1# SPDX-License-Identifier: GPL-2.0-only 2# 3# Security configuration 4# 5 6menu "Security options" 7 8source "security/keys/Kconfig" 9 10config SECURITY_DMESG_RESTRICT 11 bool "Restrict unprivileged access to the kernel syslog" 12 default n 13 help 14 This enforces restrictions on unprivileged users reading the kernel 15 syslog via dmesg(8). 16 17 If this option is not selected, no restrictions will be enforced 18 unless the dmesg_restrict sysctl is explicitly set to (1). 19 20 If you are unsure how to answer this question, answer N. 21 22config SECURITY 23 bool "Enable different security models" 24 depends on SYSFS 25 depends on MULTIUSER 26 help 27 This allows you to choose different security modules to be 28 configured into your kernel. 29 30 If this option is not selected, the default Linux security 31 model will be used. 32 33 If you are unsure how to answer this question, answer N. 34 35config SECURITY_WRITABLE_HOOKS 36 depends on SECURITY 37 bool 38 default n 39 40config SECURITYFS 41 bool "Enable the securityfs filesystem" 42 help 43 This will build the securityfs filesystem. It is currently used by 44 various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). 45 46 If you are unsure how to answer this question, answer N. 47 48config SECURITY_NETWORK 49 bool "Socket and Networking Security Hooks" 50 depends on SECURITY 51 help 52 This enables the socket and networking security hooks. 53 If enabled, a security module can use these hooks to 54 implement socket and networking access controls. 55 If you are unsure how to answer this question, answer N. 56 57config PAGE_TABLE_ISOLATION 58 bool "Remove the kernel mapping in user mode" 59 default y 60 depends on (X86_64 || X86_PAE) && !UML 61 help 62 This feature reduces the number of hardware side channels by 63 ensuring that the majority of kernel addresses are not mapped 64 into userspace. 65 66 See Documentation/x86/pti.rst for more details. 67 68config SECURITY_INFINIBAND 69 bool "Infiniband Security Hooks" 70 depends on SECURITY && INFINIBAND 71 help 72 This enables the Infiniband security hooks. 73 If enabled, a security module can use these hooks to 74 implement Infiniband access controls. 75 If you are unsure how to answer this question, answer N. 76 77config SECURITY_NETWORK_XFRM 78 bool "XFRM (IPSec) Networking Security Hooks" 79 depends on XFRM && SECURITY_NETWORK 80 help 81 This enables the XFRM (IPSec) networking security hooks. 82 If enabled, a security module can use these hooks to 83 implement per-packet access controls based on labels 84 derived from IPSec policy. Non-IPSec communications are 85 designated as unlabelled, and only sockets authorized 86 to communicate unlabelled data can send without using 87 IPSec. 88 If you are unsure how to answer this question, answer N. 89 90config SECURITY_PATH 91 bool "Security hooks for pathname based access control" 92 depends on SECURITY 93 help 94 This enables the security hooks for pathname based access control. 95 If enabled, a security module can use these hooks to 96 implement pathname based access controls. 97 If you are unsure how to answer this question, answer N. 98 99config INTEL_TXT 100 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 101 depends on HAVE_INTEL_TXT 102 help 103 This option enables support for booting the kernel with the 104 Trusted Boot (tboot) module. This will utilize 105 Intel(R) Trusted Execution Technology to perform a measured launch 106 of the kernel. If the system does not support Intel(R) TXT, this 107 will have no effect. 108 109 Intel TXT will provide higher assurance of system configuration and 110 initial state as well as data reset protection. This is used to 111 create a robust initial kernel measurement and verification, which 112 helps to ensure that kernel security mechanisms are functioning 113 correctly. This level of protection requires a root of trust outside 114 of the kernel itself. 115 116 Intel TXT also helps solve real end user concerns about having 117 confidence that their hardware is running the VMM or kernel that 118 it was configured with, especially since they may be responsible for 119 providing such assurances to VMs and services running on it. 120 121 See <https://www.intel.com/technology/security/> for more information 122 about Intel(R) TXT. 123 See <http://tboot.sourceforge.net> for more information about tboot. 124 See Documentation/x86/intel_txt.rst for a description of how to enable 125 Intel TXT support in a kernel boot. 126 127 If you are unsure as to whether this is required, answer N. 128 129config LSM_MMAP_MIN_ADDR 130 int "Low address space for LSM to protect from user allocation" 131 depends on SECURITY && SECURITY_SELINUX 132 default 32768 if ARM || (ARM64 && COMPAT) 133 default 65536 134 help 135 This is the portion of low virtual memory which should be protected 136 from userspace allocation. Keeping a user from writing to low pages 137 can help reduce the impact of kernel NULL pointer bugs. 138 139 For most ia64, ppc64 and x86 users with lots of address space 140 a value of 65536 is reasonable and should cause no problems. 141 On arm and other archs it should not be higher than 32768. 142 Programs which use vm86 functionality or have some need to map 143 this low address space will need the permission specific to the 144 systems running LSM. 145 146config HAVE_HARDENED_USERCOPY_ALLOCATOR 147 bool 148 help 149 The heap allocator implements __check_heap_object() for 150 validating memory ranges against heap object sizes in 151 support of CONFIG_HARDENED_USERCOPY. 152 153config HARDENED_USERCOPY 154 bool "Harden memory copies between kernel and userspace" 155 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 156 imply STRICT_DEVMEM 157 help 158 This option checks for obviously wrong memory regions when 159 copying memory to/from the kernel (via copy_to_user() and 160 copy_from_user() functions) by rejecting memory ranges that 161 are larger than the specified heap object, span multiple 162 separately allocated pages, are not on the process stack, 163 or are part of the kernel text. This kills entire classes 164 of heap overflow exploits and similar kernel memory exposures. 165 166config HARDENED_USERCOPY_FALLBACK 167 bool "Allow usercopy whitelist violations to fallback to object size" 168 depends on HARDENED_USERCOPY 169 default y 170 help 171 This is a temporary option that allows missing usercopy whitelists 172 to be discovered via a WARN() to the kernel log, instead of 173 rejecting the copy, falling back to non-whitelisted hardened 174 usercopy that checks the slab allocation size instead of the 175 whitelist size. This option will be removed once it seems like 176 all missing usercopy whitelists have been identified and fixed. 177 Booting with "slab_common.usercopy_fallback=Y/N" can change 178 this setting. 179 180config HARDENED_USERCOPY_PAGESPAN 181 bool "Refuse to copy allocations that span multiple pages" 182 depends on HARDENED_USERCOPY 183 depends on EXPERT 184 help 185 When a multi-page allocation is done without __GFP_COMP, 186 hardened usercopy will reject attempts to copy it. There are, 187 however, several cases of this in the kernel that have not all 188 been removed. This config is intended to be used only while 189 trying to find such users. 190 191config FORTIFY_SOURCE 192 bool "Harden common str/mem functions against buffer overflows" 193 depends on ARCH_HAS_FORTIFY_SOURCE 194 # https://bugs.llvm.org/show_bug.cgi?id=50322 195 # https://bugs.llvm.org/show_bug.cgi?id=41459 196 depends on !CC_IS_CLANG 197 help 198 Detect overflows of buffers in common string and memory functions 199 where the compiler can determine and validate the buffer sizes. 200 201config STATIC_USERMODEHELPER 202 bool "Force all usermode helper calls through a single binary" 203 help 204 By default, the kernel can call many different userspace 205 binary programs through the "usermode helper" kernel 206 interface. Some of these binaries are statically defined 207 either in the kernel code itself, or as a kernel configuration 208 option. However, some of these are dynamically created at 209 runtime, or can be modified after the kernel has started up. 210 To provide an additional layer of security, route all of these 211 calls through a single executable that can not have its name 212 changed. 213 214 Note, it is up to this single binary to then call the relevant 215 "real" usermode helper binary, based on the first argument 216 passed to it. If desired, this program can filter and pick 217 and choose what real programs are called. 218 219 If you wish for all usermode helper programs are to be 220 disabled, choose this option and then set 221 STATIC_USERMODEHELPER_PATH to an empty string. 222 223config STATIC_USERMODEHELPER_PATH 224 string "Path to the static usermode helper binary" 225 depends on STATIC_USERMODEHELPER 226 default "/sbin/usermode-helper" 227 help 228 The binary called by the kernel when any usermode helper 229 program is wish to be run. The "real" application's name will 230 be in the first argument passed to this program on the command 231 line. 232 233 If you wish for all usermode helper programs to be disabled, 234 specify an empty string here (i.e. ""). 235 236source "security/selinux/Kconfig" 237source "security/smack/Kconfig" 238source "security/tomoyo/Kconfig" 239source "security/apparmor/Kconfig" 240source "security/loadpin/Kconfig" 241source "security/yama/Kconfig" 242source "security/safesetid/Kconfig" 243source "security/lockdown/Kconfig" 244source "security/landlock/Kconfig" 245 246source "security/integrity/Kconfig" 247 248choice 249 prompt "First legacy 'major LSM' to be initialized" 250 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 251 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 252 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 253 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 254 default DEFAULT_SECURITY_DAC 255 256 help 257 This choice is there only for converting CONFIG_DEFAULT_SECURITY 258 in old kernel configs to CONFIG_LSM in new kernel configs. Don't 259 change this choice unless you are creating a fresh kernel config, 260 for this choice will be ignored after CONFIG_LSM has been set. 261 262 Selects the legacy "major security module" that will be 263 initialized first. Overridden by non-default CONFIG_LSM. 264 265 config DEFAULT_SECURITY_SELINUX 266 bool "SELinux" if SECURITY_SELINUX=y 267 268 config DEFAULT_SECURITY_SMACK 269 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 270 271 config DEFAULT_SECURITY_TOMOYO 272 bool "TOMOYO" if SECURITY_TOMOYO=y 273 274 config DEFAULT_SECURITY_APPARMOR 275 bool "AppArmor" if SECURITY_APPARMOR=y 276 277 config DEFAULT_SECURITY_DAC 278 bool "Unix Discretionary Access Controls" 279 280endchoice 281 282config LSM 283 string "Ordered list of enabled LSMs" 284 default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK 285 default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR 286 default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO 287 default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC 288 default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" 289 help 290 A comma-separated list of LSMs, in initialization order. 291 Any LSMs left off this list will be ignored. This can be 292 controlled at boot with the "lsm=" parameter. 293 294 If unsure, leave this as the default. 295 296source "security/Kconfig.hardening" 297 298endmenu 299 300