xref: /linux/security/Kconfig (revision 22ec1a2aea73b9dfe340dff7945bd85af4cc6280)
11da177e4SLinus Torvalds#
21da177e4SLinus Torvalds# Security configuration
31da177e4SLinus Torvalds#
41da177e4SLinus Torvalds
51da177e4SLinus Torvaldsmenu "Security options"
61da177e4SLinus Torvalds
7f0894940SDavid Howellssource security/keys/Kconfig
81da177e4SLinus Torvalds
9eaf06b24SDan Rosenbergconfig SECURITY_DMESG_RESTRICT
10eaf06b24SDan Rosenberg	bool "Restrict unprivileged access to the kernel syslog"
11eaf06b24SDan Rosenberg	default n
12eaf06b24SDan Rosenberg	help
13eaf06b24SDan Rosenberg	  This enforces restrictions on unprivileged users reading the kernel
14eaf06b24SDan Rosenberg	  syslog via dmesg(8).
15eaf06b24SDan Rosenberg
16eaf06b24SDan Rosenberg	  If this option is not selected, no restrictions will be enforced
17eaf06b24SDan Rosenberg	  unless the dmesg_restrict sysctl is explicitly set to (1).
18eaf06b24SDan Rosenberg
19eaf06b24SDan Rosenberg	  If you are unsure how to answer this question, answer N.
20eaf06b24SDan Rosenberg
211da177e4SLinus Torvaldsconfig SECURITY
221da177e4SLinus Torvalds	bool "Enable different security models"
232c40579bSAdrian Bunk	depends on SYSFS
242813893fSIulia Manda	depends on MULTIUSER
251da177e4SLinus Torvalds	help
261da177e4SLinus Torvalds	  This allows you to choose different security modules to be
271da177e4SLinus Torvalds	  configured into your kernel.
281da177e4SLinus Torvalds
291da177e4SLinus Torvalds	  If this option is not selected, the default Linux security
301da177e4SLinus Torvalds	  model will be used.
311da177e4SLinus Torvalds
321da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
331da177e4SLinus Torvalds
34dd0859dcSJames Morrisconfig SECURITY_WRITABLE_HOOKS
35dd0859dcSJames Morris	depends on SECURITY
36dd0859dcSJames Morris	bool
37dd0859dcSJames Morris	default n
38dd0859dcSJames Morris
39da31894eSEric Parisconfig SECURITYFS
40da31894eSEric Paris	bool "Enable the securityfs filesystem"
41da31894eSEric Paris	help
42da31894eSEric Paris	  This will build the securityfs filesystem.  It is currently used by
433323eec9SMimi Zohar	  the TPM bios character driver and IMA, an integrity provider.  It is
443323eec9SMimi Zohar	  not used by SELinux or SMACK.
45da31894eSEric Paris
46da31894eSEric Paris	  If you are unsure how to answer this question, answer N.
47da31894eSEric Paris
481da177e4SLinus Torvaldsconfig SECURITY_NETWORK
491da177e4SLinus Torvalds	bool "Socket and Networking Security Hooks"
501da177e4SLinus Torvalds	depends on SECURITY
511da177e4SLinus Torvalds	help
521da177e4SLinus Torvalds	  This enables the socket and networking security hooks.
531da177e4SLinus Torvalds	  If enabled, a security module can use these hooks to
541da177e4SLinus Torvalds	  implement socket and networking access controls.
551da177e4SLinus Torvalds	  If you are unsure how to answer this question, answer N.
561da177e4SLinus Torvalds
57d291f1a6SDaniel Jurgensconfig SECURITY_INFINIBAND
58d291f1a6SDaniel Jurgens	bool "Infiniband Security Hooks"
59d291f1a6SDaniel Jurgens	depends on SECURITY && INFINIBAND
60d291f1a6SDaniel Jurgens	help
61d291f1a6SDaniel Jurgens	  This enables the Infiniband security hooks.
62d291f1a6SDaniel Jurgens	  If enabled, a security module can use these hooks to
63d291f1a6SDaniel Jurgens	  implement Infiniband access controls.
64d291f1a6SDaniel Jurgens	  If you are unsure how to answer this question, answer N.
65d291f1a6SDaniel Jurgens
66df71837dSTrent Jaegerconfig SECURITY_NETWORK_XFRM
67df71837dSTrent Jaeger	bool "XFRM (IPSec) Networking Security Hooks"
68df71837dSTrent Jaeger	depends on XFRM && SECURITY_NETWORK
69df71837dSTrent Jaeger	help
70df71837dSTrent Jaeger	  This enables the XFRM (IPSec) networking security hooks.
71df71837dSTrent Jaeger	  If enabled, a security module can use these hooks to
72df71837dSTrent Jaeger	  implement per-packet access controls based on labels
73df71837dSTrent Jaeger	  derived from IPSec policy.  Non-IPSec communications are
74df71837dSTrent Jaeger	  designated as unlabelled, and only sockets authorized
75df71837dSTrent Jaeger	  to communicate unlabelled data can send without using
76df71837dSTrent Jaeger	  IPSec.
77df71837dSTrent Jaeger	  If you are unsure how to answer this question, answer N.
78df71837dSTrent Jaeger
79be6d3e56SKentaro Takedaconfig SECURITY_PATH
80be6d3e56SKentaro Takeda	bool "Security hooks for pathname based access control"
81be6d3e56SKentaro Takeda	depends on SECURITY
82be6d3e56SKentaro Takeda	help
83be6d3e56SKentaro Takeda	  This enables the security hooks for pathname based access control.
84be6d3e56SKentaro Takeda	  If enabled, a security module can use these hooks to
85be6d3e56SKentaro Takeda	  implement pathname based access controls.
86be6d3e56SKentaro Takeda	  If you are unsure how to answer this question, answer N.
87be6d3e56SKentaro Takeda
8831625340SJoseph Cihulaconfig INTEL_TXT
8931625340SJoseph Cihula	bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
9069575d38SShane Wang	depends on HAVE_INTEL_TXT
9131625340SJoseph Cihula	help
9231625340SJoseph Cihula	  This option enables support for booting the kernel with the
9331625340SJoseph Cihula	  Trusted Boot (tboot) module. This will utilize
9431625340SJoseph Cihula	  Intel(R) Trusted Execution Technology to perform a measured launch
9531625340SJoseph Cihula	  of the kernel. If the system does not support Intel(R) TXT, this
9631625340SJoseph Cihula	  will have no effect.
9731625340SJoseph Cihula
983c556e41SArnaldo Carvalho de Melo	  Intel TXT will provide higher assurance of system configuration and
9931625340SJoseph Cihula	  initial state as well as data reset protection.  This is used to
10031625340SJoseph Cihula	  create a robust initial kernel measurement and verification, which
10131625340SJoseph Cihula	  helps to ensure that kernel security mechanisms are functioning
10231625340SJoseph Cihula	  correctly. This level of protection requires a root of trust outside
10331625340SJoseph Cihula	  of the kernel itself.
10431625340SJoseph Cihula
10531625340SJoseph Cihula	  Intel TXT also helps solve real end user concerns about having
10631625340SJoseph Cihula	  confidence that their hardware is running the VMM or kernel that
1073c556e41SArnaldo Carvalho de Melo	  it was configured with, especially since they may be responsible for
10831625340SJoseph Cihula	  providing such assurances to VMs and services running on it.
10931625340SJoseph Cihula
11031625340SJoseph Cihula	  See <http://www.intel.com/technology/security/> for more information
11131625340SJoseph Cihula	  about Intel(R) TXT.
11231625340SJoseph Cihula	  See <http://tboot.sourceforge.net> for more information about tboot.
11331625340SJoseph Cihula	  See Documentation/intel_txt.txt for a description of how to enable
11431625340SJoseph Cihula	  Intel TXT support in a kernel boot.
11531625340SJoseph Cihula
11631625340SJoseph Cihula	  If you are unsure as to whether this is required, answer N.
11731625340SJoseph Cihula
118788084abSEric Parisconfig LSM_MMAP_MIN_ADDR
119024e6cb4SAndreas Schwab	int "Low address space for LSM to protect from user allocation"
120788084abSEric Paris	depends on SECURITY && SECURITY_SELINUX
121530b099dSColin Cross	default 32768 if ARM || (ARM64 && COMPAT)
122a58578e4SDave Jones	default 65536
123788084abSEric Paris	help
124788084abSEric Paris	  This is the portion of low virtual memory which should be protected
125788084abSEric Paris	  from userspace allocation.  Keeping a user from writing to low pages
126788084abSEric Paris	  can help reduce the impact of kernel NULL pointer bugs.
127788084abSEric Paris
128788084abSEric Paris	  For most ia64, ppc64 and x86 users with lots of address space
129788084abSEric Paris	  a value of 65536 is reasonable and should cause no problems.
130788084abSEric Paris	  On arm and other archs it should not be higher than 32768.
131788084abSEric Paris	  Programs which use vm86 functionality or have some need to map
132788084abSEric Paris	  this low address space will need the permission specific to the
133788084abSEric Paris	  systems running LSM.
134788084abSEric Paris
135f5509cc1SKees Cookconfig HAVE_HARDENED_USERCOPY_ALLOCATOR
136f5509cc1SKees Cook	bool
137f5509cc1SKees Cook	help
138f5509cc1SKees Cook	  The heap allocator implements __check_heap_object() for
139f5509cc1SKees Cook	  validating memory ranges against heap object sizes in
140f5509cc1SKees Cook	  support of CONFIG_HARDENED_USERCOPY.
141f5509cc1SKees Cook
142f5509cc1SKees Cookconfig HARDENED_USERCOPY
143f5509cc1SKees Cook	bool "Harden memory copies between kernel and userspace"
1446040e576SLinus Torvalds	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
145f5509cc1SKees Cook	select BUG
146*22ec1a2aSKees Cook	imply STRICT_DEVMEM
147f5509cc1SKees Cook	help
148f5509cc1SKees Cook	  This option checks for obviously wrong memory regions when
149f5509cc1SKees Cook	  copying memory to/from the kernel (via copy_to_user() and
150f5509cc1SKees Cook	  copy_from_user() functions) by rejecting memory ranges that
151f5509cc1SKees Cook	  are larger than the specified heap object, span multiple
15299c55fb1SGeert Uytterhoeven	  separately allocated pages, are not on the process stack,
153f5509cc1SKees Cook	  or are part of the kernel text. This kills entire classes
154f5509cc1SKees Cook	  of heap overflow exploits and similar kernel memory exposures.
155f5509cc1SKees Cook
1568e1f74eaSKees Cookconfig HARDENED_USERCOPY_PAGESPAN
1578e1f74eaSKees Cook	bool "Refuse to copy allocations that span multiple pages"
1588e1f74eaSKees Cook	depends on HARDENED_USERCOPY
15980a77045SLinus Torvalds	depends on EXPERT
1608e1f74eaSKees Cook	help
1618e1f74eaSKees Cook	  When a multi-page allocation is done without __GFP_COMP,
1628e1f74eaSKees Cook	  hardened usercopy will reject attempts to copy it. There are,
1638e1f74eaSKees Cook	  however, several cases of this in the kernel that have not all
1648e1f74eaSKees Cook	  been removed. This config is intended to be used only while
1658e1f74eaSKees Cook	  trying to find such users.
1668e1f74eaSKees Cook
1676974f0c4SDaniel Micayconfig FORTIFY_SOURCE
1686974f0c4SDaniel Micay	bool "Harden common str/mem functions against buffer overflows"
1696974f0c4SDaniel Micay	depends on ARCH_HAS_FORTIFY_SOURCE
1706974f0c4SDaniel Micay	help
1716974f0c4SDaniel Micay	  Detect overflows of buffers in common string and memory functions
1726974f0c4SDaniel Micay	  where the compiler can determine and validate the buffer sizes.
1736974f0c4SDaniel Micay
17464e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER
17564e90a8aSGreg Kroah-Hartman	bool "Force all usermode helper calls through a single binary"
17664e90a8aSGreg Kroah-Hartman	help
17764e90a8aSGreg Kroah-Hartman	  By default, the kernel can call many different userspace
17864e90a8aSGreg Kroah-Hartman	  binary programs through the "usermode helper" kernel
17964e90a8aSGreg Kroah-Hartman	  interface.  Some of these binaries are statically defined
18064e90a8aSGreg Kroah-Hartman	  either in the kernel code itself, or as a kernel configuration
18164e90a8aSGreg Kroah-Hartman	  option.  However, some of these are dynamically created at
18264e90a8aSGreg Kroah-Hartman	  runtime, or can be modified after the kernel has started up.
18364e90a8aSGreg Kroah-Hartman	  To provide an additional layer of security, route all of these
18464e90a8aSGreg Kroah-Hartman	  calls through a single executable that can not have its name
18564e90a8aSGreg Kroah-Hartman	  changed.
18664e90a8aSGreg Kroah-Hartman
18764e90a8aSGreg Kroah-Hartman	  Note, it is up to this single binary to then call the relevant
18864e90a8aSGreg Kroah-Hartman	  "real" usermode helper binary, based on the first argument
18964e90a8aSGreg Kroah-Hartman	  passed to it.  If desired, this program can filter and pick
19064e90a8aSGreg Kroah-Hartman	  and choose what real programs are called.
19164e90a8aSGreg Kroah-Hartman
19264e90a8aSGreg Kroah-Hartman	  If you wish for all usermode helper programs are to be
19364e90a8aSGreg Kroah-Hartman	  disabled, choose this option and then set
19464e90a8aSGreg Kroah-Hartman	  STATIC_USERMODEHELPER_PATH to an empty string.
19564e90a8aSGreg Kroah-Hartman
19664e90a8aSGreg Kroah-Hartmanconfig STATIC_USERMODEHELPER_PATH
19764e90a8aSGreg Kroah-Hartman	string "Path to the static usermode helper binary"
19864e90a8aSGreg Kroah-Hartman	depends on STATIC_USERMODEHELPER
19964e90a8aSGreg Kroah-Hartman	default "/sbin/usermode-helper"
20064e90a8aSGreg Kroah-Hartman	help
20164e90a8aSGreg Kroah-Hartman	  The binary called by the kernel when any usermode helper
20264e90a8aSGreg Kroah-Hartman	  program is wish to be run.  The "real" application's name will
20364e90a8aSGreg Kroah-Hartman	  be in the first argument passed to this program on the command
20464e90a8aSGreg Kroah-Hartman	  line.
20564e90a8aSGreg Kroah-Hartman
20664e90a8aSGreg Kroah-Hartman	  If you wish for all usermode helper programs to be disabled,
20764e90a8aSGreg Kroah-Hartman	  specify an empty string here (i.e. "").
20864e90a8aSGreg Kroah-Hartman
2091da177e4SLinus Torvaldssource security/selinux/Kconfig
210e114e473SCasey Schauflersource security/smack/Kconfig
21100d7d6f8SKentaro Takedasource security/tomoyo/Kconfig
212f9ad1af5SJohn Johansensource security/apparmor/Kconfig
2139b091556SKees Cooksource security/loadpin/Kconfig
2142d514487SKees Cooksource security/yama/Kconfig
2151da177e4SLinus Torvalds
216f381c272SMimi Zoharsource security/integrity/Kconfig
2173323eec9SMimi Zohar
2186e65f92fSJohn Johansenchoice
2196e65f92fSJohn Johansen	prompt "Default security module"
2206e65f92fSJohn Johansen	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
2216e65f92fSJohn Johansen	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
2226e65f92fSJohn Johansen	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
223f9ad1af5SJohn Johansen	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
2246e65f92fSJohn Johansen	default DEFAULT_SECURITY_DAC
2256e65f92fSJohn Johansen
2266e65f92fSJohn Johansen	help
2276e65f92fSJohn Johansen	  Select the security module that will be used by default if the
2286e65f92fSJohn Johansen	  kernel parameter security= is not specified.
2296e65f92fSJohn Johansen
2306e65f92fSJohn Johansen	config DEFAULT_SECURITY_SELINUX
2316e65f92fSJohn Johansen		bool "SELinux" if SECURITY_SELINUX=y
2326e65f92fSJohn Johansen
2336e65f92fSJohn Johansen	config DEFAULT_SECURITY_SMACK
2346e65f92fSJohn Johansen		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
2356e65f92fSJohn Johansen
2366e65f92fSJohn Johansen	config DEFAULT_SECURITY_TOMOYO
2376e65f92fSJohn Johansen		bool "TOMOYO" if SECURITY_TOMOYO=y
2386e65f92fSJohn Johansen
239f9ad1af5SJohn Johansen	config DEFAULT_SECURITY_APPARMOR
240f9ad1af5SJohn Johansen		bool "AppArmor" if SECURITY_APPARMOR=y
241f9ad1af5SJohn Johansen
2426e65f92fSJohn Johansen	config DEFAULT_SECURITY_DAC
2436e65f92fSJohn Johansen		bool "Unix Discretionary Access Controls"
2446e65f92fSJohn Johansen
2456e65f92fSJohn Johansenendchoice
2466e65f92fSJohn Johansen
2476e65f92fSJohn Johansenconfig DEFAULT_SECURITY
2486e65f92fSJohn Johansen	string
2496e65f92fSJohn Johansen	default "selinux" if DEFAULT_SECURITY_SELINUX
2506e65f92fSJohn Johansen	default "smack" if DEFAULT_SECURITY_SMACK
2516e65f92fSJohn Johansen	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
252f9ad1af5SJohn Johansen	default "apparmor" if DEFAULT_SECURITY_APPARMOR
2536e65f92fSJohn Johansen	default "" if DEFAULT_SECURITY_DAC
2546e65f92fSJohn Johansen
2551da177e4SLinus Torvaldsendmenu
2561da177e4SLinus Torvalds
257