config SECURITY_LOCKDOWN_LSM
	bool "Basic module for enforcing kernel lockdown"
	depends on SECURITY
	help
	  Build support for an LSM that enforces a coarse kernel lockdown
	  behaviour.

config SECURITY_LOCKDOWN_LSM_EARLY
	bool "Enable lockdown LSM early in init"
	depends on SECURITY_LOCKDOWN_LSM
	help
	  Enable the lockdown LSM early in boot. This is necessary in order
	  to ensure that lockdown enforcement can be carried out on kernel
	  boot parameters that are otherwise parsed before the security
	  subsystem is fully initialised. If enabled, lockdown will
	  unconditionally be called before any other LSMs.

choice
	prompt "Kernel default lockdown mode"
	default LOCK_DOWN_KERNEL_FORCE_NONE
	depends on SECURITY_LOCKDOWN_LSM
	help
	  The kernel can be configured to default to differing levels of
	  lockdown.

config LOCK_DOWN_KERNEL_FORCE_NONE
	bool "None"
	help
	  No lockdown functionality is enabled by default. Lockdown may be
	  enabled via the kernel commandline or /sys/kernel/security/lockdown.

config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
	bool "Integrity"
	help
	  The kernel runs in integrity mode by default. Features that allow
	  the kernel to be modified at runtime are disabled.

config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
	bool "Confidentiality"
	help
	  The kernel runs in confidentiality mode by default. Features that
	  allow the kernel to be modified at runtime or that permit userland
	  code to read confidential material held inside the kernel are
	  disabled.

endchoice
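The three modes above form a strict ordering: integrity mode denies operations that would let userland modify the running kernel, and confidentiality mode denies those plus operations that would let userland read secrets out of the kernel. The following shell helper is an added example, not part of the kernel's Kconfig or its lockdown LSM code. It parses the securityfs file that the LOCK_DOWN_KERNEL_FORCE_NONE help text refers to, /sys/kernel/security/lockdown, whose content lists the modes with the active one in square brackets (for example `[none] integrity confidentiality`), and then applies the Kconfig help text's rule to decide whether an operation class is denied in the active mode. The function names `lockdown_mode` and `lockdown_blocks` are hypothetical, and `SAMPLE` is a constructed copy of the file's content, so the script runs offline; on a real kernel, pipe the real file into `lockdown_mode` instead.

```shell
#!/bin/sh
# Added example (hypothetical helper, not kernel code): read the active
# lockdown mode from the securityfs file format and evaluate what it denies.

# lockdown_mode: reads the content of /sys/kernel/security/lockdown on stdin
# (e.g. "none [integrity] confidentiality") and prints the bracketed word.
# Prints "unknown" when no mode is bracketed, so callers never get an
# empty string.
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' | grep . || echo unknown
}

# lockdown_blocks MODE CLASS
#   MODE  = none | integrity | confidentiality   (from lockdown_mode)
#   CLASS = integrity | confidentiality          (what the operation touches)
# Mirrors the Kconfig help text: integrity-class operations (runtime kernel
# modification, e.g. loading an unsigned module) are denied in integrity
# and confidentiality modes; confidentiality-class operations (reading
# kernel-internal secrets from userland, e.g. /proc/kcore) are denied only
# in confidentiality mode.
# Exit status: 0 = denied, 1 = permitted, 2 = unrecognised arguments.
lockdown_blocks() {
    case "$1:$2" in
        integrity:integrity|confidentiality:integrity|confidentiality:confidentiality)
            return 0 ;;
        none:integrity|none:confidentiality|integrity:confidentiality)
            return 1 ;;
        *)
            return 2 ;;
    esac
}

# Constructed sample of the securityfs file on a kernel booted into
# integrity mode (same layout as the real /sys/kernel/security/lockdown).
SAMPLE='none [integrity] confidentiality'

# Usage: on a real system replace the printf with
#   mode=$(lockdown_mode < /sys/kernel/security/lockdown)
mode=$(printf '%s\n' "$SAMPLE" | lockdown_mode)
echo "active lockdown mode: $mode"
if lockdown_blocks "$mode" integrity; then
    echo "integrity-class operations (runtime kernel modification): denied"
else
    echo "integrity-class operations (runtime kernel modification): permitted"
fi
if lockdown_blocks "$mode" confidentiality; then
    echo "confidentiality-class operations (reading kernel secrets): denied"
else
    echo "confidentiality-class operations (reading kernel secrets): permitted"
fi
```

The script only classifies operations by the two categories the help text names; it does not attempt to enumerate the individual features the LSM gates, which are defined in the kernel source rather than in this Kconfig fragment.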