1# SPDX-License-Identifier: GPL-2.0-only 2# 3# Security configuration 4# 5 6menu "Security options" 7 8source "security/keys/Kconfig" 9 10config SECURITY_DMESG_RESTRICT 11 bool "Restrict unprivileged access to the kernel syslog" 12 default n 13 help 14 This enforces restrictions on unprivileged users reading the kernel 15 syslog via dmesg(8). 16 17 If this option is not selected, no restrictions will be enforced 18 unless the dmesg_restrict sysctl is explicitly set to (1). 19 20 If you are unsure how to answer this question, answer N. 21 22choice 23 prompt "Allow /proc/pid/mem access override" 24 default PROC_MEM_ALWAYS_FORCE 25 help 26 Traditionally /proc/pid/mem allows users to override memory 27 permissions for users like ptrace, assuming they have ptrace 28 capability. 29 30 This allows people to limit that - either never override, or 31 require actual active ptrace attachment. 32 33 Defaults to the traditional behavior (for now) 34 35config PROC_MEM_ALWAYS_FORCE 36 bool "Traditional /proc/pid/mem behavior" 37 help 38 This allows /proc/pid/mem accesses to override memory mapping 39 permissions if you have ptrace access rights. 40 41config PROC_MEM_FORCE_PTRACE 42 bool "Require active ptrace() use for access override" 43 help 44 This allows /proc/pid/mem accesses to override memory mapping 45 permissions for active ptracers like gdb. 46 47config PROC_MEM_NO_FORCE 48 bool "Never" 49 help 50 Never override memory mapping permissions 51 52endchoice 53 54config SECURITY 55 bool "Enable different security models" 56 depends on SYSFS 57 depends on MULTIUSER 58 help 59 This allows you to choose different security modules to be 60 configured into your kernel. 61 62 If this option is not selected, the default Linux security 63 model will be used. 64 65 If you are unsure how to answer this question, answer N. 66 67config HAS_SECURITY_AUDIT 68 def_bool y 69 depends on AUDIT 70 depends on SECURITY 71 72config SECURITYFS 73 bool "Enable the securityfs filesystem" 74 help 75 This will build the securityfs filesystem. It is currently used by 76 various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). 77 78 If you are unsure how to answer this question, answer N. 79 80config SECURITY_NETWORK 81 bool "Socket and Networking Security Hooks" 82 depends on SECURITY 83 help 84 This enables the socket and networking security hooks. 85 If enabled, a security module can use these hooks to 86 implement socket and networking access controls. 87 If you are unsure how to answer this question, answer N. 88 89config SECURITY_INFINIBAND 90 bool "Infiniband Security Hooks" 91 depends on SECURITY && INFINIBAND 92 help 93 This enables the Infiniband security hooks. 94 If enabled, a security module can use these hooks to 95 implement Infiniband access controls. 96 If you are unsure how to answer this question, answer N. 97 98config SECURITY_NETWORK_XFRM 99 bool "XFRM (IPSec) Networking Security Hooks" 100 depends on XFRM && SECURITY_NETWORK 101 help 102 This enables the XFRM (IPSec) networking security hooks. 103 If enabled, a security module can use these hooks to 104 implement per-packet access controls based on labels 105 derived from IPSec policy. Non-IPSec communications are 106 designated as unlabelled, and only sockets authorized 107 to communicate unlabelled data can send without using 108 IPSec. 109 If you are unsure how to answer this question, answer N. 110 111config SECURITY_PATH 112 bool "Security hooks for pathname based access control" 113 depends on SECURITY 114 help 115 This enables the security hooks for pathname based access control. 116 If enabled, a security module can use these hooks to 117 implement pathname based access controls. 118 If you are unsure how to answer this question, answer N. 119 120config INTEL_TXT 121 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 122 depends on HAVE_INTEL_TXT 123 help 124 This option enables support for booting the kernel with the 125 Trusted Boot (tboot) module. This will utilize 126 Intel(R) Trusted Execution Technology to perform a measured launch 127 of the kernel. If the system does not support Intel(R) TXT, this 128 will have no effect. 129 130 Intel TXT will provide higher assurance of system configuration and 131 initial state as well as data reset protection. This is used to 132 create a robust initial kernel measurement and verification, which 133 helps to ensure that kernel security mechanisms are functioning 134 correctly. This level of protection requires a root of trust outside 135 of the kernel itself. 136 137 Intel TXT also helps solve real end user concerns about having 138 confidence that their hardware is running the VMM or kernel that 139 it was configured with, especially since they may be responsible for 140 providing such assurances to VMs and services running on it. 141 142 See <https://www.intel.com/technology/security/> for more information 143 about Intel(R) TXT. 144 See <http://tboot.sourceforge.net> for more information about tboot. 145 See Documentation/arch/x86/intel_txt.rst for a description of how to enable 146 Intel TXT support in a kernel boot. 147 148 If you are unsure as to whether this is required, answer N. 149 150config LSM_MMAP_MIN_ADDR 151 int "Low address space for LSM to protect from user allocation" 152 depends on SECURITY && SECURITY_SELINUX 153 default 32768 if ARM || (ARM64 && COMPAT) 154 default 65536 155 help 156 This is the portion of low virtual memory which should be protected 157 from userspace allocation. Keeping a user from writing to low pages 158 can help reduce the impact of kernel NULL pointer bugs. 159 160 For most ia64, ppc64 and x86 users with lots of address space 161 a value of 65536 is reasonable and should cause no problems. 162 On arm and other archs it should not be higher than 32768. 163 Programs which use vm86 functionality or have some need to map 164 this low address space will need the permission specific to the 165 systems running LSM. 166 167config STATIC_USERMODEHELPER 168 bool "Force all usermode helper calls through a single binary" 169 help 170 By default, the kernel can call many different userspace 171 binary programs through the "usermode helper" kernel 172 interface. Some of these binaries are statically defined 173 either in the kernel code itself, or as a kernel configuration 174 option. However, some of these are dynamically created at 175 runtime, or can be modified after the kernel has started up. 176 To provide an additional layer of security, route all of these 177 calls through a single executable that can not have its name 178 changed. 179 180 Note, it is up to this single binary to then call the relevant 181 "real" usermode helper binary, based on the first argument 182 passed to it. If desired, this program can filter and pick 183 and choose what real programs are called. 184 185 If you wish for all usermode helper programs are to be 186 disabled, choose this option and then set 187 STATIC_USERMODEHELPER_PATH to an empty string. 188 189config STATIC_USERMODEHELPER_PATH 190 string "Path to the static usermode helper binary" 191 depends on STATIC_USERMODEHELPER 192 default "/sbin/usermode-helper" 193 help 194 The binary called by the kernel when any usermode helper 195 program is wish to be run. The "real" application's name will 196 be in the first argument passed to this program on the command 197 line. 198 199 If you wish for all usermode helper programs to be disabled, 200 specify an empty string here (i.e. ""). 201 202source "security/selinux/Kconfig" 203source "security/smack/Kconfig" 204source "security/tomoyo/Kconfig" 205source "security/apparmor/Kconfig" 206source "security/loadpin/Kconfig" 207source "security/yama/Kconfig" 208source "security/safesetid/Kconfig" 209source "security/lockdown/Kconfig" 210source "security/landlock/Kconfig" 211source "security/ipe/Kconfig" 212 213source "security/integrity/Kconfig" 214 215choice 216 prompt "First legacy 'major LSM' to be initialized" 217 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 218 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 219 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 220 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 221 default DEFAULT_SECURITY_DAC 222 223 help 224 This choice is there only for converting CONFIG_DEFAULT_SECURITY 225 in old kernel configs to CONFIG_LSM in new kernel configs. Don't 226 change this choice unless you are creating a fresh kernel config, 227 for this choice will be ignored after CONFIG_LSM has been set. 228 229 Selects the legacy "major security module" that will be 230 initialized first. Overridden by non-default CONFIG_LSM. 231 232 config DEFAULT_SECURITY_SELINUX 233 bool "SELinux" if SECURITY_SELINUX=y 234 235 config DEFAULT_SECURITY_SMACK 236 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 237 238 config DEFAULT_SECURITY_TOMOYO 239 bool "TOMOYO" if SECURITY_TOMOYO=y 240 241 config DEFAULT_SECURITY_APPARMOR 242 bool "AppArmor" if SECURITY_APPARMOR=y 243 244 config DEFAULT_SECURITY_DAC 245 bool "Unix Discretionary Access Controls" 246 247endchoice 248 249config LSM 250 string "Ordered list of enabled LSMs" 251 default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK 252 default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR 253 default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO 254 default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC 255 default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf" 256 help 257 A comma-separated list of LSMs, in initialization order. 258 Any LSMs left off this list, except for those with order 259 LSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabled 260 if selected in the kernel configuration, will be ignored. 261 This can be controlled at boot with the "lsm=" parameter. 262 263 If unsure, leave this as the default. 264 265source "security/Kconfig.hardening" 266 267endmenu 268 269