xref: /linux/security/Kconfig (revision 13e735c0e953246bd531d342bb86acb5b1bf664a)
11da177e4SLinus Torvalds#
21da177e4SLinus Torvalds# Security configuration
31da177e4SLinus Torvalds#
41da177e4SLinus Torvalds
51da177e4SLinus Torvaldsmenu "Security options"
61da177e4SLinus Torvalds
78636a1f9SMasahiro Yamadasource "security/keys/Kconfig"
81da177e4SLinus Torvalds
9eaf06b24SDan Rosenbergconfig SECURITY_DMESG_RESTRICT
10eaf06b24SDan Rosenberg	bool "Restrict unprivileged access to the kernel syslog"
11eaf06b24SDan Rosenberg	default n
12eaf06b24SDan Rosenberg	help
13eaf06b24SDan Rosenberg	  This enforces restrictions on unprivileged users reading the kernel
14eaf06b24SDan Rosenberg	  syslog via dmesg(8).
15eaf06b24SDan Rosenberg
16eaf06b24SDan Rosenberg	  If this option is not selected, no restrictions will be enforced
17eaf06b24SDan Rosenberg	  unless the dmesg_restrict sysctl is explicitly set to (1).
18eaf06b24SDan Rosenberg
19eaf06b24SDan Rosenberg	  If you are unsure how to answer this question, answer N.
20eaf06b24SDan Rosenberg
211da177e4SLinus Torvaldsconfig SECURITY
221da177e4SLinus Torvalds	bool "Enable different security models"
232c40579bSAdrian Bunk	depends on SYSFS
242813893fSIulia Manda	depends on MULTIUSER
251da177e4SLinus Torvalds	help
261da177e4SLinus Torvalds	  This allows you to choose different security modules to be
271da177e4SLinus Torvalds	  configured into your kernel.
281da177e4SLinus Torvalds
291da177e4SLinus Torvalds	  If this option is not selected, the default Linux security
301da177e4SLinus Torvalds	  model will be used.
311da177e4SLinus Torvalds
321da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
331da177e4SLinus Torvalds
34dd0859dcSJames Morrisconfig SECURITY_WRITABLE_HOOKS
35dd0859dcSJames Morris	depends on SECURITY
36dd0859dcSJames Morris	bool
37dd0859dcSJames Morris	default n
38dd0859dcSJames Morris
39da31894eSEric Parisconfig SECURITYFS
40da31894eSEric Paris	bool "Enable the securityfs filesystem"
41da31894eSEric Paris	help
42da31894eSEric Paris	  This will build the securityfs filesystem.  It is currently used by
433323eec9SMimi Zohar	  the TPM bios character driver and IMA, an integrity provider.  It is
443323eec9SMimi Zohar	  not used by SELinux or SMACK.
45da31894eSEric Paris
46da31894eSEric Paris	  If you are unsure how to answer this question, answer N.
47da31894eSEric Paris
481da177e4SLinus Torvaldsconfig SECURITY_NETWORK
491da177e4SLinus Torvalds	bool "Socket and Networking Security Hooks"
501da177e4SLinus Torvalds	depends on SECURITY
511da177e4SLinus Torvalds	help
521da177e4SLinus Torvalds	  This enables the socket and networking security hooks.
531da177e4SLinus Torvalds	  If enabled, a security module can use these hooks to
541da177e4SLinus Torvalds	  implement socket and networking access controls.
551da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
561da177e4SLinus Torvalds
57385ce0eaSDave Hansenconfig PAGE_TABLE_ISOLATION
58385ce0eaSDave Hansen	bool "Remove the kernel mapping in user mode"
5987faa0d9SThomas Gleixner	default y
6061a6bd83SJoerg Roedel	depends on (X86_64 || X86_PAE) && !UML
61385ce0eaSDave Hansen	help
62385ce0eaSDave Hansen	  This feature reduces the number of hardware side channels by
63385ce0eaSDave Hansen	  ensuring that the majority of kernel addresses are not mapped
64385ce0eaSDave Hansen	  into userspace.
65385ce0eaSDave Hansen
66a237f762SW. Trevor King	  See Documentation/x86/pti.txt for more details.
67385ce0eaSDave Hansen
68d291f1a6SDaniel Jurgensconfig SECURITY_INFINIBAND
69d291f1a6SDaniel Jurgens	bool "Infiniband Security Hooks"
70d291f1a6SDaniel Jurgens	depends on SECURITY && INFINIBAND
71d291f1a6SDaniel Jurgens	help
72d291f1a6SDaniel Jurgens	  This enables the Infiniband security hooks.
73d291f1a6SDaniel Jurgens	  If enabled, a security module can use these hooks to
74d291f1a6SDaniel Jurgens	  implement Infiniband access controls.
75d291f1a6SDaniel Jurgens	  If you are unsure how to answer this question, answer N.
76d291f1a6SDaniel Jurgens
77df71837dSTrent Jaegerconfig SECURITY_NETWORK_XFRM
78df71837dSTrent Jaeger	bool "XFRM (IPSec) Networking Security Hooks"
79df71837dSTrent Jaeger	depends on XFRM && SECURITY_NETWORK
80df71837dSTrent Jaeger	help
81df71837dSTrent Jaeger	  This enables the XFRM (IPSec) networking security hooks.
82df71837dSTrent Jaeger	  If enabled, a security module can use these hooks to
83df71837dSTrent Jaeger	  implement per-packet access controls based on labels
84df71837dSTrent Jaeger	  derived from IPSec policy.  Non-IPSec communications are
85df71837dSTrent Jaeger	  designated as unlabelled, and only sockets authorized
86df71837dSTrent Jaeger	  to communicate unlabelled data can send without using
87df71837dSTrent Jaeger	  IPSec.
88df71837dSTrent Jaeger	  If you are unsure how to answer this question, answer N.
89df71837dSTrent Jaeger
90be6d3e56SKentaro Takedaconfig SECURITY_PATH
91be6d3e56SKentaro Takeda	bool "Security hooks for pathname based access control"
92be6d3e56SKentaro Takeda	depends on SECURITY
93be6d3e56SKentaro Takeda	help
94be6d3e56SKentaro Takeda	  This enables the security hooks for pathname based access control.
95be6d3e56SKentaro Takeda	  If enabled, a security module can use these hooks to
96be6d3e56SKentaro Takeda	  implement pathname based access controls.
97be6d3e56SKentaro Takeda	  If you are unsure how to answer this question, answer N.
98be6d3e56SKentaro Takeda
9931625340SJoseph Cihulaconfig INTEL_TXT
10031625340SJoseph Cihula	bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
10169575d38SShane Wang	depends on HAVE_INTEL_TXT
10231625340SJoseph Cihula	help
10331625340SJoseph Cihula	  This option enables support for booting the kernel with the
10431625340SJoseph Cihula	  Trusted Boot (tboot) module. This will utilize
10531625340SJoseph Cihula	  Intel(R) Trusted Execution Technology to perform a measured launch
10631625340SJoseph Cihula	  of the kernel. If the system does not support Intel(R) TXT, this
10731625340SJoseph Cihula	  will have no effect.
10831625340SJoseph Cihula
1093c556e41SArnaldo Carvalho de Melo	  Intel TXT will provide higher assurance of system configuration and
11031625340SJoseph Cihula	  initial state as well as data reset protection.  This is used to
11131625340SJoseph Cihula	  create a robust initial kernel measurement and verification, which
11231625340SJoseph Cihula	  helps to ensure that kernel security mechanisms are functioning
11331625340SJoseph Cihula	  correctly. This level of protection requires a root of trust outside
11431625340SJoseph Cihula	  of the kernel itself.
11531625340SJoseph Cihula
11631625340SJoseph Cihula	  Intel TXT also helps solve real end user concerns about having
11731625340SJoseph Cihula	  confidence that their hardware is running the VMM or kernel that
1183c556e41SArnaldo Carvalho de Melo	  it was configured with, especially since they may be responsible for
11931625340SJoseph Cihula	  providing such assurances to VMs and services running on it.
12031625340SJoseph Cihula
12131625340SJoseph Cihula	  See <http://www.intel.com/technology/security/> for more information
12231625340SJoseph Cihula	  about Intel(R) TXT.
12331625340SJoseph Cihula	  See <http://tboot.sourceforge.net> for more information about tboot.
12431625340SJoseph Cihula	  See Documentation/intel_txt.txt for a description of how to enable
12531625340SJoseph Cihula	  Intel TXT support in a kernel boot.
12631625340SJoseph Cihula
12731625340SJoseph Cihula	  If you are unsure as to whether this is required, answer N.
12831625340SJoseph Cihula
129788084abSEric Parisconfig LSM_MMAP_MIN_ADDR
130024e6cb4SAndreas Schwab	int "Low address space for LSM to protect from user allocation"
131788084abSEric Paris	depends on SECURITY && SECURITY_SELINUX
132530b099dSColin Cross	default 32768 if ARM || (ARM64 && COMPAT)
133a58578e4SDave Jones	default 65536
134788084abSEric Paris	help
135788084abSEric Paris	  This is the portion of low virtual memory which should be protected
136788084abSEric Paris	  from userspace allocation.  Keeping a user from writing to low pages
137788084abSEric Paris	  can help reduce the impact of kernel NULL pointer bugs.
138788084abSEric Paris
139788084abSEric Paris	  For most ia64, ppc64 and x86 users with lots of address space
140788084abSEric Paris	  a value of 65536 is reasonable and should cause no problems.
141788084abSEric Paris	  On arm and other archs it should not be higher than 32768.
142788084abSEric Paris	  Programs which use vm86 functionality or have some need to map
143788084abSEric Paris	  this low address space will need the permission specific to the
144788084abSEric Paris	  systems running LSM.
145788084abSEric Paris
146f5509cc1SKees Cookconfig HAVE_HARDENED_USERCOPY_ALLOCATOR
147f5509cc1SKees Cook	bool
148f5509cc1SKees Cook	help
149f5509cc1SKees Cook	  The heap allocator implements __check_heap_object() for
150f5509cc1SKees Cook	  validating memory ranges against heap object sizes in
151f5509cc1SKees Cook	  support of CONFIG_HARDENED_USERCOPY.
152f5509cc1SKees Cook
153f5509cc1SKees Cookconfig HARDENED_USERCOPY
154f5509cc1SKees Cook	bool "Harden memory copies between kernel and userspace"
1556040e576SLinus Torvalds	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
15622ec1a2aSKees Cook	imply STRICT_DEVMEM
157f5509cc1SKees Cook	help
158f5509cc1SKees Cook	  This option checks for obviously wrong memory regions when
159f5509cc1SKees Cook	  copying memory to/from the kernel (via copy_to_user() and
160f5509cc1SKees Cook	  copy_from_user() functions) by rejecting memory ranges that
161f5509cc1SKees Cook	  are larger than the specified heap object, span multiple
16299c55fb1SGeert Uytterhoeven	  separately allocated pages, are not on the process stack,
163f5509cc1SKees Cook	  or are part of the kernel text. This kills entire classes
164f5509cc1SKees Cook	  of heap overflow exploits and similar kernel memory exposures.
165f5509cc1SKees Cook
1662d891fbcSKees Cookconfig HARDENED_USERCOPY_FALLBACK
1672d891fbcSKees Cook	bool "Allow usercopy whitelist violations to fallback to object size"
1682d891fbcSKees Cook	depends on HARDENED_USERCOPY
1692d891fbcSKees Cook	default y
1702d891fbcSKees Cook	help
1712d891fbcSKees Cook	  This is a temporary option that allows missing usercopy whitelists
1722d891fbcSKees Cook	  to be discovered via a WARN() to the kernel log, instead of
1732d891fbcSKees Cook	  rejecting the copy, falling back to non-whitelisted hardened
1742d891fbcSKees Cook	  usercopy that checks the slab allocation size instead of the
1752d891fbcSKees Cook	  whitelist size. This option will be removed once it seems like
1762d891fbcSKees Cook	  all missing usercopy whitelists have been identified and fixed.
1772d891fbcSKees Cook	  Booting with "slab_common.usercopy_fallback=Y/N" can change
1782d891fbcSKees Cook	  this setting.
1792d891fbcSKees Cook
1808e1f74eaSKees Cookconfig HARDENED_USERCOPY_PAGESPAN
1818e1f74eaSKees Cook	bool "Refuse to copy allocations that span multiple pages"
1828e1f74eaSKees Cook	depends on HARDENED_USERCOPY
18380a77045SLinus Torvalds	depends on EXPERT
1848e1f74eaSKees Cook	help
1858e1f74eaSKees Cook	  When a multi-page allocation is done without __GFP_COMP,
1868e1f74eaSKees Cook	  hardened usercopy will reject attempts to copy it. There are,
1878e1f74eaSKees Cook	  however, several cases of this in the kernel that have not all
1888e1f74eaSKees Cook	  been removed. This config is intended to be used only while
1898e1f74eaSKees Cook	  trying to find such users.
1908e1f74eaSKees Cook
1916974f0c4SDaniel Micayconfig FORTIFY_SOURCE
1926974f0c4SDaniel Micay	bool "Harden common str/mem functions against buffer overflows"
1936974f0c4SDaniel Micay	depends on ARCH_HAS_FORTIFY_SOURCE
1946974f0c4SDaniel Micay	help
1956974f0c4SDaniel Micay	  Detect overflows of buffers in common string and memory functions
1966974f0c4SDaniel Micay	  where the compiler can determine and validate the buffer sizes.
1976974f0c4SDaniel Micay
19864e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER
19964e90a8aSGreg Kroah-Hartman	bool "Force all usermode helper calls through a single binary"
20064e90a8aSGreg Kroah-Hartman	help
20164e90a8aSGreg Kroah-Hartman	  By default, the kernel can call many different userspace
20264e90a8aSGreg Kroah-Hartman	  binary programs through the "usermode helper" kernel
20364e90a8aSGreg Kroah-Hartman	  interface.  Some of these binaries are statically defined
20464e90a8aSGreg Kroah-Hartman	  either in the kernel code itself, or as a kernel configuration
20564e90a8aSGreg Kroah-Hartman	  option.  However, some of these are dynamically created at
20664e90a8aSGreg Kroah-Hartman	  runtime, or can be modified after the kernel has started up.
20764e90a8aSGreg Kroah-Hartman	  To provide an additional layer of security, route all of these
20864e90a8aSGreg Kroah-Hartman	  calls through a single executable that can not have its name
20964e90a8aSGreg Kroah-Hartman	  changed.
21064e90a8aSGreg Kroah-Hartman
21164e90a8aSGreg Kroah-Hartman	  Note, it is up to this single binary to then call the relevant
21264e90a8aSGreg Kroah-Hartman	  "real" usermode helper binary, based on the first argument
21364e90a8aSGreg Kroah-Hartman	  passed to it.  If desired, this program can filter and pick
21464e90a8aSGreg Kroah-Hartman	  and choose what real programs are called.
21564e90a8aSGreg Kroah-Hartman
21664e90a8aSGreg Kroah-Hartman	  If you wish for all usermode helper programs are to be
21764e90a8aSGreg Kroah-Hartman	  disabled, choose this option and then set
21864e90a8aSGreg Kroah-Hartman	  STATIC_USERMODEHELPER_PATH to an empty string.
21964e90a8aSGreg Kroah-Hartman
22064e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER_PATH
22164e90a8aSGreg Kroah-Hartman	string "Path to the static usermode helper binary"
22264e90a8aSGreg Kroah-Hartman	depends on STATIC_USERMODEHELPER
22364e90a8aSGreg Kroah-Hartman	default "/sbin/usermode-helper"
22464e90a8aSGreg Kroah-Hartman	help
22564e90a8aSGreg Kroah-Hartman	  The binary called by the kernel when any usermode helper
22664e90a8aSGreg Kroah-Hartman	  program is wish to be run.  The "real" application's name will
22764e90a8aSGreg Kroah-Hartman	  be in the first argument passed to this program on the command
22864e90a8aSGreg Kroah-Hartman	  line.
22964e90a8aSGreg Kroah-Hartman
23064e90a8aSGreg Kroah-Hartman	  If you wish for all usermode helper programs to be disabled,
23164e90a8aSGreg Kroah-Hartman	  specify an empty string here (i.e. "").
23264e90a8aSGreg Kroah-Hartman
2338636a1f9SMasahiro Yamadasource "security/selinux/Kconfig"
2348636a1f9SMasahiro Yamadasource "security/smack/Kconfig"
2358636a1f9SMasahiro Yamadasource "security/tomoyo/Kconfig"
2368636a1f9SMasahiro Yamadasource "security/apparmor/Kconfig"
2378636a1f9SMasahiro Yamadasource "security/loadpin/Kconfig"
2388636a1f9SMasahiro Yamadasource "security/yama/Kconfig"
2391da177e4SLinus Torvalds
2408636a1f9SMasahiro Yamadasource "security/integrity/Kconfig"
2413323eec9SMimi Zohar
2426e65f92fSJohn Johansenchoice
2436e65f92fSJohn Johansen	prompt "Default security module"
2446e65f92fSJohn Johansen	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
2456e65f92fSJohn Johansen	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
2466e65f92fSJohn Johansen	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
247f9ad1af5SJohn Johansen	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
2486e65f92fSJohn Johansen	default DEFAULT_SECURITY_DAC
2496e65f92fSJohn Johansen
2506e65f92fSJohn Johansen	help
2516e65f92fSJohn Johansen	  Select the security module that will be used by default if the
2526e65f92fSJohn Johansen	  kernel parameter security= is not specified.
2536e65f92fSJohn Johansen
2546e65f92fSJohn Johansen	config DEFAULT_SECURITY_SELINUX
2556e65f92fSJohn Johansen		bool "SELinux" if SECURITY_SELINUX=y
2566e65f92fSJohn Johansen
2576e65f92fSJohn Johansen	config DEFAULT_SECURITY_SMACK
2586e65f92fSJohn Johansen		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
2596e65f92fSJohn Johansen
2606e65f92fSJohn Johansen	config DEFAULT_SECURITY_TOMOYO
2616e65f92fSJohn Johansen		bool "TOMOYO" if SECURITY_TOMOYO=y
2626e65f92fSJohn Johansen
263f9ad1af5SJohn Johansen	config DEFAULT_SECURITY_APPARMOR
264f9ad1af5SJohn Johansen		bool "AppArmor" if SECURITY_APPARMOR=y
265f9ad1af5SJohn Johansen
2666e65f92fSJohn Johansen	config DEFAULT_SECURITY_DAC
2676e65f92fSJohn Johansen		bool "Unix Discretionary Access Controls"
2686e65f92fSJohn Johansen
2696e65f92fSJohn Johansenendchoice
2706e65f92fSJohn Johansen
2716e65f92fSJohn Johansenconfig DEFAULT_SECURITY
2726e65f92fSJohn Johansen	string
2736e65f92fSJohn Johansen	default "selinux" if DEFAULT_SECURITY_SELINUX
2746e65f92fSJohn Johansen	default "smack" if DEFAULT_SECURITY_SMACK
2756e65f92fSJohn Johansen	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
276f9ad1af5SJohn Johansen	default "apparmor" if DEFAULT_SECURITY_APPARMOR
2776e65f92fSJohn Johansen	default "" if DEFAULT_SECURITY_DAC
2786e65f92fSJohn Johansen
279*13e735c0SKees Cookconfig LSM
280*13e735c0SKees Cook	string "Ordered list of enabled LSMs"
281*13e735c0SKees Cook	default "integrity"
282*13e735c0SKees Cook	help
283*13e735c0SKees Cook	  A comma-separated list of LSMs, in initialization order.
284*13e735c0SKees Cook	  Any LSMs left off this list will be ignored.
285*13e735c0SKees Cook
286*13e735c0SKees Cook	  If unsure, leave this as the default.
287*13e735c0SKees Cook
2881da177e4SLinus Torvaldsendmenu
2891da177e4SLinus Torvalds
290