• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#
2# Security configuration
3#
4
5menu "Security options"
6
7source security/keys/Kconfig
8
9config SECURITY_DMESG_RESTRICT
10	bool "Restrict unprivileged access to the kernel syslog"
11	default n
12	help
13	  This enforces restrictions on unprivileged users reading the kernel
14	  syslog via dmesg(8).
15
16	  If this option is not selected, no restrictions will be enforced
17	  unless the dmesg_restrict sysctl is explicitly set to (1).
18
19	  If you are unsure how to answer this question, answer N.
20
21config SECURITY_PERF_EVENTS_RESTRICT
22	bool "Restrict unprivileged use of performance events"
23	depends on PERF_EVENTS
24	help
25	  If you say Y here, the kernel.perf_event_paranoid sysctl
26	  will be set to 3 by default, and no unprivileged use of the
27	  perf_event_open syscall will be permitted unless it is
28	  changed.
29
30config SECURITY
31	bool "Enable different security models"
32	depends on SYSFS
33	help
34	  This allows you to choose different security modules to be
35	  configured into your kernel.
36
37	  If this option is not selected, the default Linux security
38	  model will be used.
39
40	  If you are unsure how to answer this question, answer N.
41
42config SECURITYFS
43	bool "Enable the securityfs filesystem"
44	help
45	  This will build the securityfs filesystem.  It is currently used by
46	  the TPM bios character driver and IMA, an integrity provider.  It is
47	  not used by SELinux or SMACK.
48
49	  If you are unsure how to answer this question, answer N.
50
51config SECURITY_NETWORK
52	bool "Socket and Networking Security Hooks"
53	depends on SECURITY
54	help
55	  This enables the socket and networking security hooks.
56	  If enabled, a security module can use these hooks to
57	  implement socket and networking access controls.
58	  If you are unsure how to answer this question, answer N.
59
60config SECURITY_NETWORK_XFRM
61	bool "XFRM (IPSec) Networking Security Hooks"
62	depends on XFRM && SECURITY_NETWORK
63	help
64	  This enables the XFRM (IPSec) networking security hooks.
65	  If enabled, a security module can use these hooks to
66	  implement per-packet access controls based on labels
67	  derived from IPSec policy.  Non-IPSec communications are
68	  designated as unlabelled, and only sockets authorized
69	  to communicate unlabelled data can send without using
70	  IPSec.
71	  If you are unsure how to answer this question, answer N.
72
73config SECURITY_PATH
74	bool "Security hooks for pathname based access control"
75	depends on SECURITY
76	help
77	  This enables the security hooks for pathname based access control.
78	  If enabled, a security module can use these hooks to
79	  implement pathname based access controls.
80	  If you are unsure how to answer this question, answer N.
81
82config INTEL_TXT
83	bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
84	depends on HAVE_INTEL_TXT
85	help
86	  This option enables support for booting the kernel with the
87	  Trusted Boot (tboot) module. This will utilize
88	  Intel(R) Trusted Execution Technology to perform a measured launch
89	  of the kernel. If the system does not support Intel(R) TXT, this
90	  will have no effect.
91
92	  Intel TXT will provide higher assurance of system configuration and
93	  initial state as well as data reset protection.  This is used to
94	  create a robust initial kernel measurement and verification, which
95	  helps to ensure that kernel security mechanisms are functioning
96	  correctly. This level of protection requires a root of trust outside
97	  of the kernel itself.
98
99	  Intel TXT also helps solve real end user concerns about having
100	  confidence that their hardware is running the VMM or kernel that
101	  it was configured with, especially since they may be responsible for
102	  providing such assurances to VMs and services running on it.
103
104	  See <http://www.intel.com/technology/security/> for more information
105	  about Intel(R) TXT.
106	  See <http://tboot.sourceforge.net> for more information about tboot.
107	  See Documentation/intel_txt.txt for a description of how to enable
108	  Intel TXT support in a kernel boot.
109
110	  If you are unsure as to whether this is required, answer N.
111
112config LSM_MMAP_MIN_ADDR
113	int "Low address space for LSM to protect from user allocation"
114	depends on SECURITY && SECURITY_SELINUX
115	default 32768 if ARM
116	default 65536
117	help
118	  This is the portion of low virtual memory which should be protected
119	  from userspace allocation.  Keeping a user from writing to low pages
120	  can help reduce the impact of kernel NULL pointer bugs.
121
122	  For most ia64, ppc64 and x86 users with lots of address space
123	  a value of 65536 is reasonable and should cause no problems.
124	  On arm and other archs it should not be higher than 32768.
125	  Programs which use vm86 functionality or have some need to map
126	  this low address space will need the permission specific to the
127	  systems running LSM.
128
129source security/selinux/Kconfig
130source security/smack/Kconfig
131source security/tomoyo/Kconfig
132source security/apparmor/Kconfig
133source security/yama/Kconfig
134
135source security/integrity/Kconfig
136
137choice
138	prompt "Default security module"
139	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
140	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
141	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
142	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
143	default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
144	default DEFAULT_SECURITY_DAC
145
146	help
147	  Select the security module that will be used by default if the
148	  kernel parameter security= is not specified.
149
150	config DEFAULT_SECURITY_SELINUX
151		bool "SELinux" if SECURITY_SELINUX=y
152
153	config DEFAULT_SECURITY_SMACK
154		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
155
156	config DEFAULT_SECURITY_TOMOYO
157		bool "TOMOYO" if SECURITY_TOMOYO=y
158
159	config DEFAULT_SECURITY_APPARMOR
160		bool "AppArmor" if SECURITY_APPARMOR=y
161
162	config DEFAULT_SECURITY_YAMA
163		bool "Yama" if SECURITY_YAMA=y
164
165	config DEFAULT_SECURITY_DAC
166		bool "Unix Discretionary Access Controls"
167
168endchoice
169
170config DEFAULT_SECURITY
171	string
172	default "selinux" if DEFAULT_SECURITY_SELINUX
173	default "smack" if DEFAULT_SECURITY_SMACK
174	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
175	default "apparmor" if DEFAULT_SECURITY_APPARMOR
176	default "yama" if DEFAULT_SECURITY_YAMA
177	default "" if DEFAULT_SECURITY_DAC
178
179endmenu
180
181