1*000d388eSMatthew Garrettconfig SECURITY_LOCKDOWN_LSM 2*000d388eSMatthew Garrett bool "Basic module for enforcing kernel lockdown" 3*000d388eSMatthew Garrett depends on SECURITY 4*000d388eSMatthew Garrett help 5*000d388eSMatthew Garrett Build support for an LSM that enforces a coarse kernel lockdown 6*000d388eSMatthew Garrett behaviour. 7*000d388eSMatthew Garrett 8*000d388eSMatthew Garrettconfig SECURITY_LOCKDOWN_LSM_EARLY 9*000d388eSMatthew Garrett bool "Enable lockdown LSM early in init" 10*000d388eSMatthew Garrett depends on SECURITY_LOCKDOWN_LSM 11*000d388eSMatthew Garrett help 12*000d388eSMatthew Garrett Enable the lockdown LSM early in boot. This is necessary in order 13*000d388eSMatthew Garrett to ensure that lockdown enforcement can be carried out on kernel 14*000d388eSMatthew Garrett boot parameters that are otherwise parsed before the security 15*000d388eSMatthew Garrett subsystem is fully initialised. If enabled, lockdown will 16*000d388eSMatthew Garrett unconditionally be called before any other LSMs. 17*000d388eSMatthew Garrett 18*000d388eSMatthew Garrettchoice 19*000d388eSMatthew Garrett prompt "Kernel default lockdown mode" 20*000d388eSMatthew Garrett default LOCK_DOWN_KERNEL_FORCE_NONE 21*000d388eSMatthew Garrett depends on SECURITY_LOCKDOWN_LSM 22*000d388eSMatthew Garrett help 23*000d388eSMatthew Garrett The kernel can be configured to default to differing levels of 24*000d388eSMatthew Garrett lockdown. 25*000d388eSMatthew Garrett 26*000d388eSMatthew Garrettconfig LOCK_DOWN_KERNEL_FORCE_NONE 27*000d388eSMatthew Garrett bool "None" 28*000d388eSMatthew Garrett help 29*000d388eSMatthew Garrett No lockdown functionality is enabled by default. Lockdown may be 30*000d388eSMatthew Garrett enabled via the kernel commandline or /sys/kernel/security/lockdown. 31*000d388eSMatthew Garrett 32*000d388eSMatthew Garrettconfig LOCK_DOWN_KERNEL_FORCE_INTEGRITY 33*000d388eSMatthew Garrett bool "Integrity" 34*000d388eSMatthew Garrett help 35*000d388eSMatthew Garrett The kernel runs in integrity mode by default. Features that allow 36*000d388eSMatthew Garrett the kernel to be modified at runtime are disabled. 37*000d388eSMatthew Garrett 38*000d388eSMatthew Garrettconfig LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY 39*000d388eSMatthew Garrett bool "Confidentiality" 40*000d388eSMatthew Garrett help 41*000d388eSMatthew Garrett The kernel runs in confidentiality mode by default. Features that 42*000d388eSMatthew Garrett allow the kernel to be modified at runtime or that permit userland 43*000d388eSMatthew Garrett code to read confidential material held inside the kernel are 44*000d388eSMatthew Garrett disabled. 45*000d388eSMatthew Garrett 46*000d388eSMatthew Garrettendchoice 47