1# SPDX-License-Identifier: GPL-2.0-only 2# 3# Security configuration 4# 5 6menu "Security options" 7 8source "security/keys/Kconfig" 9 10config SECURITY_DMESG_RESTRICT 11 bool "Restrict unprivileged access to the kernel syslog" 12 default n 13 help 14 This enforces restrictions on unprivileged users reading the kernel 15 syslog via dmesg(8). 16 17 If this option is not selected, no restrictions will be enforced 18 unless the dmesg_restrict sysctl is explicitly set to (1). 19 20 If you are unsure how to answer this question, answer N. 21 22config SECURITY 23 bool "Enable different security models" 24 depends on SYSFS 25 depends on MULTIUSER 26 help 27 This allows you to choose different security modules to be 28 configured into your kernel. 29 30 If this option is not selected, the default Linux security 31 model will be used. 32 33 If you are unsure how to answer this question, answer N. 34 35config SECURITYFS 36 bool "Enable the securityfs filesystem" 37 help 38 This will build the securityfs filesystem. It is currently used by 39 various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). 40 41 If you are unsure how to answer this question, answer N. 42 43config SECURITY_NETWORK 44 bool "Socket and Networking Security Hooks" 45 depends on SECURITY 46 help 47 This enables the socket and networking security hooks. 48 If enabled, a security module can use these hooks to 49 implement socket and networking access controls. 50 If you are unsure how to answer this question, answer N. 51 52config SECURITY_INFINIBAND 53 bool "Infiniband Security Hooks" 54 depends on SECURITY && INFINIBAND 55 help 56 This enables the Infiniband security hooks. 57 If enabled, a security module can use these hooks to 58 implement Infiniband access controls. 59 If you are unsure how to answer this question, answer N. 60 61config SECURITY_NETWORK_XFRM 62 bool "XFRM (IPSec) Networking Security Hooks" 63 depends on XFRM && SECURITY_NETWORK 64 help 65 This enables the XFRM (IPSec) networking security hooks. 66 If enabled, a security module can use these hooks to 67 implement per-packet access controls based on labels 68 derived from IPSec policy. Non-IPSec communications are 69 designated as unlabelled, and only sockets authorized 70 to communicate unlabelled data can send without using 71 IPSec. 72 If you are unsure how to answer this question, answer N. 73 74config SECURITY_PATH 75 bool "Security hooks for pathname based access control" 76 depends on SECURITY 77 help 78 This enables the security hooks for pathname based access control. 79 If enabled, a security module can use these hooks to 80 implement pathname based access controls. 81 If you are unsure how to answer this question, answer N. 82 83config INTEL_TXT 84 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 85 depends on HAVE_INTEL_TXT 86 help 87 This option enables support for booting the kernel with the 88 Trusted Boot (tboot) module. This will utilize 89 Intel(R) Trusted Execution Technology to perform a measured launch 90 of the kernel. If the system does not support Intel(R) TXT, this 91 will have no effect. 92 93 Intel TXT will provide higher assurance of system configuration and 94 initial state as well as data reset protection. This is used to 95 create a robust initial kernel measurement and verification, which 96 helps to ensure that kernel security mechanisms are functioning 97 correctly. This level of protection requires a root of trust outside 98 of the kernel itself. 99 100 Intel TXT also helps solve real end user concerns about having 101 confidence that their hardware is running the VMM or kernel that 102 it was configured with, especially since they may be responsible for 103 providing such assurances to VMs and services running on it. 104 105 See <https://www.intel.com/technology/security/> for more information 106 about Intel(R) TXT. 107 See <http://tboot.sourceforge.net> for more information about tboot. 108 See Documentation/arch/x86/intel_txt.rst for a description of how to enable 109 Intel TXT support in a kernel boot. 110 111 If you are unsure as to whether this is required, answer N. 112 113config LSM_MMAP_MIN_ADDR 114 int "Low address space for LSM to protect from user allocation" 115 depends on SECURITY && SECURITY_SELINUX 116 default 32768 if ARM || (ARM64 && COMPAT) 117 default 65536 118 help 119 This is the portion of low virtual memory which should be protected 120 from userspace allocation. Keeping a user from writing to low pages 121 can help reduce the impact of kernel NULL pointer bugs. 122 123 For most ia64, ppc64 and x86 users with lots of address space 124 a value of 65536 is reasonable and should cause no problems. 125 On arm and other archs it should not be higher than 32768. 126 Programs which use vm86 functionality or have some need to map 127 this low address space will need the permission specific to the 128 systems running LSM. 129 130config HARDENED_USERCOPY 131 bool "Harden memory copies between kernel and userspace" 132 imply STRICT_DEVMEM 133 help 134 This option checks for obviously wrong memory regions when 135 copying memory to/from the kernel (via copy_to_user() and 136 copy_from_user() functions) by rejecting memory ranges that 137 are larger than the specified heap object, span multiple 138 separately allocated pages, are not on the process stack, 139 or are part of the kernel text. This prevents entire classes 140 of heap overflow exploits and similar kernel memory exposures. 141 142config FORTIFY_SOURCE 143 bool "Harden common str/mem functions against buffer overflows" 144 depends on ARCH_HAS_FORTIFY_SOURCE 145 # https://bugs.llvm.org/show_bug.cgi?id=41459 146 depends on !CC_IS_CLANG || CLANG_VERSION >= 120001 147 # https://github.com/llvm/llvm-project/issues/53645 148 depends on !CC_IS_CLANG || !X86_32 149 help 150 Detect overflows of buffers in common string and memory functions 151 where the compiler can determine and validate the buffer sizes. 152 153config STATIC_USERMODEHELPER 154 bool "Force all usermode helper calls through a single binary" 155 help 156 By default, the kernel can call many different userspace 157 binary programs through the "usermode helper" kernel 158 interface. Some of these binaries are statically defined 159 either in the kernel code itself, or as a kernel configuration 160 option. However, some of these are dynamically created at 161 runtime, or can be modified after the kernel has started up. 162 To provide an additional layer of security, route all of these 163 calls through a single executable that can not have its name 164 changed. 165 166 Note, it is up to this single binary to then call the relevant 167 "real" usermode helper binary, based on the first argument 168 passed to it. If desired, this program can filter and pick 169 and choose what real programs are called. 170 171 If you wish for all usermode helper programs are to be 172 disabled, choose this option and then set 173 STATIC_USERMODEHELPER_PATH to an empty string. 174 175config STATIC_USERMODEHELPER_PATH 176 string "Path to the static usermode helper binary" 177 depends on STATIC_USERMODEHELPER 178 default "/sbin/usermode-helper" 179 help 180 The binary called by the kernel when any usermode helper 181 program is wish to be run. The "real" application's name will 182 be in the first argument passed to this program on the command 183 line. 184 185 If you wish for all usermode helper programs to be disabled, 186 specify an empty string here (i.e. ""). 187 188source "security/selinux/Kconfig" 189source "security/smack/Kconfig" 190source "security/tomoyo/Kconfig" 191source "security/apparmor/Kconfig" 192source "security/loadpin/Kconfig" 193source "security/yama/Kconfig" 194source "security/safesetid/Kconfig" 195source "security/lockdown/Kconfig" 196source "security/landlock/Kconfig" 197 198source "security/integrity/Kconfig" 199 200choice 201 prompt "First legacy 'major LSM' to be initialized" 202 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX 203 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK 204 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO 205 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR 206 default DEFAULT_SECURITY_DAC 207 208 help 209 This choice is there only for converting CONFIG_DEFAULT_SECURITY 210 in old kernel configs to CONFIG_LSM in new kernel configs. Don't 211 change this choice unless you are creating a fresh kernel config, 212 for this choice will be ignored after CONFIG_LSM has been set. 213 214 Selects the legacy "major security module" that will be 215 initialized first. Overridden by non-default CONFIG_LSM. 216 217 config DEFAULT_SECURITY_SELINUX 218 bool "SELinux" if SECURITY_SELINUX=y 219 220 config DEFAULT_SECURITY_SMACK 221 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y 222 223 config DEFAULT_SECURITY_TOMOYO 224 bool "TOMOYO" if SECURITY_TOMOYO=y 225 226 config DEFAULT_SECURITY_APPARMOR 227 bool "AppArmor" if SECURITY_APPARMOR=y 228 229 config DEFAULT_SECURITY_DAC 230 bool "Unix Discretionary Access Controls" 231 232endchoice 233 234config LSM 235 string "Ordered list of enabled LSMs" 236 default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK 237 default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR 238 default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO 239 default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC 240 default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" 241 help 242 A comma-separated list of LSMs, in initialization order. 243 Any LSMs left off this list, except for those with order 244 LSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabled 245 if selected in the kernel configuration, will be ignored. 246 This can be controlled at boot with the "lsm=" parameter. 247 248 If unsure, leave this as the default. 249 250source "security/Kconfig.hardening" 251 252endmenu 253 254