linux/security/Kconfig
   1# SPDX-License-Identifier: GPL-2.0-only
   2#
   3# Security configuration
   4#
   5
   6menu "Security options"
   7
   8source "security/keys/Kconfig"
   9
  10config SECURITY_DMESG_RESTRICT
  11        bool "Restrict unprivileged access to the kernel syslog"
  12        default n
  13        help
  14          This enforces restrictions on unprivileged users reading the kernel
  15          syslog via dmesg(8).
  16
  17          If this option is not selected, no restrictions will be enforced
  18          unless the dmesg_restrict sysctl is explicitly set to (1).
  19
  20          If you are unsure how to answer this question, answer N.
  21
  22config SECURITY
  23        bool "Enable different security models"
  24        depends on SYSFS
  25        depends on MULTIUSER
  26        help
  27          This allows you to choose different security modules to be
  28          configured into your kernel.
  29
  30          If this option is not selected, the default Linux security
  31          model will be used.
  32
  33          If you are unsure how to answer this question, answer N.
  34
  35config SECURITY_WRITABLE_HOOKS
  36        depends on SECURITY
  37        bool
  38        default n
  39
  40config SECURITYFS
  41        bool "Enable the securityfs filesystem"
  42        help
  43          This will build the securityfs filesystem.  It is currently used by
  44          various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM).
  45
  46          If you are unsure how to answer this question, answer N.
  47
  48config SECURITY_NETWORK
  49        bool "Socket and Networking Security Hooks"
  50        depends on SECURITY
  51        help
  52          This enables the socket and networking security hooks.
  53          If enabled, a security module can use these hooks to
  54          implement socket and networking access controls.
  55          If you are unsure how to answer this question, answer N.
  56
  57config PAGE_TABLE_ISOLATION
  58        bool "Remove the kernel mapping in user mode"
  59        default y
  60        depends on (X86_64 || X86_PAE) && !UML
  61        help
  62          This feature reduces the number of hardware side channels by
  63          ensuring that the majority of kernel addresses are not mapped
  64          into userspace.
  65
  66          See Documentation/x86/pti.rst for more details.
  67
  68config SECURITY_INFINIBAND
  69        bool "Infiniband Security Hooks"
  70        depends on SECURITY && INFINIBAND
  71        help
  72          This enables the Infiniband security hooks.
  73          If enabled, a security module can use these hooks to
  74          implement Infiniband access controls.
  75          If you are unsure how to answer this question, answer N.
  76
  77config SECURITY_NETWORK_XFRM
  78        bool "XFRM (IPSec) Networking Security Hooks"
  79        depends on XFRM && SECURITY_NETWORK
  80        help
  81          This enables the XFRM (IPSec) networking security hooks.
  82          If enabled, a security module can use these hooks to
  83          implement per-packet access controls based on labels
  84          derived from IPSec policy.  Non-IPSec communications are
  85          designated as unlabelled, and only sockets authorized
  86          to communicate unlabelled data can send without using
  87          IPSec.
  88          If you are unsure how to answer this question, answer N.
  89
  90config SECURITY_PATH
  91        bool "Security hooks for pathname based access control"
  92        depends on SECURITY
  93        help
  94          This enables the security hooks for pathname based access control.
  95          If enabled, a security module can use these hooks to
  96          implement pathname based access controls.
  97          If you are unsure how to answer this question, answer N.
  98
  99config INTEL_TXT
 100        bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
 101        depends on HAVE_INTEL_TXT
 102        help
 103          This option enables support for booting the kernel with the
 104          Trusted Boot (tboot) module. This will utilize
 105          Intel(R) Trusted Execution Technology to perform a measured launch
 106          of the kernel. If the system does not support Intel(R) TXT, this
 107          will have no effect.
 108
 109          Intel TXT will provide higher assurance of system configuration and
 110          initial state as well as data reset protection.  This is used to
 111          create a robust initial kernel measurement and verification, which
 112          helps to ensure that kernel security mechanisms are functioning
 113          correctly. This level of protection requires a root of trust outside
 114          of the kernel itself.
 115
 116          Intel TXT also helps solve real end user concerns about having
 117          confidence that their hardware is running the VMM or kernel that
 118          it was configured with, especially since they may be responsible for
 119          providing such assurances to VMs and services running on it.
 120
 121          See <http://www.intel.com/technology/security/> for more information
 122          about Intel(R) TXT.
 123          See <http://tboot.sourceforge.net> for more information about tboot.
 124          See Documentation/x86/intel_txt.rst for a description of how to enable
 125          Intel TXT support in a kernel boot.
 126
 127          If you are unsure as to whether this is required, answer N.
 128
 129config LSM_MMAP_MIN_ADDR
 130        int "Low address space for LSM to protect from user allocation"
 131        depends on SECURITY && SECURITY_SELINUX
 132        default 32768 if ARM || (ARM64 && COMPAT)
 133        default 65536
 134        help
 135          This is the portion of low virtual memory which should be protected
 136          from userspace allocation.  Keeping a user from writing to low pages
 137          can help reduce the impact of kernel NULL pointer bugs.
 138
 139          For most ia64, ppc64 and x86 users with lots of address space
 140          a value of 65536 is reasonable and should cause no problems.
 141          On arm and other archs it should not be higher than 32768.
  142          Programs which use vm86 functionality or have some need to map
  143          this low address space will need the permission specific to the
  144          LSM running on the system.
 145
 146config HAVE_HARDENED_USERCOPY_ALLOCATOR
 147        bool
 148        help
 149          The heap allocator implements __check_heap_object() for
 150          validating memory ranges against heap object sizes in
 151          support of CONFIG_HARDENED_USERCOPY.
 152
 153config HARDENED_USERCOPY
 154        bool "Harden memory copies between kernel and userspace"
 155        depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
 156        imply STRICT_DEVMEM
 157        help
 158          This option checks for obviously wrong memory regions when
 159          copying memory to/from the kernel (via copy_to_user() and
 160          copy_from_user() functions) by rejecting memory ranges that
 161          are larger than the specified heap object, span multiple
 162          separately allocated pages, are not on the process stack,
 163          or are part of the kernel text. This kills entire classes
 164          of heap overflow exploits and similar kernel memory exposures.
 165
 166config HARDENED_USERCOPY_FALLBACK
 167        bool "Allow usercopy whitelist violations to fallback to object size"
 168        depends on HARDENED_USERCOPY
 169        default y
 170        help
 171          This is a temporary option that allows missing usercopy whitelists
 172          to be discovered via a WARN() to the kernel log, instead of
 173          rejecting the copy, falling back to non-whitelisted hardened
 174          usercopy that checks the slab allocation size instead of the
 175          whitelist size. This option will be removed once it seems like
 176          all missing usercopy whitelists have been identified and fixed.
 177          Booting with "slab_common.usercopy_fallback=Y/N" can change
 178          this setting.
 179
 180config HARDENED_USERCOPY_PAGESPAN
 181        bool "Refuse to copy allocations that span multiple pages"
 182        depends on HARDENED_USERCOPY
 183        depends on EXPERT
 184        help
 185          When a multi-page allocation is done without __GFP_COMP,
 186          hardened usercopy will reject attempts to copy it. There are,
 187          however, several cases of this in the kernel that have not all
 188          been removed. This config is intended to be used only while
 189          trying to find such users.
 190
 191config FORTIFY_SOURCE
 192        bool "Harden common str/mem functions against buffer overflows"
 193        depends on ARCH_HAS_FORTIFY_SOURCE
 194        help
 195          Detect overflows of buffers in common string and memory functions
 196          where the compiler can determine and validate the buffer sizes.
 197
 198config STATIC_USERMODEHELPER
 199        bool "Force all usermode helper calls through a single binary"
 200        help
 201          By default, the kernel can call many different userspace
 202          binary programs through the "usermode helper" kernel
 203          interface.  Some of these binaries are statically defined
 204          either in the kernel code itself, or as a kernel configuration
 205          option.  However, some of these are dynamically created at
 206          runtime, or can be modified after the kernel has started up.
 207          To provide an additional layer of security, route all of these
 208          calls through a single executable that can not have its name
 209          changed.
 210
 211          Note, it is up to this single binary to then call the relevant
 212          "real" usermode helper binary, based on the first argument
 213          passed to it.  If desired, this program can filter and pick
 214          and choose what real programs are called.
 215
  216          If you wish for all usermode helper programs to be
  217          disabled, choose this option and then set
  218          STATIC_USERMODEHELPER_PATH to an empty string.
 219
 220config STATIC_USERMODEHELPER_PATH
 221        string "Path to the static usermode helper binary"
 222        depends on STATIC_USERMODEHELPER
 223        default "/sbin/usermode-helper"
 224        help
  225          The binary called by the kernel when any usermode helper
  226          program is requested to be run.  The "real" application's name
  227          will be in the first argument passed to this program on the
  228          command line.
 229
 230          If you wish for all usermode helper programs to be disabled,
 231          specify an empty string here (i.e. "").
 232
 233source "security/selinux/Kconfig"
 234source "security/smack/Kconfig"
 235source "security/tomoyo/Kconfig"
 236source "security/apparmor/Kconfig"
 237source "security/loadpin/Kconfig"
 238source "security/yama/Kconfig"
 239source "security/safesetid/Kconfig"
 240source "security/lockdown/Kconfig"
 241
 242source "security/integrity/Kconfig"
 243
 244choice
 245        prompt "First legacy 'major LSM' to be initialized"
 246        default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
 247        default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 248        default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 249        default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
 250        default DEFAULT_SECURITY_DAC
 251
 252        help
 253          This choice is there only for converting CONFIG_DEFAULT_SECURITY
 254          in old kernel configs to CONFIG_LSM in new kernel configs. Don't
 255          change this choice unless you are creating a fresh kernel config,
 256          for this choice will be ignored after CONFIG_LSM has been set.
 257
 258          Selects the legacy "major security module" that will be
 259          initialized first. Overridden by non-default CONFIG_LSM.
 260
 261        config DEFAULT_SECURITY_SELINUX
 262                bool "SELinux" if SECURITY_SELINUX=y
 263
 264        config DEFAULT_SECURITY_SMACK
 265                bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
 266
 267        config DEFAULT_SECURITY_TOMOYO
 268                bool "TOMOYO" if SECURITY_TOMOYO=y
 269
 270        config DEFAULT_SECURITY_APPARMOR
 271                bool "AppArmor" if SECURITY_APPARMOR=y
 272
 273        config DEFAULT_SECURITY_DAC
 274                bool "Unix Discretionary Access Controls"
 275
 276endchoice
 277
 278config LSM
 279        string "Ordered list of enabled LSMs"
 280        default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
 281        default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
 282        default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
 283        default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
 284        default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 285        help
 286          A comma-separated list of LSMs, in initialization order.
 287          Any LSMs left off this list will be ignored. This can be
 288          controlled at boot with the "lsm=" parameter.
 289
 290          If unsure, leave this as the default.
 291
 292source "security/Kconfig.hardening"
 293
 294endmenu
 295
 296