linux/security/lockdown/Kconfig
config SECURITY_LOCKDOWN_LSM
        bool "Basic module for enforcing kernel lockdown"
        depends on SECURITY
        select MODULE_SIG if MODULES
        help
          Build support for an LSM that enforces a coarse kernel lockdown
          behaviour.

config SECURITY_LOCKDOWN_LSM_EARLY
        bool "Enable lockdown LSM early in init"
        depends on SECURITY_LOCKDOWN_LSM
        help
          Enable the lockdown LSM early in boot. This is necessary in order
          to ensure that lockdown enforcement can be carried out on kernel
          boot parameters that are otherwise parsed before the security
          subsystem is fully initialised. If enabled, lockdown will
          unconditionally be called before any other LSMs.

choice
        prompt "Kernel default lockdown mode"
        default LOCK_DOWN_KERNEL_FORCE_NONE
        depends on SECURITY_LOCKDOWN_LSM
        help
          The kernel can be configured to default to differing levels of
          lockdown.

config LOCK_DOWN_KERNEL_FORCE_NONE
        bool "None"
        help
          No lockdown functionality is enabled by default. Lockdown may be
          enabled via the kernel commandline or /sys/kernel/security/lockdown.

config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
        bool "Integrity"
        help
         The kernel runs in integrity mode by default. Features that allow
         the kernel to be modified at runtime are disabled.

config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
        bool "Confidentiality"
        help
         The kernel runs in confidentiality mode by default. Features that
         allow the kernel to be modified at runtime or that permit userland
         code to read confidential material held inside the kernel are
         disabled.

endchoice
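An audit check built on the symbols above, added here as an example and not part of the kernel tree: it reports the default mode compiled into a `.config` and tests whether the active mode in `/sys/kernel/security/lockdown` meets a required level. The function names, the sample inputs, and the bracketed file format (taken from kernel_lockdown(7), not from this file) are assumptions.

```shell
#!/bin/sh
# Added example: audit the compiled-in lockdown default and the active mode.
# File paths are parameters so the functions also work on offline copies.

# Print the compiled-in default: disabled | none | integrity | confidentiality.
lockdown_default() {
    grep -q '^CONFIG_SECURITY_LOCKDOWN_LSM=y' "$1" || { echo disabled; return 0; }
    for m in CONFIDENTIALITY INTEGRITY; do
        if grep -q "^CONFIG_LOCK_DOWN_KERNEL_FORCE_${m}=y" "$1"; then
            echo "$m" | tr '[:upper:]' '[:lower:]'
            return 0
        fi
    done
    echo none   # LOCK_DOWN_KERNEL_FORCE_NONE is the choice default
}

# Print the active mode. Assumed format (kernel_lockdown(7), not this file):
# all modes on one line, the active one bracketed: "none [integrity] confidentiality".
lockdown_active() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Map a mode name to a rank; unknown or empty input ranks below "none".
lockdown_rank() {
    case "$1" in
        none) echo 0 ;; integrity) echo 1 ;; confidentiality) echo 2 ;;
        *) echo -1 ;;
    esac
}

# Succeed only if the active mode is at least as strict as REQUIRED.
# Fails closed when the file is missing or REQUIRED is not a known mode.
# usage: lockdown_meets REQUIRED LOCKDOWN_FILE
lockdown_meets() {
    want=$(lockdown_rank "$1")
    have=$(lockdown_rank "$(lockdown_active "$2" 2>/dev/null)")
    [ "$want" -ge 0 ] && [ "$have" -ge "$want" ]
}

# Demo on constructed sample input (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_LOCKDOWN_LSM=y' \
    '# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set' \
    'CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y' > "$demo_dir/config"
printf '%s\n' 'none [integrity] confidentiality' > "$demo_dir/lockdown"
echo "compiled default: $(lockdown_default "$demo_dir/config")"
echo "active mode:      $(lockdown_active "$demo_dir/lockdown")"
lockdown_meets confidentiality "$demo_dir/lockdown" || echo "below confidentiality"
rm -rf "$demo_dir"
```

On a live system, pass the running kernel's config file and `/sys/kernel/security/lockdown` as the two paths.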