#
# Security configuration
#

menu "Security options"

config KEYS
	bool "Enable access key retention support"
	help
	  This option provides support for retaining authentication tokens and
	  access keys in the kernel.

	  It also includes provision of methods by which such keys might be
	  associated with a process so that network filesystems, encryption
	  support and the like can find them.

	  Furthermore, a special type of key is available that acts as a keyring:
	  a searchable sequence of keys. Each process is equipped with access
	  to five standard keyrings: UID-specific, GID-specific, session,
	  process and thread.

	  If you are unsure as to whether this is required, answer N.

config KEYS_DEBUG_PROC_KEYS
	bool "Enable the /proc/keys file by which all keys may be viewed"
	depends on KEYS
	help
	  This option turns on support for the /proc/keys file through which
	  all the keys on the system can be listed.

	  This option is a slight security risk in that it makes it possible
	  for anyone to see all the keys on the system. Normally the manager
	  pretends keys that are inaccessible to a process don't exist as far
	  as that process is concerned.

config SECURITY
	bool "Enable different security models"
	depends on SYSFS
	help
	  This allows you to choose different security modules to be
	  configured into your kernel.

	  If this option is not selected, the default Linux security
	  model will be used.

	  If you are unsure how to answer this question, answer N.

config SECURITY_NETWORK
	bool "Socket and Networking Security Hooks"
	depends on SECURITY
	help
	  This enables the socket and networking security hooks.
	  If enabled, a security module can use these hooks to
	  implement socket and networking access controls.
	  If you are unsure how to answer this question, answer N.

config SECURITY_NETWORK_XFRM
	bool "XFRM (IPSec) Networking Security Hooks"
	depends on XFRM && SECURITY_NETWORK
	help
	  This enables the XFRM (IPSec) networking security hooks.
	  If enabled, a security module can use these hooks to
	  implement per-packet access controls based on labels
	  derived from IPSec policy. Non-IPSec communications are
	  designated as unlabelled, and only sockets authorized
	  to communicate unlabelled data can send without using
	  IPSec.
	  If you are unsure how to answer this question, answer N.

config SECURITY_CAPABILITIES
	tristate "Default Linux Capabilities"
	depends on SECURITY
	help
	  This enables the "default" Linux capabilities functionality.
	  If you are unsure how to answer this question, answer Y.

config SECURITY_ROOTPLUG
	tristate "Root Plug Support"
	depends on USB && SECURITY
	help
	  This is a sample LSM module that should only be used as such.
	  It prevents any programs running with egid == 0 if a specific
	  USB device is not present in the system.

	  See <http://www.linuxjournal.com/article.php?sid=6279> for
	  more information about this module.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SECLVL
	tristate "BSD Secure Levels"
	depends on SECURITY
	select CRYPTO
	select CRYPTO_SHA1
	help
	  Implements BSD Secure Levels as an LSM. See
	  <file:Documentation/seclvl.txt> for instructions on how to use this
	  module.

	  If you are unsure how to answer this question, answer N.

source security/selinux/Kconfig

endmenu
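The help text for KEYS_DEBUG_PROC_KEYS notes that /proc/keys exposes every key on the system, which is exactly why it is useful on an audit host: an administrator can scan the listing for revoked keys that are still held, or for keys whose permission mask grants access to "other". The program below is an added example, not part of the kernel's Kconfig or of the key management code. It parses /proc/keys lines in the layout the kernel prints (serial, seven flag characters, usage count, timeout, permission mask, uid, gid, type, description), using the permission mask layout where the low six bits are the "other" class. The sample lines are constructed to match that layout and are not taken from any real system; the helper names are the example's own.

```c
/* Added example: parse /proc/keys output (as exposed by
 * CONFIG_KEYS_DEBUG_PROC_KEYS) and flag keys worth a second look.
 * Not kernel code; the sample lines are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct proc_key {
	unsigned int serial;
	char flags[8];      /* seven flag chars (I, R, D, Q, U, N, i) or '-', plus NUL */
	int usage;
	char timeout[8];    /* "perm" or a remaining lifetime such as "59s" */
	unsigned int perms; /* possessor/user/group/other mask, 8 bits each, low byte = other */
	int uid, gid;
	char type[16];
	char desc[128];
};

/* Constructed sample of what /proc/keys prints; not captured from a real host. */
static const char *const SAMPLE_KEYS[] = {
	"0a1b2c3d I--Q---     1 perm 1f3f0000     0     0 keyring   _ses: 1\n",
	"1e2f3a4b I--Q---     2 perm 3f010000  1000  1000 user      example-token: 16\n",
	"2f3a4b5c IR-Q---     1 perm 3f3f003f  1000  1000 user      stale-token: 16\n",
};
#define SAMPLE_KEYS_LEN (sizeof SAMPLE_KEYS / sizeof SAMPLE_KEYS[0])

/* Parse one /proc/keys line. Returns 1 on success, 0 on a malformed line. */
int parse_proc_keys_line(const char *line, struct proc_key *k)
{
	int consumed = 0;
	size_t len;

	memset(k, 0, sizeof(*k));
	if (sscanf(line, "%8x %7s %d %7s %8x %d %d %15s %n",
		   &k->serial, k->flags, &k->usage, k->timeout, &k->perms,
		   &k->uid, &k->gid, k->type, &consumed) != 8)
		return 0;

	/* The rest of the line is the description, which may contain spaces. */
	len = strcspn(line + consumed, "\n");
	if (len >= sizeof k->desc)
		len = sizeof k->desc - 1;
	memcpy(k->desc, line + consumed, len);
	k->desc[len] = '\0';
	return 1;
}

/* 'R' in the flags column means the key has been revoked but is still held. */
int key_is_revoked(const struct proc_key *k)
{
	return strchr(k->flags, 'R') != NULL;
}

/* Low six bits of the mask are the permissions granted to every other user. */
int perms_grant_other(unsigned int perms)
{
	return (perms & 0x3f) != 0;
}

/* Count listed keys that any user on the system may touch. */
int count_world_accessible(const char *const *lines, size_t n)
{
	struct proc_key k;
	int count = 0;
	size_t i;

	for (i = 0; i < n; i++)
		if (parse_proc_keys_line(lines[i], &k) && perms_grant_other(k.perms))
			count++;
	return count;
}

int main(void)
{
	struct proc_key k;
	size_t i;

	for (i = 0; i < SAMPLE_KEYS_LEN; i++) {
		if (!parse_proc_keys_line(SAMPLE_KEYS[i], &k)) {
			fprintf(stderr, "malformed line %zu\n", i);
			continue;
		}
		printf("%08x %-8s uid=%d %s%s%s\n", k.serial, k.type, k.uid, k.desc,
		       key_is_revoked(&k) ? " [revoked]" : "",
		       perms_grant_other(k.perms) ? " [world-accessible]" : "");
	}
	printf("world-accessible keys: %d\n",
	       count_world_accessible(SAMPLE_KEYS, SAMPLE_KEYS_LEN));
	return 0;
}
```

On a real host the same parser can be fed `/proc/keys` line by line; the point of the check is the help text's own caveat: once the file is enabled, every key is visible, so the listing should be reviewed for what it reveals rather than left as a debugging convenience.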