1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only 21da177e4SLinus Torvalds# 31da177e4SLinus Torvalds# Security configuration 41da177e4SLinus Torvalds# 51da177e4SLinus Torvalds 61da177e4SLinus Torvaldsmenu "Security options" 71da177e4SLinus Torvalds 88636a1f9SMasahiro Yamadasource "security/keys/Kconfig" 91da177e4SLinus Torvalds 10eaf06b24SDan Rosenbergconfig SECURITY_DMESG_RESTRICT 11eaf06b24SDan Rosenberg bool "Restrict unprivileged access to the kernel syslog" 12eaf06b24SDan Rosenberg default n 13eaf06b24SDan Rosenberg help 14eaf06b24SDan Rosenberg This enforces restrictions on unprivileged users reading the kernel 15eaf06b24SDan Rosenberg syslog via dmesg(8). 16eaf06b24SDan Rosenberg 17eaf06b24SDan Rosenberg If this option is not selected, no restrictions will be enforced 18eaf06b24SDan Rosenberg unless the dmesg_restrict sysctl is explicitly set to (1). 19eaf06b24SDan Rosenberg 20eaf06b24SDan Rosenberg If you are unsure how to answer this question, answer N. 21eaf06b24SDan Rosenberg 22*41e8149cSAdrian Ratiuchoice 23*41e8149cSAdrian Ratiu prompt "Allow /proc/pid/mem access override" 24*41e8149cSAdrian Ratiu default PROC_MEM_ALWAYS_FORCE 25*41e8149cSAdrian Ratiu help 26*41e8149cSAdrian Ratiu Traditionally /proc/pid/mem allows users to override memory 27*41e8149cSAdrian Ratiu permissions for users like ptrace, assuming they have ptrace 28*41e8149cSAdrian Ratiu capability. 29*41e8149cSAdrian Ratiu 30*41e8149cSAdrian Ratiu This allows people to limit that - either never override, or 31*41e8149cSAdrian Ratiu require actual active ptrace attachment. 32*41e8149cSAdrian Ratiu 33*41e8149cSAdrian Ratiu Defaults to the traditional behavior (for now) 34*41e8149cSAdrian Ratiu 35*41e8149cSAdrian Ratiuconfig PROC_MEM_ALWAYS_FORCE 36*41e8149cSAdrian Ratiu bool "Traditional /proc/pid/mem behavior" 37*41e8149cSAdrian Ratiu help 38*41e8149cSAdrian Ratiu This allows /proc/pid/mem accesses to override memory mapping 39*41e8149cSAdrian Ratiu permissions if you have ptrace access rights. 40*41e8149cSAdrian Ratiu 41*41e8149cSAdrian Ratiuconfig PROC_MEM_FORCE_PTRACE 42*41e8149cSAdrian Ratiu bool "Require active ptrace() use for access override" 43*41e8149cSAdrian Ratiu help 44*41e8149cSAdrian Ratiu This allows /proc/pid/mem accesses to override memory mapping 45*41e8149cSAdrian Ratiu permissions for active ptracers like gdb. 46*41e8149cSAdrian Ratiu 47*41e8149cSAdrian Ratiuconfig PROC_MEM_NO_FORCE 48*41e8149cSAdrian Ratiu bool "Never" 49*41e8149cSAdrian Ratiu help 50*41e8149cSAdrian Ratiu Never override memory mapping permissions 51*41e8149cSAdrian Ratiu 52*41e8149cSAdrian Ratiuendchoice 53*41e8149cSAdrian Ratiu 541da177e4SLinus Torvaldsconfig SECURITY 551da177e4SLinus Torvalds bool "Enable different security models" 562c40579bSAdrian Bunk depends on SYSFS 572813893fSIulia Manda depends on MULTIUSER 581da177e4SLinus Torvalds help 591da177e4SLinus Torvalds This allows you to choose different security modules to be 601da177e4SLinus Torvalds configured into your kernel. 611da177e4SLinus Torvalds 621da177e4SLinus Torvalds If this option is not selected, the default Linux security 631da177e4SLinus Torvalds model will be used. 641da177e4SLinus Torvalds 651da177e4SLinus Torvalds If you are unsure how to answer this question, answer N. 661da177e4SLinus Torvalds 67da31894eSEric Parisconfig SECURITYFS 68da31894eSEric Paris bool "Enable the securityfs filesystem" 69da31894eSEric Paris help 70da31894eSEric Paris This will build the securityfs filesystem. It is currently used by 71b102c11eSPetr Vorel various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). 72da31894eSEric Paris 73da31894eSEric Paris If you are unsure how to answer this question, answer N. 74da31894eSEric Paris 751da177e4SLinus Torvaldsconfig SECURITY_NETWORK 761da177e4SLinus Torvalds bool "Socket and Networking Security Hooks" 771da177e4SLinus Torvalds depends on SECURITY 781da177e4SLinus Torvalds help 791da177e4SLinus Torvalds This enables the socket and networking security hooks. 801da177e4SLinus Torvalds If enabled, a security module can use these hooks to 811da177e4SLinus Torvalds implement socket and networking access controls. 821da177e4SLinus Torvalds If you are unsure how to answer this question, answer N. 831da177e4SLinus Torvalds 84d291f1a6SDaniel Jurgensconfig SECURITY_INFINIBAND 85d291f1a6SDaniel Jurgens bool "Infiniband Security Hooks" 86d291f1a6SDaniel Jurgens depends on SECURITY && INFINIBAND 87d291f1a6SDaniel Jurgens help 88d291f1a6SDaniel Jurgens This enables the Infiniband security hooks. 89d291f1a6SDaniel Jurgens If enabled, a security module can use these hooks to 90d291f1a6SDaniel Jurgens implement Infiniband access controls. 91d291f1a6SDaniel Jurgens If you are unsure how to answer this question, answer N. 92d291f1a6SDaniel Jurgens 93df71837dSTrent Jaegerconfig SECURITY_NETWORK_XFRM 94df71837dSTrent Jaeger bool "XFRM (IPSec) Networking Security Hooks" 95df71837dSTrent Jaeger depends on XFRM && SECURITY_NETWORK 96df71837dSTrent Jaeger help 97df71837dSTrent Jaeger This enables the XFRM (IPSec) networking security hooks. 98df71837dSTrent Jaeger If enabled, a security module can use these hooks to 99df71837dSTrent Jaeger implement per-packet access controls based on labels 100df71837dSTrent Jaeger derived from IPSec policy. Non-IPSec communications are 101df71837dSTrent Jaeger designated as unlabelled, and only sockets authorized 102df71837dSTrent Jaeger to communicate unlabelled data can send without using 103df71837dSTrent Jaeger IPSec. 104df71837dSTrent Jaeger If you are unsure how to answer this question, answer N. 105df71837dSTrent Jaeger 106be6d3e56SKentaro Takedaconfig SECURITY_PATH 107be6d3e56SKentaro Takeda bool "Security hooks for pathname based access control" 108be6d3e56SKentaro Takeda depends on SECURITY 109be6d3e56SKentaro Takeda help 110be6d3e56SKentaro Takeda This enables the security hooks for pathname based access control. 111be6d3e56SKentaro Takeda If enabled, a security module can use these hooks to 112be6d3e56SKentaro Takeda implement pathname based access controls. 113be6d3e56SKentaro Takeda If you are unsure how to answer this question, answer N. 114be6d3e56SKentaro Takeda 11531625340SJoseph Cihulaconfig INTEL_TXT 11631625340SJoseph Cihula bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 11769575d38SShane Wang depends on HAVE_INTEL_TXT 11831625340SJoseph Cihula help 11931625340SJoseph Cihula This option enables support for booting the kernel with the 12031625340SJoseph Cihula Trusted Boot (tboot) module. This will utilize 12131625340SJoseph Cihula Intel(R) Trusted Execution Technology to perform a measured launch 12231625340SJoseph Cihula of the kernel. If the system does not support Intel(R) TXT, this 12331625340SJoseph Cihula will have no effect. 12431625340SJoseph Cihula 1253c556e41SArnaldo Carvalho de Melo Intel TXT will provide higher assurance of system configuration and 12631625340SJoseph Cihula initial state as well as data reset protection. This is used to 12731625340SJoseph Cihula create a robust initial kernel measurement and verification, which 12831625340SJoseph Cihula helps to ensure that kernel security mechanisms are functioning 12931625340SJoseph Cihula correctly. This level of protection requires a root of trust outside 13031625340SJoseph Cihula of the kernel itself. 13131625340SJoseph Cihula 13231625340SJoseph Cihula Intel TXT also helps solve real end user concerns about having 13331625340SJoseph Cihula confidence that their hardware is running the VMM or kernel that 1343c556e41SArnaldo Carvalho de Melo it was configured with, especially since they may be responsible for 13531625340SJoseph Cihula providing such assurances to VMs and services running on it. 13631625340SJoseph Cihula 137c9fecf50SAlexander A. Klimov See <https://www.intel.com/technology/security/> for more information 13831625340SJoseph Cihula about Intel(R) TXT. 13931625340SJoseph Cihula See <http://tboot.sourceforge.net> for more information about tboot. 140ff61f079SJonathan Corbet See Documentation/arch/x86/intel_txt.rst for a description of how to enable 14131625340SJoseph Cihula Intel TXT support in a kernel boot. 14231625340SJoseph Cihula 14331625340SJoseph Cihula If you are unsure as to whether this is required, answer N. 14431625340SJoseph Cihula 145788084abSEric Parisconfig LSM_MMAP_MIN_ADDR 146024e6cb4SAndreas Schwab int "Low address space for LSM to protect from user allocation" 147788084abSEric Paris depends on SECURITY && SECURITY_SELINUX 148530b099dSColin Cross default 32768 if ARM || (ARM64 && COMPAT) 149a58578e4SDave Jones default 65536 150788084abSEric Paris help 151788084abSEric Paris This is the portion of low virtual memory which should be protected 152788084abSEric Paris from userspace allocation. Keeping a user from writing to low pages 153788084abSEric Paris can help reduce the impact of kernel NULL pointer bugs. 154788084abSEric Paris 155788084abSEric Paris For most ia64, ppc64 and x86 users with lots of address space 156788084abSEric Paris a value of 65536 is reasonable and should cause no problems. 157788084abSEric Paris On arm and other archs it should not be higher than 32768. 158788084abSEric Paris Programs which use vm86 functionality or have some need to map 159788084abSEric Paris this low address space will need the permission specific to the 160788084abSEric Paris systems running LSM. 161788084abSEric Paris 162f5509cc1SKees Cookconfig HARDENED_USERCOPY 163f5509cc1SKees Cook bool "Harden memory copies between kernel and userspace" 16422ec1a2aSKees Cook imply STRICT_DEVMEM 165f5509cc1SKees Cook help 166f5509cc1SKees Cook This option checks for obviously wrong memory regions when 167f5509cc1SKees Cook copying memory to/from the kernel (via copy_to_user() and 168f5509cc1SKees Cook copy_from_user() functions) by rejecting memory ranges that 169f5509cc1SKees Cook are larger than the specified heap object, span multiple 17099c55fb1SGeert Uytterhoeven separately allocated pages, are not on the process stack, 1711109a5d9SMatthew Wilcox (Oracle) or are part of the kernel text. This prevents entire classes 172f5509cc1SKees Cook of heap overflow exploits and similar kernel memory exposures. 173f5509cc1SKees Cook 1746974f0c4SDaniel Micayconfig FORTIFY_SOURCE 1756974f0c4SDaniel Micay bool "Harden common str/mem functions against buffer overflows" 1766974f0c4SDaniel Micay depends on ARCH_HAS_FORTIFY_SOURCE 177281d0c96SKees Cook # https://github.com/llvm/llvm-project/issues/53645 178281d0c96SKees Cook depends on !CC_IS_CLANG || !X86_32 1796974f0c4SDaniel Micay help 1806974f0c4SDaniel Micay Detect overflows of buffers in common string and memory functions 1816974f0c4SDaniel Micay where the compiler can determine and validate the buffer sizes. 1826974f0c4SDaniel Micay 18364e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER 18464e90a8aSGreg Kroah-Hartman bool "Force all usermode helper calls through a single binary" 18564e90a8aSGreg Kroah-Hartman help 18664e90a8aSGreg Kroah-Hartman By default, the kernel can call many different userspace 18764e90a8aSGreg Kroah-Hartman binary programs through the "usermode helper" kernel 18864e90a8aSGreg Kroah-Hartman interface. Some of these binaries are statically defined 18964e90a8aSGreg Kroah-Hartman either in the kernel code itself, or as a kernel configuration 19064e90a8aSGreg Kroah-Hartman option. However, some of these are dynamically created at 19164e90a8aSGreg Kroah-Hartman runtime, or can be modified after the kernel has started up. 19264e90a8aSGreg Kroah-Hartman To provide an additional layer of security, route all of these 19364e90a8aSGreg Kroah-Hartman calls through a single executable that can not have its name 19464e90a8aSGreg Kroah-Hartman changed. 19564e90a8aSGreg Kroah-Hartman 19664e90a8aSGreg Kroah-Hartman Note, it is up to this single binary to then call the relevant 19764e90a8aSGreg Kroah-Hartman "real" usermode helper binary, based on the first argument 19864e90a8aSGreg Kroah-Hartman passed to it. If desired, this program can filter and pick 19964e90a8aSGreg Kroah-Hartman and choose what real programs are called. 20064e90a8aSGreg Kroah-Hartman 20164e90a8aSGreg Kroah-Hartman If you wish for all usermode helper programs are to be 20264e90a8aSGreg Kroah-Hartman disabled, choose this option and then set 20364e90a8aSGreg Kroah-Hartman STATIC_USERMODEHELPER_PATH to an empty string. 20464e90a8aSGreg Kroah-Hartman 20564e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER_PATH 20664e90a8aSGreg Kroah-Hartman string "Path to the static usermode helper binary" 20764e90a8aSGreg Kroah-Hartman depends on STATIC_USERMODEHELPER 20864e90a8aSGreg Kroah-Hartman default "/sbin/usermode-helper" 20964e90a8aSGreg Kroah-Hartman help 21064e90a8aSGreg Kroah-Hartman The binary called by the kernel when any usermode helper 21164e90a8aSGreg Kroah-Hartman program is wish to be run. The "real" application's name will 21264e90a8aSGreg Kroah-Hartman be in the first argument passed to this program on the command 21364e90a8aSGreg Kroah-Hartman line. 21464e90a8aSGreg Kroah-Hartman 21564e90a8aSGreg Kroah-Hartman If you wish for all usermode helper programs to be disabled, 21664e90a8aSGreg Kroah-Hartman specify an empty string here (i.e. ""). 21764e90a8aSGreg Kroah-Hartman 2188636a1f9SMasahiro Yamadasource "security/selinux/Kconfig" 2198636a1f9SMasahiro Yamadasource "security/smack/Kconfig" 2208636a1f9SMasahiro Yamadasource "security/tomoyo/Kconfig" 2218636a1f9SMasahiro Yamadasource "security/apparmor/Kconfig" 2228636a1f9SMasahiro Yamadasource "security/loadpin/Kconfig" 2238636a1f9SMasahiro Yamadasource "security/yama/Kconfig" 224aeca4e2cSMicah Mortonsource "security/safesetid/Kconfig" 225000d388eSMatthew Garrettsource "security/lockdown/Kconfig" 22690945448SMickaël Salaünsource "security/landlock/Kconfig" 22703115077SDeven Bowerssource "security/ipe/Kconfig" 2281da177e4SLinus Torvalds 2298636a1f9SMasahiro Yamadasource "security/integrity/Kconfig" 2303323eec9SMimi Zohar 2312623c4fbSKees Cookchoice 2322623c4fbSKees Cook prompt "First legacy 'major LSM' to be initialized" 2332623c4fbSKees Cook default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 2342623c4fbSKees Cook default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 2352623c4fbSKees Cook default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 2362623c4fbSKees Cook default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 2372623c4fbSKees Cook default DEFAULT_SECURITY_DAC 2382623c4fbSKees Cook 2392623c4fbSKees Cook help 2402623c4fbSKees Cook This choice is there only for converting CONFIG_DEFAULT_SECURITY 2412623c4fbSKees Cook in old kernel configs to CONFIG_LSM in new kernel configs. Don't 2422623c4fbSKees Cook change this choice unless you are creating a fresh kernel config, 2432623c4fbSKees Cook for this choice will be ignored after CONFIG_LSM has been set. 2442623c4fbSKees Cook 2452623c4fbSKees Cook Selects the legacy "major security module" that will be 2462623c4fbSKees Cook initialized first. Overridden by non-default CONFIG_LSM. 2472623c4fbSKees Cook 2482623c4fbSKees Cook config DEFAULT_SECURITY_SELINUX 2492623c4fbSKees Cook bool "SELinux" if SECURITY_SELINUX=y 2502623c4fbSKees Cook 2512623c4fbSKees Cook config DEFAULT_SECURITY_SMACK 2522623c4fbSKees Cook bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 2532623c4fbSKees Cook 2542623c4fbSKees Cook config DEFAULT_SECURITY_TOMOYO 2552623c4fbSKees Cook bool "TOMOYO" if SECURITY_TOMOYO=y 2562623c4fbSKees Cook 2572623c4fbSKees Cook config DEFAULT_SECURITY_APPARMOR 2582623c4fbSKees Cook bool "AppArmor" if SECURITY_APPARMOR=y 2592623c4fbSKees Cook 2602623c4fbSKees Cook config DEFAULT_SECURITY_DAC 2612623c4fbSKees Cook bool "Unix Discretionary Access Controls" 2622623c4fbSKees Cook 2632623c4fbSKees Cookendchoice 2642623c4fbSKees Cook 26513e735c0SKees Cookconfig LSM 26613e735c0SKees Cook string "Ordered list of enabled LSMs" 26703115077SDeven Bowers default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK 26803115077SDeven Bowers default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR 26903115077SDeven Bowers default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO 27003115077SDeven Bowers default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC 27103115077SDeven Bowers default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf" 27213e735c0SKees Cook help 27313e735c0SKees Cook A comma-separated list of LSMs, in initialization order. 274b9b8701bSRoberto Sassu Any LSMs left off this list, except for those with order 275b9b8701bSRoberto Sassu LSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabled 276b9b8701bSRoberto Sassu if selected in the kernel configuration, will be ignored. 277b9b8701bSRoberto Sassu This can be controlled at boot with the "lsm=" parameter. 27813e735c0SKees Cook 27913e735c0SKees Cook If unsure, leave this as the default. 28013e735c0SKees Cook 2819f671e58SKees Cooksource "security/Kconfig.hardening" 2829f671e58SKees Cook 2831da177e4SLinus Torvaldsendmenu 2841da177e4SLinus Torvalds 285