linux/security/Kconfig
<<
>>
Prefs 
   1#
   2# Security configuration
   3#
   4
   5menu "Security options"
   6
   7config KEYS
   8        bool "Enable access key retention support"
   9        help
  10          This option provides support for retaining authentication tokens and
  11          access keys in the kernel.
  12
  13          It also includes provision of methods by which such keys might be
  14          associated with a process so that network filesystems, encryption
  15          support and the like can find them.
  16
  17          Furthermore, a special type of key is available that acts as keyring:
  18          a searchable sequence of keys. Each process is equipped with access
  19          to five standard keyrings: UID-specific, GID-specific, session,
  20          process and thread.
  21
  22          If you are unsure as to whether this is required, answer N.
  23
  24config KEYS_DEBUG_PROC_KEYS
  25        bool "Enable the /proc/keys file by which keys may be viewed"
  26        depends on KEYS
  27        help
  28          This option turns on support for the /proc/keys file - through which
  29          can be listed all the keys on the system that are viewable by the
  30          reading process.
  31
  32          The only keys included in the list are those that grant View
  33          permission to the reading process whether or not it possesses them.
  34          Note that LSM security checks are still performed, and may further
  35          filter out keys that the current process is not authorised to view.
  36
  37          Only key attributes are listed here; key payloads are not included in
  38          the resulting table.
  39
  40          If you are unsure as to whether this is required, answer N.
  41
  42config SECURITY
  43        bool "Enable different security models"
  44        depends on SYSFS
  45        help
  46          This allows you to choose different security modules to be
  47          configured into your kernel.
  48
  49          If this option is not selected, the default Linux security
  50          model will be used.
  51
  52          If you are unsure how to answer this question, answer N.
  53
  54config SECURITYFS
  55        bool "Enable the securityfs filesystem"
  56        help
  57          This will build the securityfs filesystem.  It is currently used by
  58          the TPM bios character driver and IMA, an integrity provider.  It is
  59          not used by SELinux or SMACK.
  60
  61          If you are unsure how to answer this question, answer N.
  62
  63config SECURITY_NETWORK
  64        bool "Socket and Networking Security Hooks"
  65        depends on SECURITY
  66        help
  67          This enables the socket and networking security hooks.
  68          If enabled, a security module can use these hooks to
  69          implement socket and networking access controls.
  70          If you are unsure how to answer this question, answer N.
  71
  72config SECURITY_NETWORK_XFRM
  73        bool "XFRM (IPSec) Networking Security Hooks"
  74        depends on XFRM && SECURITY_NETWORK
  75        help
  76          This enables the XFRM (IPSec) networking security hooks.
  77          If enabled, a security module can use these hooks to
  78          implement per-packet access controls based on labels
  79          derived from IPSec policy.  Non-IPSec communications are
  80          designated as unlabelled, and only sockets authorized
  81          to communicate unlabelled data can send without using
  82          IPSec.
  83          If you are unsure how to answer this question, answer N.
  84
  85config SECURITY_PATH
  86        bool "Security hooks for pathname based access control"
  87        depends on SECURITY
  88        help
  89          This enables the security hooks for pathname based access control.
  90          If enabled, a security module can use these hooks to
  91          implement pathname based access controls.
  92          If you are unsure how to answer this question, answer N.
  93
  94config SECURITY_FILE_CAPABILITIES
  95        bool "File POSIX Capabilities"
  96        default n
  97        help
  98          This enables filesystem capabilities, allowing you to give
  99          binaries a subset of root's powers without using setuid 0.
 100
 101          If in doubt, answer N.
 102
 103config SECURITY_ROOTPLUG
 104        bool "Root Plug Support"
 105        depends on USB=y && SECURITY
 106        help
 107          This is a sample LSM module that should only be used as such.
 108          It prevents any programs running with egid == 0 if a specific
 109          USB device is not present in the system.
 110
 111          See <http://www.linuxjournal.com/article.php?sid=6279> for
 112          more information about this module.
 113
 114          If you are unsure how to answer this question, answer N.
 115
 116config INTEL_TXT
 117        bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
 118        depends on HAVE_INTEL_TXT
 119        help
 120          This option enables support for booting the kernel with the
 121          Trusted Boot (tboot) module. This will utilize
 122          Intel(R) Trusted Execution Technology to perform a measured launch
 123          of the kernel. If the system does not support Intel(R) TXT, this
 124          will have no effect.
 125
 126          Intel TXT will provide higher assurance of system configuration and
 127          initial state as well as data reset protection.  This is used to
 128          create a robust initial kernel measurement and verification, which
 129          helps to ensure that kernel security mechanisms are functioning
 130          correctly. This level of protection requires a root of trust outside
 131          of the kernel itself.
 132
 133          Intel TXT also helps solve real end user concerns about having
 134          confidence that their hardware is running the VMM or kernel that
 135          it was configured with, especially since they may be responsible for
 136          providing such assurances to VMs and services running on it.
 137
 138          See <http://www.intel.com/technology/security/> for more information
 139          about Intel(R) TXT.
 140          See <http://tboot.sourceforge.net> for more information about tboot.
 141          See Documentation/intel_txt.txt for a description of how to enable
 142          Intel TXT support in a kernel boot.
 143
 144          If you are unsure as to whether this is required, answer N.
 145
 146config LSM_MMAP_MIN_ADDR
 147        int "Low address space for LSM to protect from user allocation"
 148        depends on SECURITY && SECURITY_SELINUX
 149        default 65536
 150        help
 151          This is the portion of low virtual memory which should be protected
 152          from userspace allocation.  Keeping a user from writing to low pages
 153          can help reduce the impact of kernel NULL pointer bugs.
 154
 155          For most ia64, ppc64 and x86 users with lots of address space
 156          a value of 65536 is reasonable and should cause no problems.
 157          On arm and other archs it should not be higher than 32768.
 158          Programs which use vm86 functionality or have some need to map
 159          this low address space will need the permission specific to the
 160          systems running LSM.
 161
 162source security/selinux/Kconfig
 163source security/smack/Kconfig
 164source security/tomoyo/Kconfig
 165
 166source security/integrity/ima/Kconfig
 167
 168endmenu
 169
 170
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.