Kconfig (22ec1a2aea73b9dfe340dff7945bd85af4cc6280) | Kconfig (385ce0ea4c078517fa51c261882c4e72fba53005) |
---|---|
1# 2# Security configuration 3# 4 5menu "Security options" 6 7source security/keys/Kconfig 8 --- 40 unchanged lines hidden (view full) --- 49 bool "Socket and Networking Security Hooks" 50 depends on SECURITY 51 help 52 This enables the socket and networking security hooks. 53 If enabled, a security module can use these hooks to 54 implement socket and networking access controls. 55 If you are unsure how to answer this question, answer N. 56 | 1# 2# Security configuration 3# 4 5menu "Security options" 6 7source security/keys/Kconfig 8 --- 40 unchanged lines hidden (view full) --- 49 bool "Socket and Networking Security Hooks" 50 depends on SECURITY 51 help 52 This enables the socket and networking security hooks. 53 If enabled, a security module can use these hooks to 54 implement socket and networking access controls. 55 If you are unsure how to answer this question, answer N. 56 |
57config PAGE_TABLE_ISOLATION 58 bool "Remove the kernel mapping in user mode" 59 depends on X86_64 && !UML 60 help 61 This feature reduces the number of hardware side channels by 62 ensuring that the majority of kernel addresses are not mapped 63 into userspace. 64 65 See Documentation/x86/pagetable-isolation.txt for more details. 66 |
|
57config SECURITY_INFINIBAND 58 bool "Infiniband Security Hooks" 59 depends on SECURITY && INFINIBAND 60 help 61 This enables the Infiniband security hooks. 62 If enabled, a security module can use these hooks to 63 implement Infiniband access controls. 64 If you are unsure how to answer this question, answer N. --- 73 unchanged lines hidden (view full) --- 138 The heap allocator implements __check_heap_object() for 139 validating memory ranges against heap object sizes in 140 support of CONFIG_HARDENED_USERCOPY. 141 142config HARDENED_USERCOPY 143 bool "Harden memory copies between kernel and userspace" 144 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 145 select BUG | 67config SECURITY_INFINIBAND 68 bool "Infiniband Security Hooks" 69 depends on SECURITY && INFINIBAND 70 help 71 This enables the Infiniband security hooks. 72 If enabled, a security module can use these hooks to 73 implement Infiniband access controls. 74 If you are unsure how to answer this question, answer N. --- 73 unchanged lines hidden (view full) --- 148 The heap allocator implements __check_heap_object() for 149 validating memory ranges against heap object sizes in 150 support of CONFIG_HARDENED_USERCOPY. 151 152config HARDENED_USERCOPY 153 bool "Harden memory copies between kernel and userspace" 154 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 155 select BUG |
146 imply STRICT_DEVMEM | |
147 help 148 This option checks for obviously wrong memory regions when 149 copying memory to/from the kernel (via copy_to_user() and 150 copy_from_user() functions) by rejecting memory ranges that 151 are larger than the specified heap object, span multiple 152 separately allocated pages, are not on the process stack, 153 or are part of the kernel text. This kills entire classes 154 of heap overflow exploits and similar kernel memory exposures. --- 102 unchanged lines hidden --- | 156 help 157 This option checks for obviously wrong memory regions when 158 copying memory to/from the kernel (via copy_to_user() and 159 copy_from_user() functions) by rejecting memory ranges that 160 are larger than the specified heap object, span multiple 161 separately allocated pages, are not on the process stack, 162 or are part of the kernel text. This kills entire classes 163 of heap overflow exploits and similar kernel memory exposures. --- 102 unchanged lines hidden --- |
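Review bot: config PAGE_TABLE_ISOLATION (lines 57-65 of the 385ce0ea column) has no `default` line, and its help text gives no guidance for someone unsure of the answer, although the neighbouring entries all end with "If you are unsure how to answer this question, answer N." A bool without a default resolves to n, so a mitigation described as reducing hardware side channels stays off unless someone deliberately enables it. Either add a `default` line or state the recommended answer and the expected cost in the help text. The help text also points to Documentation/x86/pagetable-isolation.txt, so that file needs to be present in the same revision.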
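Review bot: a configuration that counts on HARDENED_USERCOPY to bring in STRICT_DEVMEM gets that only from the 22ec1a2 column, where line 146 carries `imply STRICT_DEVMEM`; in the 385ce0ea column `select BUG` (line 155) is followed directly by `help` (line 156). Since `imply` is only a weak default that the user can still override, anyone moving a config between these two revisions should set CONFIG_STRICT_DEVMEM explicitly rather than inherit it. The help text is identical on both sides and never mentions STRICT_DEVMEM, so the relationship should be documented there if it is intended.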