1# 2# Security configuration 3# 4 5menu "Security options" 6 7source "security/keys/Kconfig" 8 9config SECURITY_DMESG_RESTRICT 10 bool "Restrict unprivileged access to the kernel syslog" 11 default n 12 help 13 This enforces restrictions on unprivileged users reading the kernel 14 syslog via dmesg(8). 15 16 If this option is not selected, no restrictions will be enforced 17 unless the dmesg_restrict sysctl is explicitly set to (1). 18 19 If you are unsure how to answer this question, answer N. 20 21config SECURITY 22 bool "Enable different security models" 23 depends on SYSFS 24 depends on MULTIUSER 25 help 26 This allows you to choose different security modules to be 27 configured into your kernel. 28 29 If this option is not selected, the default Linux security 30 model will be used. 31 32 If you are unsure how to answer this question, answer N. 33 34config SECURITY_WRITABLE_HOOKS 35 depends on SECURITY 36 bool 37 default n 38 39config SECURITYFS 40 bool "Enable the securityfs filesystem" 41 help 42 This will build the securityfs filesystem. It is currently used by 43 various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). 44 45 If you are unsure how to answer this question, answer N. 46 47config SECURITY_NETWORK 48 bool "Socket and Networking Security Hooks" 49 depends on SECURITY 50 help 51 This enables the socket and networking security hooks. 52 If enabled, a security module can use these hooks to 53 implement socket and networking access controls. 54 If you are unsure how to answer this question, answer N. 55 56config PAGE_TABLE_ISOLATION 57 bool "Remove the kernel mapping in user mode" 58 default y 59 depends on (X86_64 || X86_PAE) && !UML 60 help 61 This feature reduces the number of hardware side channels by 62 ensuring that the majority of kernel addresses are not mapped 63 into userspace. 64 65 See Documentation/x86/pti.txt for more details. 66 67config SECURITY_INFINIBAND 68 bool "Infiniband Security Hooks" 69 depends on SECURITY && INFINIBAND 70 help 71 This enables the Infiniband security hooks. 72 If enabled, a security module can use these hooks to 73 implement Infiniband access controls. 74 If you are unsure how to answer this question, answer N. 75 76config SECURITY_NETWORK_XFRM 77 bool "XFRM (IPSec) Networking Security Hooks" 78 depends on XFRM && SECURITY_NETWORK 79 help 80 This enables the XFRM (IPSec) networking security hooks. 81 If enabled, a security module can use these hooks to 82 implement per-packet access controls based on labels 83 derived from IPSec policy. Non-IPSec communications are 84 designated as unlabelled, and only sockets authorized 85 to communicate unlabelled data can send without using 86 IPSec. 87 If you are unsure how to answer this question, answer N. 88 89config SECURITY_PATH 90 bool "Security hooks for pathname based access control" 91 depends on SECURITY 92 help 93 This enables the security hooks for pathname based access control. 94 If enabled, a security module can use these hooks to 95 implement pathname based access controls. 96 If you are unsure how to answer this question, answer N. 97 98config INTEL_TXT 99 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 100 depends on HAVE_INTEL_TXT 101 help 102 This option enables support for booting the kernel with the 103 Trusted Boot (tboot) module. This will utilize 104 Intel(R) Trusted Execution Technology to perform a measured launch 105 of the kernel. If the system does not support Intel(R) TXT, this 106 will have no effect. 107 108 Intel TXT will provide higher assurance of system configuration and 109 initial state as well as data reset protection. This is used to 110 create a robust initial kernel measurement and verification, which 111 helps to ensure that kernel security mechanisms are functioning 112 correctly. This level of protection requires a root of trust outside 113 of the kernel itself. 114 115 Intel TXT also helps solve real end user concerns about having 116 confidence that their hardware is running the VMM or kernel that 117 it was configured with, especially since they may be responsible for 118 providing such assurances to VMs and services running on it. 119 120 See <http://www.intel.com/technology/security/> for more information 121 about Intel(R) TXT. 122 See <http://tboot.sourceforge.net> for more information about tboot. 123 See Documentation/intel_txt.txt for a description of how to enable 124 Intel TXT support in a kernel boot. 125 126 If you are unsure as to whether this is required, answer N. 127 128config LSM_MMAP_MIN_ADDR 129 int "Low address space for LSM to protect from user allocation" 130 depends on SECURITY && SECURITY_SELINUX 131 default 32768 if ARM || (ARM64 && COMPAT) 132 default 65536 133 help 134 This is the portion of low virtual memory which should be protected 135 from userspace allocation. Keeping a user from writing to low pages 136 can help reduce the impact of kernel NULL pointer bugs. 137 138 For most ia64, ppc64 and x86 users with lots of address space 139 a value of 65536 is reasonable and should cause no problems. 140 On arm and other archs it should not be higher than 32768. 141 Programs which use vm86 functionality or have some need to map 142 this low address space will need the permission specific to the 143 systems running LSM. 144 145config HAVE_HARDENED_USERCOPY_ALLOCATOR 146 bool 147 help 148 The heap allocator implements __check_heap_object() for 149 validating memory ranges against heap object sizes in 150 support of CONFIG_HARDENED_USERCOPY. 151 152config HARDENED_USERCOPY 153 bool "Harden memory copies between kernel and userspace" 154 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 155 imply STRICT_DEVMEM 156 help 157 This option checks for obviously wrong memory regions when 158 copying memory to/from the kernel (via copy_to_user() and 159 copy_from_user() functions) by rejecting memory ranges that 160 are larger than the specified heap object, span multiple 161 separately allocated pages, are not on the process stack, 162 or are part of the kernel text. This kills entire classes 163 of heap overflow exploits and similar kernel memory exposures. 164 165config HARDENED_USERCOPY_FALLBACK 166 bool "Allow usercopy whitelist violations to fallback to object size" 167 depends on HARDENED_USERCOPY 168 default y 169 help 170 This is a temporary option that allows missing usercopy whitelists 171 to be discovered via a WARN() to the kernel log, instead of 172 rejecting the copy, falling back to non-whitelisted hardened 173 usercopy that checks the slab allocation size instead of the 174 whitelist size. This option will be removed once it seems like 175 all missing usercopy whitelists have been identified and fixed. 176 Booting with "slab_common.usercopy_fallback=Y/N" can change 177 this setting. 178 179config HARDENED_USERCOPY_PAGESPAN 180 bool "Refuse to copy allocations that span multiple pages" 181 depends on HARDENED_USERCOPY 182 depends on EXPERT 183 help 184 When a multi-page allocation is done without __GFP_COMP, 185 hardened usercopy will reject attempts to copy it. There are, 186 however, several cases of this in the kernel that have not all 187 been removed. This config is intended to be used only while 188 trying to find such users. 189 190config FORTIFY_SOURCE 191 bool "Harden common str/mem functions against buffer overflows" 192 depends on ARCH_HAS_FORTIFY_SOURCE 193 help 194 Detect overflows of buffers in common string and memory functions 195 where the compiler can determine and validate the buffer sizes. 196 197config STATIC_USERMODEHELPER 198 bool "Force all usermode helper calls through a single binary" 199 help 200 By default, the kernel can call many different userspace 201 binary programs through the "usermode helper" kernel 202 interface. Some of these binaries are statically defined 203 either in the kernel code itself, or as a kernel configuration 204 option. However, some of these are dynamically created at 205 runtime, or can be modified after the kernel has started up. 206 To provide an additional layer of security, route all of these 207 calls through a single executable that can not have its name 208 changed. 209 210 Note, it is up to this single binary to then call the relevant 211 "real" usermode helper binary, based on the first argument 212 passed to it. If desired, this program can filter and pick 213 and choose what real programs are called. 214 215 If you wish for all usermode helper programs are to be 216 disabled, choose this option and then set 217 STATIC_USERMODEHELPER_PATH to an empty string. 218 219config STATIC_USERMODEHELPER_PATH 220 string "Path to the static usermode helper binary" 221 depends on STATIC_USERMODEHELPER 222 default "/sbin/usermode-helper" 223 help 224 The binary called by the kernel when any usermode helper 225 program is wish to be run. The "real" application's name will 226 be in the first argument passed to this program on the command 227 line. 228 229 If you wish for all usermode helper programs to be disabled, 230 specify an empty string here (i.e. ""). 231 232source "security/selinux/Kconfig" 233source "security/smack/Kconfig" 234source "security/tomoyo/Kconfig" 235source "security/apparmor/Kconfig" 236source "security/loadpin/Kconfig" 237source "security/yama/Kconfig" 238source "security/safesetid/Kconfig" 239 240source "security/integrity/Kconfig" 241 242choice 243 prompt "First legacy 'major LSM' to be initialized" 244 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 245 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 246 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 247 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 248 default DEFAULT_SECURITY_DAC 249 250 help 251 This choice is there only for converting CONFIG_DEFAULT_SECURITY 252 in old kernel configs to CONFIG_LSM in new kernel configs. Don't 253 change this choice unless you are creating a fresh kernel config, 254 for this choice will be ignored after CONFIG_LSM has been set. 255 256 Selects the legacy "major security module" that will be 257 initialized first. Overridden by non-default CONFIG_LSM. 258 259 config DEFAULT_SECURITY_SELINUX 260 bool "SELinux" if SECURITY_SELINUX=y 261 262 config DEFAULT_SECURITY_SMACK 263 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 264 265 config DEFAULT_SECURITY_TOMOYO 266 bool "TOMOYO" if SECURITY_TOMOYO=y 267 268 config DEFAULT_SECURITY_APPARMOR 269 bool "AppArmor" if SECURITY_APPARMOR=y 270 271 config DEFAULT_SECURITY_DAC 272 bool "Unix Discretionary Access Controls" 273 274endchoice 275 276config LSM 277 string "Ordered list of enabled LSMs" 278 default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK 279 default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR 280 default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO 281 default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC 282 default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" 283 help 284 A comma-separated list of LSMs, in initialization order. 285 Any LSMs left off this list will be ignored. This can be 286 controlled at boot with the "lsm=" parameter. 287 288 If unsure, leave this as the default. 289 290source "security/Kconfig.hardening" 291 292endmenu 293 294