJohn Johansen 2396e65f92fSJohn Johansen help 2406e65f92fSJohn Johansen Select the security module that will be used by default if the 2416e65f92fSJohn Johansen kernel parameter security= is not specified. 2426e65f92fSJohn Johansen 2436e65f92fSJohn Johansen config DEFAULT_SECURITY_SELINUX 2446e65f92fSJohn Johansen bool "SELinux" if SECURITY_SELINUX=y 2456e65f92fSJohn Johansen 2466e65f92fSJohn Johansen config DEFAULT_SECURITY_SMACK 2476e65f92fSJohn Johansen bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 2486e65f92fSJohn Johansen 2496e65f92fSJohn Johansen config DEFAULT_SECURITY_TOMOYO 2506e65f92fSJohn Johansen bool "TOMOYO" if SECURITY_TOMOYO=y 2516e65f92fSJohn Johansen 252f9ad1af5SJohn Johansen config DEFAULT_SECURITY_APPARMOR 253f9ad1af5SJohn Johansen bool "AppArmor" if SECURITY_APPARMOR=y 254f9ad1af5SJohn Johansen 2556e65f92fSJohn Johansen config DEFAULT_SECURITY_DAC 2566e65f92fSJohn Johansen bool "Unix Discretionary Access Controls" 2576e65f92fSJohn Johansen 2586e65f92fSJohn Johansenendchoice 2596e65f92fSJohn Johansen 2606e65f92fSJohn Johansenconfig DEFAULT_SECURITY 2616e65f92fSJohn Johansen string 2626e65f92fSJohn Johansen default "selinux" if DEFAULT_SECURITY_SELINUX 2636e65f92fSJohn Johansen default "smack" if DEFAULT_SECURITY_SMACK 2646e65f92fSJohn Johansen default "tomoyo" if DEFAULT_SECURITY_TOMOYO 265f9ad1af5SJohn Johansen default "apparmor" if DEFAULT_SECURITY_APPARMOR 2666e65f92fSJohn Johansen default "" if DEFAULT_SECURITY_DAC 2676e65f92fSJohn Johansen 2681da177e4SLinus Torvaldsendmenu 2691da177e4SLinus Torvalds 270