1# SPDX-License-Identifier: GPL-2.0-only 2# 3# Security configuration 4# 5 6menu "Security options" 7 8source "security/keys/Kconfig" 9 10config SECURITY_DMESG_RESTRICT 11 bool "Restrict unprivileged access to the kernel syslog" 12 default n 13 help 14 This enforces restrictions on unprivileged users reading the kernel 15 syslog via dmesg(8). 16 17 If this option is not selected, no restrictions will be enforced 18 unless the dmesg_restrict sysctl is explicitly set to (1). 19 20 If you are unsure how to answer this question, answer N. 21 22config SECURITY 23 bool "Enable different security models" 24 depends on SYSFS 25 depends on MULTIUSER 26 help 27 This allows you to choose different security modules to be 28 configured into your kernel. 29 30 If this option is not selected, the default Linux security 31 model will be used. 32 33 If you are unsure how to answer this question, answer N. 34 35config SECURITY_WRITABLE_HOOKS 36 depends on SECURITY 37 bool 38 default n 39 40config SECURITYFS 41 bool "Enable the securityfs filesystem" 42 help 43 This will build the securityfs filesystem. It is currently used by 44 various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). 45 46 If you are unsure how to answer this question, answer N. 47 48config SECURITY_NETWORK 49 bool "Socket and Networking Security Hooks" 50 depends on SECURITY 51 help 52 This enables the socket and networking security hooks. 53 If enabled, a security module can use these hooks to 54 implement socket and networking access controls. 55 If you are unsure how to answer this question, answer N. 56 57config SECURITY_INFINIBAND 58 bool "Infiniband Security Hooks" 59 depends on SECURITY && INFINIBAND 60 help 61 This enables the Infiniband security hooks. 62 If enabled, a security module can use these hooks to 63 implement Infiniband access controls. 64 If you are unsure how to answer this question, answer N. 65 66config SECURITY_NETWORK_XFRM 67 bool "XFRM (IPSec) Networking Security Hooks" 68 depends on XFRM && SECURITY_NETWORK 69 help 70 This enables the XFRM (IPSec) networking security hooks. 71 If enabled, a security module can use these hooks to 72 implement per-packet access controls based on labels 73 derived from IPSec policy. Non-IPSec communications are 74 designated as unlabelled, and only sockets authorized 75 to communicate unlabelled data can send without using 76 IPSec. 77 If you are unsure how to answer this question, answer N. 78 79config SECURITY_PATH 80 bool "Security hooks for pathname based access control" 81 depends on SECURITY 82 help 83 This enables the security hooks for pathname based access control. 84 If enabled, a security module can use these hooks to 85 implement pathname based access controls. 86 If you are unsure how to answer this question, answer N. 87 88config INTEL_TXT 89 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 90 depends on HAVE_INTEL_TXT 91 help 92 This option enables support for booting the kernel with the 93 Trusted Boot (tboot) module. This will utilize 94 Intel(R) Trusted Execution Technology to perform a measured launch 95 of the kernel. If the system does not support Intel(R) TXT, this 96 will have no effect. 97 98 Intel TXT will provide higher assurance of system configuration and 99 initial state as well as data reset protection. This is used to 100 create a robust initial kernel measurement and verification, which 101 helps to ensure that kernel security mechanisms are functioning 102 correctly. This level of protection requires a root of trust outside 103 of the kernel itself. 104 105 Intel TXT also helps solve real end user concerns about having 106 confidence that their hardware is running the VMM or kernel that 107 it was configured with, especially since they may be responsible for 108 providing such assurances to VMs and services running on it. 109 110 See <https://www.intel.com/technology/security/> for more information 111 about Intel(R) TXT. 112 See <http://tboot.sourceforge.net> for more information about tboot. 113 See Documentation/x86/intel_txt.rst for a description of how to enable 114 Intel TXT support in a kernel boot. 115 116 If you are unsure as to whether this is required, answer N. 117 118config LSM_MMAP_MIN_ADDR 119 int "Low address space for LSM to protect from user allocation" 120 depends on SECURITY && SECURITY_SELINUX 121 default 32768 if ARM || (ARM64 && COMPAT) 122 default 65536 123 help 124 This is the portion of low virtual memory which should be protected 125 from userspace allocation. Keeping a user from writing to low pages 126 can help reduce the impact of kernel NULL pointer bugs. 127 128 For most ia64, ppc64 and x86 users with lots of address space 129 a value of 65536 is reasonable and should cause no problems. 130 On arm and other archs it should not be higher than 32768. 131 Programs which use vm86 functionality or have some need to map 132 this low address space will need the permission specific to the 133 systems running LSM. 134 135config HAVE_HARDENED_USERCOPY_ALLOCATOR 136 bool 137 help 138 The heap allocator implements __check_heap_object() for 139 validating memory ranges against heap object sizes in 140 support of CONFIG_HARDENED_USERCOPY. 141 142config HARDENED_USERCOPY 143 bool "Harden memory copies between kernel and userspace" 144 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 145 imply STRICT_DEVMEM 146 help 147 This option checks for obviously wrong memory regions when 148 copying memory to/from the kernel (via copy_to_user() and 149 copy_from_user() functions) by rejecting memory ranges that 150 are larger than the specified heap object, span multiple 151 separately allocated pages, are not on the process stack, 152 or are part of the kernel text. This kills entire classes 153 of heap overflow exploits and similar kernel memory exposures. 154 155config HARDENED_USERCOPY_FALLBACK 156 bool "Allow usercopy whitelist violations to fallback to object size" 157 depends on HARDENED_USERCOPY 158 default y 159 help 160 This is a temporary option that allows missing usercopy whitelists 161 to be discovered via a WARN() to the kernel log, instead of 162 rejecting the copy, falling back to non-whitelisted hardened 163 usercopy that checks the slab allocation size instead of the 164 whitelist size. This option will be removed once it seems like 165 all missing usercopy whitelists have been identified and fixed. 166 Booting with "slab_common.usercopy_fallback=Y/N" can change 167 this setting. 168 169config HARDENED_USERCOPY_PAGESPAN 170 bool "Refuse to copy allocations that span multiple pages" 171 depends on HARDENED_USERCOPY 172 depends on EXPERT 173 help 174 When a multi-page allocation is done without __GFP_COMP, 175 hardened usercopy will reject attempts to copy it. There are, 176 however, several cases of this in the kernel that have not all 177 been removed. This config is intended to be used only while 178 trying to find such users. 179 180config FORTIFY_SOURCE 181 bool "Harden common str/mem functions against buffer overflows" 182 depends on ARCH_HAS_FORTIFY_SOURCE 183 # https://bugs.llvm.org/show_bug.cgi?id=50322 184 # https://bugs.llvm.org/show_bug.cgi?id=41459 185 depends on !CC_IS_CLANG 186 help 187 Detect overflows of buffers in common string and memory functions 188 where the compiler can determine and validate the buffer sizes. 189 190config STATIC_USERMODEHELPER 191 bool "Force all usermode helper calls through a single binary" 192 help 193 By default, the kernel can call many different userspace 194 binary programs through the "usermode helper" kernel 195 interface. Some of these binaries are statically defined 196 either in the kernel code itself, or as a kernel configuration 197 option. However, some of these are dynamically created at 198 runtime, or can be modified after the kernel has started up. 199 To provide an additional layer of security, route all of these 200 calls through a single executable that can not have its name 201 changed. 202 203 Note, it is up to this single binary to then call the relevant 204 "real" usermode helper binary, based on the first argument 205 passed to it. If desired, this program can filter and pick 206 and choose what real programs are called. 207 208 If you wish for all usermode helper programs are to be 209 disabled, choose this option and then set 210 STATIC_USERMODEHELPER_PATH to an empty string. 211 212config STATIC_USERMODEHELPER_PATH 213 string "Path to the static usermode helper binary" 214 depends on STATIC_USERMODEHELPER 215 default "/sbin/usermode-helper" 216 help 217 The binary called by the kernel when any usermode helper 218 program is wish to be run. The "real" application's name will 219 be in the first argument passed to this program on the command 220 line. 221 222 If you wish for all usermode helper programs to be disabled, 223 specify an empty string here (i.e. ""). 224 225source "security/selinux/Kconfig" 226source "security/smack/Kconfig" 227source "security/tomoyo/Kconfig" 228source "security/apparmor/Kconfig" 229source "security/loadpin/Kconfig" 230source "security/yama/Kconfig" 231source "security/safesetid/Kconfig" 232source "security/lockdown/Kconfig" 233source "security/xpm/Kconfig" 234 235source "security/integrity/Kconfig" 236 237choice 238 prompt "First legacy 'major LSM' to be initialized" 239 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 240 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 241 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 242 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 243 default DEFAULT_SECURITY_DAC 244 245 help 246 This choice is there only for converting CONFIG_DEFAULT_SECURITY 247 in old kernel configs to CONFIG_LSM in new kernel configs. Don't 248 change this choice unless you are creating a fresh kernel config, 249 for this choice will be ignored after CONFIG_LSM has been set. 250 251 Selects the legacy "major security module" that will be 252 initialized first. Overridden by non-default CONFIG_LSM. 253 254 config DEFAULT_SECURITY_SELINUX 255 bool "SELinux" if SECURITY_SELINUX=y 256 257 config DEFAULT_SECURITY_SMACK 258 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 259 260 config DEFAULT_SECURITY_TOMOYO 261 bool "TOMOYO" if SECURITY_TOMOYO=y 262 263 config DEFAULT_SECURITY_APPARMOR 264 bool "AppArmor" if SECURITY_APPARMOR=y 265 266 config DEFAULT_SECURITY_DAC 267 bool "Unix Discretionary Access Controls" 268 269endchoice 270 271config LSM 272 string "Ordered list of enabled LSMs" 273 default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK 274 default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR 275 default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO 276 default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC 277 default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" 278 help 279 A comma-separated list of LSMs, in initialization order. 280 Any LSMs left off this list will be ignored. This can be 281 controlled at boot with the "lsm=" parameter. 282 283 If unsure, leave this as the default. 284 285source "security/Kconfig.hardening" 286 287endmenu 288 289