11da177e4SLinus Torvalds# 21da177e4SLinus Torvalds# Security configuration 31da177e4SLinus Torvalds# 41da177e4SLinus Torvalds 51da177e4SLinus Torvaldsmenu "Security options" 61da177e4SLinus Torvalds 78636a1f9SMasahiro Yamadasource "security/keys/Kconfig" 81da177e4SLinus Torvalds 9eaf06b24SDan Rosenbergconfig SECURITY_DMESG_RESTRICT 10eaf06b24SDan Rosenberg bool "Restrict unprivileged access to the kernel syslog" 11eaf06b24SDan Rosenberg default n 12eaf06b24SDan Rosenberg help 13eaf06b24SDan Rosenberg This enforces restrictions on unprivileged users reading the kernel 14eaf06b24SDan Rosenberg syslog via dmesg(8). 15eaf06b24SDan Rosenberg 16eaf06b24SDan Rosenberg If this option is not selected, no restrictions will be enforced 17eaf06b24SDan Rosenberg unless the dmesg_restrict sysctl is explicitly set to (1). 18eaf06b24SDan Rosenberg 19eaf06b24SDan Rosenberg If you are unsure how to answer this question, answer N. 20eaf06b24SDan Rosenberg 211da177e4SLinus Torvaldsconfig SECURITY 221da177e4SLinus Torvalds bool "Enable different security models" 232c40579bSAdrian Bunk depends on SYSFS 242813893fSIulia Manda depends on MULTIUSER 251da177e4SLinus Torvalds help 261da177e4SLinus Torvalds This allows you to choose different security modules to be 271da177e4SLinus Torvalds configured into your kernel. 281da177e4SLinus Torvalds 291da177e4SLinus Torvalds If this option is not selected, the default Linux security 301da177e4SLinus Torvalds model will be used. 311da177e4SLinus Torvalds 321da177e4SLinus Torvalds If you are unsure how to answer this question, answer N. 331da177e4SLinus Torvalds 34dd0859dcSJames Morrisconfig SECURITY_WRITABLE_HOOKS 35dd0859dcSJames Morris depends on SECURITY 36dd0859dcSJames Morris bool 37dd0859dcSJames Morris default n 38dd0859dcSJames Morris 39da31894eSEric Parisconfig SECURITYFS 40da31894eSEric Paris bool "Enable the securityfs filesystem" 41da31894eSEric Paris help 42da31894eSEric Paris This will build the securityfs filesystem. It is currently used by 433323eec9SMimi Zohar the TPM bios character driver and IMA, an integrity provider. It is 443323eec9SMimi Zohar not used by SELinux or SMACK. 45da31894eSEric Paris 46da31894eSEric Paris If you are unsure how to answer this question, answer N. 47da31894eSEric Paris 481da177e4SLinus Torvaldsconfig SECURITY_NETWORK 491da177e4SLinus Torvalds bool "Socket and Networking Security Hooks" 501da177e4SLinus Torvalds depends on SECURITY 511da177e4SLinus Torvalds help 521da177e4SLinus Torvalds This enables the socket and networking security hooks. 531da177e4SLinus Torvalds If enabled, a security module can use these hooks to 541da177e4SLinus Torvalds implement socket and networking access controls. 551da177e4SLinus Torvalds If you are unsure how to answer this question, answer N. 561da177e4SLinus Torvalds 57385ce0eaSDave Hansenconfig PAGE_TABLE_ISOLATION 58385ce0eaSDave Hansen bool "Remove the kernel mapping in user mode" 5987faa0d9SThomas Gleixner default y 6061a6bd83SJoerg Roedel depends on (X86_64 || X86_PAE) && !UML 61385ce0eaSDave Hansen help 62385ce0eaSDave Hansen This feature reduces the number of hardware side channels by 63385ce0eaSDave Hansen ensuring that the majority of kernel addresses are not mapped 64385ce0eaSDave Hansen into userspace. 65385ce0eaSDave Hansen 66a237f762SW. Trevor King See Documentation/x86/pti.txt for more details. 67385ce0eaSDave Hansen 68d291f1a6SDaniel Jurgensconfig SECURITY_INFINIBAND 69d291f1a6SDaniel Jurgens bool "Infiniband Security Hooks" 70d291f1a6SDaniel Jurgens depends on SECURITY && INFINIBAND 71d291f1a6SDaniel Jurgens help 72d291f1a6SDaniel Jurgens This enables the Infiniband security hooks. 73d291f1a6SDaniel Jurgens If enabled, a security module can use these hooks to 74d291f1a6SDaniel Jurgens implement Infiniband access controls. 75d291f1a6SDaniel Jurgens If you are unsure how to answer this question, answer N. 76d291f1a6SDaniel Jurgens 77df71837dSTrent Jaegerconfig SECURITY_NETWORK_XFRM 78df71837dSTrent Jaeger bool "XFRM (IPSec) Networking Security Hooks" 79df71837dSTrent Jaeger depends on XFRM && SECURITY_NETWORK 80df71837dSTrent Jaeger help 81df71837dSTrent Jaeger This enables the XFRM (IPSec) networking security hooks. 82df71837dSTrent Jaeger If enabled, a security module can use these hooks to 83df71837dSTrent Jaeger implement per-packet access controls based on labels 84df71837dSTrent Jaeger derived from IPSec policy. Non-IPSec communications are 85df71837dSTrent Jaeger designated as unlabelled, and only sockets authorized 86df71837dSTrent Jaeger to communicate unlabelled data can send without using 87df71837dSTrent Jaeger IPSec. 88df71837dSTrent Jaeger If you are unsure how to answer this question, answer N. 89df71837dSTrent Jaeger 90be6d3e56SKentaro Takedaconfig SECURITY_PATH 91be6d3e56SKentaro Takeda bool "Security hooks for pathname based access control" 92be6d3e56SKentaro Takeda depends on SECURITY 93be6d3e56SKentaro Takeda help 94be6d3e56SKentaro Takeda This enables the security hooks for pathname based access control. 95be6d3e56SKentaro Takeda If enabled, a security module can use these hooks to 96be6d3e56SKentaro Takeda implement pathname based access controls. 97be6d3e56SKentaro Takeda If you are unsure how to answer this question, answer N. 98be6d3e56SKentaro Takeda 9931625340SJoseph Cihulaconfig INTEL_TXT 10031625340SJoseph Cihula bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 10169575d38SShane Wang depends on HAVE_INTEL_TXT 10231625340SJoseph Cihula help 10331625340SJoseph Cihula This option enables support for booting the kernel with the 10431625340SJoseph Cihula Trusted Boot (tboot) module. This will utilize 10531625340SJoseph Cihula Intel(R) Trusted Execution Technology to perform a measured launch 10631625340SJoseph Cihula of the kernel. If the system does not support Intel(R) TXT, this 10731625340SJoseph Cihula will have no effect. 10831625340SJoseph Cihula 1093c556e41SArnaldo Carvalho de Melo Intel TXT will provide higher assurance of system configuration and 11031625340SJoseph Cihula initial state as well as data reset protection. This is used to 11131625340SJoseph Cihula create a robust initial kernel measurement and verification, which 11231625340SJoseph Cihula helps to ensure that kernel security mechanisms are functioning 11331625340SJoseph Cihula correctly. This level of protection requires a root of trust outside 11431625340SJoseph Cihula of the kernel itself. 11531625340SJoseph Cihula 11631625340SJoseph Cihula Intel TXT also helps solve real end user concerns about having 11731625340SJoseph Cihula confidence that their hardware is running the VMM or kernel that 1183c556e41SArnaldo Carvalho de Melo it was configured with, especially since they may be responsible for 11931625340SJoseph Cihula providing such assurances to VMs and services running on it. 12031625340SJoseph Cihula 12131625340SJoseph Cihula See <http://www.intel.com/technology/security/> for more information 12231625340SJoseph Cihula about Intel(R) TXT. 12331625340SJoseph Cihula See <http://tboot.sourceforge.net> for more information about tboot. 12431625340SJoseph Cihula See Documentation/intel_txt.txt for a description of how to enable 12531625340SJoseph Cihula Intel TXT support in a kernel boot. 12631625340SJoseph Cihula 12731625340SJoseph Cihula If you are unsure as to whether this is required, answer N. 12831625340SJoseph Cihula 129788084abSEric Parisconfig LSM_MMAP_MIN_ADDR 130024e6cb4SAndreas Schwab int "Low address space for LSM to protect from user allocation" 131788084abSEric Paris depends on SECURITY && SECURITY_SELINUX 132530b099dSColin Cross default 32768 if ARM || (ARM64 && COMPAT) 133a58578e4SDave Jones default 65536 134788084abSEric Paris help 135788084abSEric Paris This is the portion of low virtual memory which should be protected 136788084abSEric Paris from userspace allocation. Keeping a user from writing to low pages 137788084abSEric Paris can help reduce the impact of kernel NULL pointer bugs. 138788084abSEric Paris 139788084abSEric Paris For most ia64, ppc64 and x86 users with lots of address space 140788084abSEric Paris a value of 65536 is reasonable and should cause no problems. 141788084abSEric Paris On arm and other archs it should not be higher than 32768. 142788084abSEric Paris Programs which use vm86 functionality or have some need to map 143788084abSEric Paris this low address space will need the permission specific to the 144788084abSEric Paris systems running LSM. 145788084abSEric Paris 146f5509cc1SKees Cookconfig HAVE_HARDENED_USERCOPY_ALLOCATOR 147f5509cc1SKees Cook bool 148f5509cc1SKees Cook help 149f5509cc1SKees Cook The heap allocator implements __check_heap_object() for 150f5509cc1SKees Cook validating memory ranges against heap object sizes in 151f5509cc1SKees Cook support of CONFIG_HARDENED_USERCOPY. 152f5509cc1SKees Cook 153f5509cc1SKees Cookconfig HARDENED_USERCOPY 154f5509cc1SKees Cook bool "Harden memory copies between kernel and userspace" 1556040e576SLinus Torvalds depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 15622ec1a2aSKees Cook imply STRICT_DEVMEM 157f5509cc1SKees Cook help 158f5509cc1SKees Cook This option checks for obviously wrong memory regions when 159f5509cc1SKees Cook copying memory to/from the kernel (via copy_to_user() and 160f5509cc1SKees Cook copy_from_user() functions) by rejecting memory ranges that 161f5509cc1SKees Cook are larger than the specified heap object, span multiple 16299c55fb1SGeert Uytterhoeven separately allocated pages, are not on the process stack, 163f5509cc1SKees Cook or are part of the kernel text. This kills entire classes 164f5509cc1SKees Cook of heap overflow exploits and similar kernel memory exposures. 165f5509cc1SKees Cook 1662d891fbcSKees Cookconfig HARDENED_USERCOPY_FALLBACK 1672d891fbcSKees Cook bool "Allow usercopy whitelist violations to fallback to object size" 1682d891fbcSKees Cook depends on HARDENED_USERCOPY 1692d891fbcSKees Cook default y 1702d891fbcSKees Cook help 1712d891fbcSKees Cook This is a temporary option that allows missing usercopy whitelists 1722d891fbcSKees Cook to be discovered via a WARN() to the kernel log, instead of 1732d891fbcSKees Cook rejecting the copy, falling back to non-whitelisted hardened 1742d891fbcSKees Cook usercopy that checks the slab allocation size instead of the 1752d891fbcSKees Cook whitelist size. This option will be removed once it seems like 1762d891fbcSKees Cook all missing usercopy whitelists have been identified and fixed. 1772d891fbcSKees Cook Booting with "slab_common.usercopy_fallback=Y/N" can change 1782d891fbcSKees Cook this setting. 1792d891fbcSKees Cook 1808e1f74eaSKees Cookconfig HARDENED_USERCOPY_PAGESPAN 1818e1f74eaSKees Cook bool "Refuse to copy allocations that span multiple pages" 1828e1f74eaSKees Cook depends on HARDENED_USERCOPY 18380a77045SLinus Torvalds depends on EXPERT 1848e1f74eaSKees Cook help 1858e1f74eaSKees Cook When a multi-page allocation is done without __GFP_COMP, 1868e1f74eaSKees Cook hardened usercopy will reject attempts to copy it. There are, 1878e1f74eaSKees Cook however, several cases of this in the kernel that have not all 1888e1f74eaSKees Cook been removed. This config is intended to be used only while 1898e1f74eaSKees Cook trying to find such users. 1908e1f74eaSKees Cook 1916974f0c4SDaniel Micayconfig FORTIFY_SOURCE 1926974f0c4SDaniel Micay bool "Harden common str/mem functions against buffer overflows" 1936974f0c4SDaniel Micay depends on ARCH_HAS_FORTIFY_SOURCE 1946974f0c4SDaniel Micay help 1956974f0c4SDaniel Micay Detect overflows of buffers in common string and memory functions 1966974f0c4SDaniel Micay where the compiler can determine and validate the buffer sizes. 1976974f0c4SDaniel Micay 19864e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER 19964e90a8aSGreg Kroah-Hartman bool "Force all usermode helper calls through a single binary" 20064e90a8aSGreg Kroah-Hartman help 20164e90a8aSGreg Kroah-Hartman By default, the kernel can call many different userspace 20264e90a8aSGreg Kroah-Hartman binary programs through the "usermode helper" kernel 20364e90a8aSGreg Kroah-Hartman interface. Some of these binaries are statically defined 20464e90a8aSGreg Kroah-Hartman either in the kernel code itself, or as a kernel configuration 20564e90a8aSGreg Kroah-Hartman option. However, some of these are dynamically created at 20664e90a8aSGreg Kroah-Hartman runtime, or can be modified after the kernel has started up. 20764e90a8aSGreg Kroah-Hartman To provide an additional layer of security, route all of these 20864e90a8aSGreg Kroah-Hartman calls through a single executable that can not have its name 20964e90a8aSGreg Kroah-Hartman changed. 21064e90a8aSGreg Kroah-Hartman 21164e90a8aSGreg Kroah-Hartman Note, it is up to this single binary to then call the relevant 21264e90a8aSGreg Kroah-Hartman "real" usermode helper binary, based on the first argument 21364e90a8aSGreg Kroah-Hartman passed to it. If desired, this program can filter and pick 21464e90a8aSGreg Kroah-Hartman and choose what real programs are called. 21564e90a8aSGreg Kroah-Hartman 21664e90a8aSGreg Kroah-Hartman If you wish for all usermode helper programs are to be 21764e90a8aSGreg Kroah-Hartman disabled, choose this option and then set 21864e90a8aSGreg Kroah-Hartman STATIC_USERMODEHELPER_PATH to an empty string. 21964e90a8aSGreg Kroah-Hartman 22064e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER_PATH 22164e90a8aSGreg Kroah-Hartman string "Path to the static usermode helper binary" 22264e90a8aSGreg Kroah-Hartman depends on STATIC_USERMODEHELPER 22364e90a8aSGreg Kroah-Hartman default "/sbin/usermode-helper" 22464e90a8aSGreg Kroah-Hartman help 22564e90a8aSGreg Kroah-Hartman The binary called by the kernel when any usermode helper 22664e90a8aSGreg Kroah-Hartman program is wish to be run. The "real" application's name will 22764e90a8aSGreg Kroah-Hartman be in the first argument passed to this program on the command 22864e90a8aSGreg Kroah-Hartman line. 22964e90a8aSGreg Kroah-Hartman 23064e90a8aSGreg Kroah-Hartman If you wish for all usermode helper programs to be disabled, 23164e90a8aSGreg Kroah-Hartman specify an empty string here (i.e. ""). 23264e90a8aSGreg Kroah-Hartman 2338636a1f9SMasahiro Yamadasource "security/selinux/Kconfig" 2348636a1f9SMasahiro Yamadasource "security/smack/Kconfig" 2358636a1f9SMasahiro Yamadasource "security/tomoyo/Kconfig" 2368636a1f9SMasahiro Yamadasource "security/apparmor/Kconfig" 2378636a1f9SMasahiro Yamadasource "security/loadpin/Kconfig" 2388636a1f9SMasahiro Yamadasource "security/yama/Kconfig" 2391da177e4SLinus Torvalds 2408636a1f9SMasahiro Yamadasource "security/integrity/Kconfig" 2413323eec9SMimi Zohar 2426e65f92fSJohn Johansenchoice 2436e65f92fSJohn Johansen prompt "Default security module" 2446e65f92fSJohn Johansen default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 2456e65f92fSJohn Johansen default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 2466e65f92fSJohn Johansen default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 247f9ad1af5SJohn Johansen default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 2486e65f92fSJohn Johansen default DEFAULT_SECURITY_DAC 2496e65f92fSJohn Johansen 2506e65f92fSJohn Johansen help 2516e65f92fSJohn Johansen Select the security module that will be used by default if the 2526e65f92fSJohn Johansen kernel parameter security= is not specified. 2536e65f92fSJohn Johansen 2546e65f92fSJohn Johansen config DEFAULT_SECURITY_SELINUX 2556e65f92fSJohn Johansen bool "SELinux" if SECURITY_SELINUX=y 2566e65f92fSJohn Johansen 2576e65f92fSJohn Johansen config DEFAULT_SECURITY_SMACK 2586e65f92fSJohn Johansen bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 2596e65f92fSJohn Johansen 2606e65f92fSJohn Johansen config DEFAULT_SECURITY_TOMOYO 2616e65f92fSJohn Johansen bool "TOMOYO" if SECURITY_TOMOYO=y 2626e65f92fSJohn Johansen 263f9ad1af5SJohn Johansen config DEFAULT_SECURITY_APPARMOR 264f9ad1af5SJohn Johansen bool "AppArmor" if SECURITY_APPARMOR=y 265f9ad1af5SJohn Johansen 2666e65f92fSJohn Johansen config DEFAULT_SECURITY_DAC 2676e65f92fSJohn Johansen bool "Unix Discretionary Access Controls" 2686e65f92fSJohn Johansen 2696e65f92fSJohn Johansenendchoice 2706e65f92fSJohn Johansen 2716e65f92fSJohn Johansenconfig DEFAULT_SECURITY 2726e65f92fSJohn Johansen string 2736e65f92fSJohn Johansen default "selinux" if DEFAULT_SECURITY_SELINUX 2746e65f92fSJohn Johansen default "smack" if DEFAULT_SECURITY_SMACK 2756e65f92fSJohn Johansen default "tomoyo" if DEFAULT_SECURITY_TOMOYO 276f9ad1af5SJohn Johansen default "apparmor" if DEFAULT_SECURITY_APPARMOR 2776e65f92fSJohn Johansen default "" if DEFAULT_SECURITY_DAC 2786e65f92fSJohn Johansen 279*13e735c0SKees Cookconfig LSM 280*13e735c0SKees Cook string "Ordered list of enabled LSMs" 281*13e735c0SKees Cook default "integrity" 282*13e735c0SKees Cook help 283*13e735c0SKees Cook A comma-separated list of LSMs, in initialization order. 284*13e735c0SKees Cook Any LSMs left off this list will be ignored. 285*13e735c0SKees Cook 286*13e735c0SKees Cook If unsure, leave this as the default. 287*13e735c0SKees Cook 2881da177e4SLinus Torvaldsendmenu 2891da177e4SLinus Torvalds 290