Searched refs:to (Results 1 – 17 of 17) sorted by relevance

/security/
Kconfig
11 bool "Restrict unprivileged access to the kernel syslog"
18 unless the dmesg_restrict sysctl is explicitly set to (1).
20 If you are unsure how to answer this question, answer N.
27 This allows you to choose different security modules to be
33 If you are unsure how to answer this question, answer N.
46 If you are unsure how to answer this question, answer N.
53 If enabled, a security module can use these hooks to
55 If you are unsure how to answer this question, answer N.
62 If enabled, a security module can use these hooks to
64 If you are unsure how to answer this question, answer N.
Kconfig.hardening
9 anything passed by reference to another function, under the
11 the initialization. As this regularly leads to exploitable
12 flaws, this plugin is available to identify and zero-initialize
45 function entry time. This has the possibility to have the
59 This leaves the kernel vulnerable to the standard
89 this with CONFIG_KASAN_STACK can lead to a stack overflow
100 initialized. This is intended to eliminate all classes
106 this with CONFIG_KASAN_STACK can lead to a stack overflow
114 with a specific debug value. This is intended to eliminate
119 Pattern initialization is known to provoke many existing bugs
security.c
698 const struct cred *to) in security_binder_transaction() argument
700 return call_int_hook(binder_transaction, 0, from, to); in security_binder_transaction()
704 const struct cred *to) in security_binder_transfer_binder() argument
706 return call_int_hook(binder_transfer_binder, 0, from, to); in security_binder_transfer_binder()
710 const struct cred *to, struct file *file) in security_binder_transfer_file() argument
712 return call_int_hook(binder_transfer_file, 0, from, to, file); in security_binder_transfer_file()
/security/selinux/
Kconfig
10 If you are unsure how to answer this question, answer N.
18 to be disabled at boot. If this option is selected, SELinux
20 command line. The purpose of this option is to allow a single
21 kernel image to be distributed with SELinux built in, but not
24 If you are unsure how to answer this question, answer N.
32 This option enables writing to a selinuxfs node 'disable', which
33 allows SELinux to be disabled at runtime prior to the policy load.
35 This option is similar to the selinux=0 boot parameter, but is to
38 to employ.
48 If you are unsure how to answer this question, answer N.
hooks.c
1597 #error Fix SELinux to handle capabilities > 63.
2026 const struct cred *to) in selinux_binder_transaction() argument
2030 u32 tosid = cred_sid(to); in selinux_binder_transaction()
2046 const struct cred *to) in selinux_binder_transfer_binder() argument
2049 cred_sid(from), cred_sid(to), in selinux_binder_transfer_binder()
2055 const struct cred *to, in selinux_binder_transfer_file() argument
2058 u32 sid = cred_sid(to); in selinux_binder_transfer_file()
2608 char *to = options; in selinux_sb_eat_lsm_opts() local
2645 if (to != from) in selinux_sb_eat_lsm_opts()
2646 memmove(to, from, len); in selinux_sb_eat_lsm_opts()
/security/keys/
Kconfig
19 to five standard keyrings: UID-specific, GID-specific, session,
22 If you are unsure as to whether this is required, answer N.
29 call that didn't upcall to the kernel to be cached temporarily in the
30 task_struct. The cache is cleared by exit and just prior to the
34 wants to request a key that is likely the same as the one requested
35 by the last step to save on the searching.
38 filesystem in which each method needs to request an authentication
53 LSMs gets to rule on which admin-level processes get to access the
66 (for example Kerberos ticket caches). The data may be stored out to
69 If you are unsure as to whether this is required, answer N.
/security/integrity/ima/
Kconfig
21 to change the contents of an important system file
26 TPM hardware, so that the TPM can prove to a third party
29 to learn more about IMA.
39 TPM PCRs are only reset on a hard reboot. In order to validate
43 Depending on the IMA policy, the measurement list can grow to
52 that IMA uses to maintain the integrity aggregate of the
70 limited to 255 characters. The 'ima-ng' measurement list
125 bool "Enable multiple writes to the IMA policy"
129 appended to the original policy. Have in mind that the rules are
139 It is often useful to be able to read back the IMA policy. It is
/security/integrity/evm/
Kconfig
14 If you are unsure how to answer this question, answer N.
27 additional info to the calculation, requires existing EVM
28 labeled file systems to be relabeled.
37 In addition to the original security xattrs (eg. security.selinux,
44 additional info to the calculation, requires existing EVM
45 labeled file systems to be relabeled.
52 Allow userland to provide additional xattrs for HMAC calculation.
54 When this option is enabled, root can add additional xattrs to the
66 onto the '.evm' trusted keyring. A public key can be used to
/security/smack/
Kconfig
14 If you are unsure how to answer this question, answer N.
26 rules. The developer can use the information to
30 This is a superior mechanism to the oft abused
32 If you are unsure how to answer this question, answer N.
43 If you are unsure how to answer this question, answer N.
50 Sending a signal has been treated as a write operation to the
53 to differentiate between delivering a network packet and
55 If you are unsure how to answer this question, answer N.
smack_lsm.c
715 char *from = options, *to = options; in smack_sb_eat_lsm_opts() local
744 if (to != from) in smack_sb_eat_lsm_opts()
745 memmove(to, from, len); in smack_sb_eat_lsm_opts()
746 to += len; in smack_sb_eat_lsm_opts()
753 *to = '\0'; in smack_sb_eat_lsm_opts()
/security/safesetid/
Kconfig
3 bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities"
8 SafeSetID is an LSM module that gates the setid family of syscalls to
9 restrict UID/GID transitions from a given UID/GID to only those
12 with CAP_SET{U/G}ID, such as allowing a user to set up user namespace
15 If you are unsure how to answer this question, answer N.
/security/lockdown/
Kconfig
14 to ensure that lockdown enforcement can be carried out on kernel
24 The kernel can be configured to default to differing levels of
37 the kernel to be modified at runtime are disabled.
43 allow the kernel to be modified at runtime or that permit userland
44 code to read confidential material held inside the kernel are
/security/integrity/
Kconfig
15 Refer to the individual components for additional details.
29 to "lock" certain keyring to prevent adding new keys.
51 This option requires that all keys added to the .ima and
81 Enable loading of keys to the .platform keyring and blacklisted
82 hashes to the .blacklist keyring for powerpc based platforms.
89 In addition to enabling integrity auditing support, this
/security/apparmor/
Kconfig
18 If you are unsure how to answer this question, answer N.
28 is available to userspace via the apparmor filesystem.
38 to verify that policy in the kernel matches what is expected,
69 When enabled, various debug messages will be logged to
79 KUnit tests run during boot and output the results to the debug log
85 to the KUnit documentation in Documentation/dev-tools/kunit/.
/security/tomoyo/
Kconfig
16 If you are unsure how to answer this question, answer N.
40 If you don't need audit logs, you may set this value to 0.
47 Say Y here if you want to activate access control as soon as built-in
49 operations which can lead to the hijacking of the boot sequence are
77 want to also pass TOMOYO_trigger=/bin/systemd option.
/security/loadpin/
Kconfig
3 bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
8 can be pinned to the first filesystem used for loading. When
/security/yama/
Kconfig
14 If you are unsure how to answer this question, answer N.