[mirror_ubuntu-artful-kernel.git] / security / Kconfig

#
# Security configuration
#

menu "Security options"

source security/keys/Kconfig

config SECURITY_DMESG_RESTRICT
	bool "Restrict unprivileged access to the kernel syslog"
	default n
	help
	  This enforces restrictions on unprivileged users reading the kernel
	  syslog via dmesg(8).

	  If this option is not selected, no restrictions will be enforced
	  unless the dmesg_restrict sysctl is explicitly set to (1).

	  If you are unsure how to answer this question, answer N.

config SECURITY_PERF_EVENTS_RESTRICT
	bool "Restrict unprivileged use of performance events"
	depends on PERF_EVENTS
	help
	  If you say Y here, the kernel.perf_event_paranoid sysctl
	  will be set to 3 by default, and no unprivileged use of the
	  perf_event_open syscall will be permitted unless it is
	  changed.

config SECURITY
	bool "Enable different security models"
	depends on SYSFS
	depends on MULTIUSER
	help
	  This allows you to choose different security modules to be
	  configured into your kernel.

	  If this option is not selected, the default Linux security
	  model will be used.

	  If you are unsure how to answer this question, answer N.

config SECURITY_WRITABLE_HOOKS
	depends on SECURITY
	bool
	default n

config SECURITY_STACKING
	bool "Security module stacking"
	depends on SECURITY
	help
	  Allows multiple major security modules to be stacked.
	  Modules are invoked in the order registered with a
	  "bail on fail" policy, in which the infrastructure
	  will stop processing once a denial is detected. Not
	  all modules can be stacked. SELinux and Smack are
	  known to be incompatible. User space components may
	  have trouble identifying the security module providing
	  data in some cases.

	  If you select this option you will have to select which
	  of the stackable modules you wish to be active. The
	  "Default security module" will be ignored. The boot line
	  "security=" option can be used to specify that one of
	  the modules identifed for stacking should be used instead
	  of the entire stack.

	  If you are unsure how to answer this question, answer N.

config SECURITY_LSM_DEBUG
	bool "Enable debugging of the LSM infrastructure"
	depends on SECURITY
	help
	  This allows you to choose debug messages related to
	  security modules configured into your kernel. These
	  messages may be helpful in determining how a security
	  module is using security blobs.

	  If you are unsure how to answer this question, answer N.

config SECURITYFS
	bool "Enable the securityfs filesystem"
	help
	  This will build the securityfs filesystem.  It is currently used by
	  the TPM bios character driver and IMA, an integrity provider.  It is
	  not used by SELinux or SMACK.

	  If you are unsure how to answer this question, answer N.

config SECURITY_NETWORK
	bool "Socket and Networking Security Hooks"
	depends on SECURITY
	help
	  This enables the socket and networking security hooks.
	  If enabled, a security module can use these hooks to
	  implement socket and networking access controls.
	  If you are unsure how to answer this question, answer N.

config SECURITY_INFINIBAND
	bool "Infiniband Security Hooks"
	depends on SECURITY && INFINIBAND
	help
	  This enables the Infiniband security hooks.
	  If enabled, a security module can use these hooks to
	  implement Infiniband access controls.
	  If you are unsure how to answer this question, answer N.

config SECURITY_NETWORK_XFRM
	bool "XFRM (IPSec) Networking Security Hooks"
	depends on XFRM && SECURITY_NETWORK
	help
	  This enables the XFRM (IPSec) networking security hooks.
	  If enabled, a security module can use these hooks to
	  implement per-packet access controls based on labels
	  derived from IPSec policy.  Non-IPSec communications are
	  designated as unlabelled, and only sockets authorized
	  to communicate unlabelled data can send without using
	  IPSec.
	  If you are unsure how to answer this question, answer N.

config SECURITY_PATH
	bool "Security hooks for pathname based access control"
	depends on SECURITY
	help
	  This enables the security hooks for pathname based access control.
	  If enabled, a security module can use these hooks to
	  implement pathname based access controls.
	  If you are unsure how to answer this question, answer N.

config INTEL_TXT
	bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
	depends on HAVE_INTEL_TXT
	help
	  This option enables support for booting the kernel with the
	  Trusted Boot (tboot) module. This will utilize
	  Intel(R) Trusted Execution Technology to perform a measured launch
	  of the kernel. If the system does not support Intel(R) TXT, this
	  will have no effect.

	  Intel TXT will provide higher assurance of system configuration and
	  initial state as well as data reset protection.  This is used to
	  create a robust initial kernel measurement and verification, which
	  helps to ensure that kernel security mechanisms are functioning
	  correctly. This level of protection requires a root of trust outside
	  of the kernel itself.

	  Intel TXT also helps solve real end user concerns about having
	  confidence that their hardware is running the VMM or kernel that
	  it was configured with, especially since they may be responsible for
	  providing such assurances to VMs and services running on it.

	  See <http://www.intel.com/technology/security/> for more information
	  about Intel(R) TXT.
	  See <http://tboot.sourceforge.net> for more information about tboot.
	  See Documentation/intel_txt.txt for a description of how to enable
	  Intel TXT support in a kernel boot.

	  If you are unsure as to whether this is required, answer N.

config LSM_MMAP_MIN_ADDR
	int "Low address space for LSM to protect from user allocation"
	depends on SECURITY && SECURITY_SELINUX
	default 32768 if ARM || (ARM64 && COMPAT)
	default 65536
	help
	  This is the portion of low virtual memory which should be protected
	  from userspace allocation.  Keeping a user from writing to low pages
	  can help reduce the impact of kernel NULL pointer bugs.

	  For most ia64, ppc64 and x86 users with lots of address space
	  a value of 65536 is reasonable and should cause no problems.
	  On arm and other archs it should not be higher than 32768.
	  Programs which use vm86 functionality or have some need to map
	  this low address space will need the permission specific to the
	  systems running LSM.

config HAVE_HARDENED_USERCOPY_ALLOCATOR
	bool
	help
	  The heap allocator implements __check_heap_object() for
	  validating memory ranges against heap object sizes in
	  support of CONFIG_HARDENED_USERCOPY.

config HARDENED_USERCOPY
	bool "Harden memory copies between kernel and userspace"
	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
	select BUG
	help
	  This option checks for obviously wrong memory regions when
	  copying memory to/from the kernel (via copy_to_user() and
	  copy_from_user() functions) by rejecting memory ranges that
	  are larger than the specified heap object, span multiple
	  separately allocated pages, are not on the process stack,
	  or are part of the kernel text. This kills entire classes
	  of heap overflow exploits and similar kernel memory exposures.

config HARDENED_USERCOPY_PAGESPAN
	bool "Refuse to copy allocations that span multiple pages"
	depends on HARDENED_USERCOPY
	depends on EXPERT
	help
	  When a multi-page allocation is done without __GFP_COMP,
	  hardened usercopy will reject attempts to copy it. There are,
	  however, several cases of this in the kernel that have not all
	  been removed. This config is intended to be used only while
	  trying to find such users.

config FORTIFY_SOURCE
	bool "Harden common str/mem functions against buffer overflows"
	depends on ARCH_HAS_FORTIFY_SOURCE
	help
	  Detect overflows of buffers in common string and memory functions
	  where the compiler can determine and validate the buffer sizes.

config STATIC_USERMODEHELPER
	bool "Force all usermode helper calls through a single binary"
	help
	  By default, the kernel can call many different userspace
	  binary programs through the "usermode helper" kernel
	  interface.  Some of these binaries are statically defined
	  either in the kernel code itself, or as a kernel configuration
	  option.  However, some of these are dynamically created at
	  runtime, or can be modified after the kernel has started up.
	  To provide an additional layer of security, route all of these
	  calls through a single executable that can not have its name
	  changed.

	  Note, it is up to this single binary to then call the relevant
	  "real" usermode helper binary, based on the first argument
	  passed to it.  If desired, this program can filter and pick
	  and choose what real programs are called.

	  If you wish for all usermode helper programs are to be
	  disabled, choose this option and then set
	  STATIC_USERMODEHELPER_PATH to an empty string.

config STATIC_USERMODEHELPER_PATH
	string "Path to the static usermode helper binary"
	depends on STATIC_USERMODEHELPER
	default "/sbin/usermode-helper"
	help
	  The binary called by the kernel when any usermode helper
	  program is wish to be run.  The "real" application's name will
	  be in the first argument passed to this program on the command
	  line.

	  If you wish for all usermode helper programs to be disabled,
	  specify an empty string here (i.e. "").

config LOCK_DOWN_KERNEL
	bool "Allow the kernel to be 'locked down'"
	help
	  Allow the kernel to be locked down under certain circumstances, for
	  instance if UEFI secure boot is enabled.  Locking down the kernel
	  turns off various features that might otherwise allow access to the
	  kernel image (eg. setting MSR registers).

config ALLOW_LOCKDOWN_LIFT
	bool
	help
	  Allow the lockdown on a kernel to be lifted, thereby restoring the
	  ability of userspace to access the kernel image (eg. by SysRq+x under
	  x86).

source security/selinux/Kconfig
source security/smack/Kconfig
source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/loadpin/Kconfig
source security/yama/Kconfig

source security/integrity/Kconfig

menu "Security Module Selection"
	visible if !SECURITY_STACKING

choice
	prompt "Default security module"
	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
	default DEFAULT_SECURITY_DAC

	help
	  Select the security module that will be used by default if the
	  kernel parameter security= is not specified.

	config DEFAULT_SECURITY_SELINUX
		bool "SELinux" if SECURITY_SELINUX=y

	config DEFAULT_SECURITY_SMACK
		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y

	config DEFAULT_SECURITY_TOMOYO
		bool "TOMOYO" if SECURITY_TOMOYO=y

	config DEFAULT_SECURITY_APPARMOR
		bool "AppArmor" if SECURITY_APPARMOR=y

	config DEFAULT_SECURITY_DAC
		bool "Unix Discretionary Access Controls"

endchoice

config DEFAULT_SECURITY
	string
	default "selinux" if DEFAULT_SECURITY_SELINUX
	default "smack" if DEFAULT_SECURITY_SMACK
	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
	default "apparmor" if DEFAULT_SECURITY_APPARMOR
	default "" if DEFAULT_SECURITY_DAC

endmenu

menu "Security Module Stack"
	visible if SECURITY_STACKING

choice
	prompt "mutually exclusive LSMs"
	default SECURITY_NO_EXCLUSIVE_LSM

	config SECURITY_NO_EXCLUSIVE_LSM
		bool "none"
		help
		  Do no add an LSM to is mutually exclusive to the stack."
	config SECURITY_SELINUX_STACKED
		bool "SELinux" if SECURITY_SELINUX=y
		help
		  Add the SELinux security module to the stack.
		  Please be sure your user space code is accomodating of
		  this security module.
		  Ensure that your network configuration is compatible
		  with your combination of security modules.

		  Incompatible with Smack being stacked.

		  If you are unsure how to answer this question, answer N.

	config SECURITY_SMACK_STACKED
		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
		help
		  Add the Smack security module to the stack.
		  Please be sure your user space code is accomodating of
		  this security module.
		  Ensure that your network configuration is compatible
		  with your combination of security modules.

		  Incompatible with SeLinux being stacked.

		  If you are unsure how to answer this question, answer N.
endchoice

config SECURITY_TOMOYO_STACKED
	bool "TOMOYO support is enabled by default"
	depends on SECURITY_TOMOYO && SECURITY_STACKING
	default n
	help
	  This option instructs the system to use the TOMOYO checks.
	  If not selected the module will not be invoked.
	  Stacked security modules may interact in unexpected ways.
	  Please be sure your user space code is accomodating of
	  multiple security modules.

	  If you are unsure how to answer this question, answer N.

config SECURITY_APPARMOR_STACKED
	bool "AppArmor support is enabled by default"
	depends on SECURITY_APPARMOR && SECURITY_STACKING
	default n
	help
	  This option instructs the system to use the AppArmor checks.
	  If not selected the module will not be invoked.
	  Stacked security modules may interact in unexpected ways.
	  Please be sure your user space code is accomodating of
	  multiple security modules.

	  If you are unsure how to answer this question, answer N.

choice
	prompt "Default LSM for legacy interfaces"
	default SECURITY_DEFAULT_DISPLAY_SELINUX if SECURITY_SELINUX_STACKED
	default SECURITY_DEFAULT_DISPLAY_SMACK if SECURITY_SMACK_STACKED
	default SECURITY_DEFAULT_DISPLAY_TOMOYO if SECURITY_TOMOYO_STACKED
	default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED
	default SECURITY_DEFAULT_DISPLAY_FIRST

	help
	  Select the security module context that will be displayed by
          default on legacy interfaces if the kernel parameter
          security.display= is not specified.

	config SECURITY_DEFAULT_DISPLAY_SELINUX
		bool "SELinux" if SECURITY_SELINUX=y

	config SECURITY_DEFAULT_DISPLAY_SMACK
		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y

	config SECURITY_DEFAULT_DISPLAY_TOMOYO
		bool "TOMOYO" if SECURITY_TOMOYO=y

	config SECURITY_DEFAULT_DISPLAY_APPARMOR
		bool "AppArmor" if SECURITY_APPARMOR=y

	config SECURITY_DEFAULT_DISPLAY_FIRST
		bool "First security module to register"

endchoice

config SECURITY_DEFAULT_DISPLAY_NAME
	string
	default "selinux" if SECURITY_DEFAULT_DISPLAY_SELINUX
	default "smack" if SECURITY_DEFAULT_DISPLAY_SMACK
	default "tomoyo" if SECURITY_DEFAULT_DISPLAY_TOMOYO
	default "apparmor" if SECURITY_DEFAULT_DISPLAY_APPARMOR
	default "" if SECURITY_DEFAULT_DISPLAY_FIRST

endmenu

endmenu
Commit	Line	Data
1da177e4 LT	1	#
	2	# Security configuration
	3	#
	4
	5	menu "Security options"
	6
f0894940	7	source security/keys/Kconfig
1da177e4	8
eaf06b24 DR	9	config SECURITY_DMESG_RESTRICT
	10	bool "Restrict unprivileged access to the kernel syslog"
	11	default n
	12	help
	13	This enforces restrictions on unprivileged users reading the kernel
	14	syslog via dmesg(8).
	15
	16	If this option is not selected, no restrictions will be enforced
	17	unless the dmesg_restrict sysctl is explicitly set to (1).
	18
	19	If you are unsure how to answer this question, answer N.
	20
cc58fdf5 BH	21	config SECURITY_PERF_EVENTS_RESTRICT
	22	bool "Restrict unprivileged use of performance events"
	23	depends on PERF_EVENTS
	24	help
	25	If you say Y here, the kernel.perf_event_paranoid sysctl
	26	will be set to 3 by default, and no unprivileged use of the
	27	perf_event_open syscall will be permitted unless it is
	28	changed.
	29
1da177e4 LT	30	config SECURITY
1da177e4 LT	31	bool "Enable different security models"
2c40579b	32	depends on SYSFS
2813893f	33	depends on MULTIUSER
1da177e4 LT	34	help
	35	This allows you to choose different security modules to be
	36	configured into your kernel.
	37
	38	If this option is not selected, the default Linux security
	39	model will be used.
	40
	41	If you are unsure how to answer this question, answer N.
	42
dd0859dc JM	43	config SECURITY_WRITABLE_HOOKS
	44	depends on SECURITY
	45	bool
	46	default n
	47
a3c3cde2 CS	48	config SECURITY_STACKING
	49	bool "Security module stacking"
	50	depends on SECURITY
	51	help
	52	Allows multiple major security modules to be stacked.
	53	Modules are invoked in the order registered with a
	54	"bail on fail" policy, in which the infrastructure
	55	will stop processing once a denial is detected. Not
	56	all modules can be stacked. SELinux and Smack are
	57	known to be incompatible. User space components may
	58	have trouble identifying the security module providing
	59	data in some cases.
	60
	61	If you select this option you will have to select which
	62	of the stackable modules you wish to be active. The
	63	"Default security module" will be ignored. The boot line
	64	"security=" option can be used to specify that one of
	65	the modules identifed for stacking should be used instead
	66	of the entire stack.
	67
	68	If you are unsure how to answer this question, answer N.
	69
98738d70 CS	70	config SECURITY_LSM_DEBUG
	71	bool "Enable debugging of the LSM infrastructure"
	72	depends on SECURITY
	73	help
	74	This allows you to choose debug messages related to
	75	security modules configured into your kernel. These
	76	messages may be helpful in determining how a security
	77	module is using security blobs.
	78
	79	If you are unsure how to answer this question, answer N.
	80
da31894e EP	81	config SECURITYFS
	82	bool "Enable the securityfs filesystem"
	83	help
	84	This will build the securityfs filesystem. It is currently used by
3323eec9 MZ	85	the TPM bios character driver and IMA, an integrity provider. It is
3323eec9 MZ	86	not used by SELinux or SMACK.
da31894e EP	87
	88	If you are unsure how to answer this question, answer N.
	89
1da177e4 LT	90	config SECURITY_NETWORK
	91	bool "Socket and Networking Security Hooks"
	92	depends on SECURITY
	93	help
	94	This enables the socket and networking security hooks.
	95	If enabled, a security module can use these hooks to
	96	implement socket and networking access controls.
	97	If you are unsure how to answer this question, answer N.
df71837d	98
d291f1a6 DJ	99	config SECURITY_INFINIBAND
	100	bool "Infiniband Security Hooks"
	101	depends on SECURITY && INFINIBAND
	102	help
	103	This enables the Infiniband security hooks.
	104	If enabled, a security module can use these hooks to
	105	implement Infiniband access controls.
	106	If you are unsure how to answer this question, answer N.
	107
df71837d TJ	108	config SECURITY_NETWORK_XFRM
	109	bool "XFRM (IPSec) Networking Security Hooks"
	110	depends on XFRM && SECURITY_NETWORK
	111	help
	112	This enables the XFRM (IPSec) networking security hooks.
	113	If enabled, a security module can use these hooks to
	114	implement per-packet access controls based on labels
	115	derived from IPSec policy. Non-IPSec communications are
	116	designated as unlabelled, and only sockets authorized
	117	to communicate unlabelled data can send without using
	118	IPSec.
	119	If you are unsure how to answer this question, answer N.
1da177e4	120
be6d3e56 KT	121	config SECURITY_PATH
	122	bool "Security hooks for pathname based access control"
	123	depends on SECURITY
	124	help
	125	This enables the security hooks for pathname based access control.
	126	If enabled, a security module can use these hooks to
	127	implement pathname based access controls.
	128	If you are unsure how to answer this question, answer N.
	129
31625340 JC	130	config INTEL_TXT
31625340 JC	131	bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
69575d38	132	depends on HAVE_INTEL_TXT
31625340 JC	133	help
	134	This option enables support for booting the kernel with the
	135	Trusted Boot (tboot) module. This will utilize
	136	Intel(R) Trusted Execution Technology to perform a measured launch
	137	of the kernel. If the system does not support Intel(R) TXT, this
	138	will have no effect.
	139
3c556e41	140	Intel TXT will provide higher assurance of system configuration and
31625340 JC	141	initial state as well as data reset protection. This is used to
	142	create a robust initial kernel measurement and verification, which
	143	helps to ensure that kernel security mechanisms are functioning
	144	correctly. This level of protection requires a root of trust outside
	145	of the kernel itself.
	146
	147	Intel TXT also helps solve real end user concerns about having
	148	confidence that their hardware is running the VMM or kernel that
3c556e41	149	it was configured with, especially since they may be responsible for
31625340 JC	150	providing such assurances to VMs and services running on it.
	151
	152	See <http://www.intel.com/technology/security/> for more information
	153	about Intel(R) TXT.
	154	See <http://tboot.sourceforge.net> for more information about tboot.
	155	See Documentation/intel_txt.txt for a description of how to enable
	156	Intel TXT support in a kernel boot.
	157
	158	If you are unsure as to whether this is required, answer N.
	159
788084ab	160	config LSM_MMAP_MIN_ADDR
024e6cb4	161	int "Low address space for LSM to protect from user allocation"
788084ab	162	depends on SECURITY && SECURITY_SELINUX
530b099d	163	default 32768 if ARM \|\| (ARM64 && COMPAT)
a58578e4	164	default 65536
788084ab EP	165	help
	166	This is the portion of low virtual memory which should be protected
	167	from userspace allocation. Keeping a user from writing to low pages
	168	can help reduce the impact of kernel NULL pointer bugs.
	169
	170	For most ia64, ppc64 and x86 users with lots of address space
	171	a value of 65536 is reasonable and should cause no problems.
	172	On arm and other archs it should not be higher than 32768.
	173	Programs which use vm86 functionality or have some need to map
	174	this low address space will need the permission specific to the
	175	systems running LSM.
	176
f5509cc1 KC	177	config HAVE_HARDENED_USERCOPY_ALLOCATOR
	178	bool
	179	help
	180	The heap allocator implements __check_heap_object() for
	181	validating memory ranges against heap object sizes in
	182	support of CONFIG_HARDENED_USERCOPY.
	183
f5509cc1 KC	184	config HARDENED_USERCOPY
f5509cc1 KC	185	bool "Harden memory copies between kernel and userspace"
6040e576	186	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
f5509cc1 KC	187	select BUG
	188	help
	189	This option checks for obviously wrong memory regions when
	190	copying memory to/from the kernel (via copy_to_user() and
	191	copy_from_user() functions) by rejecting memory ranges that
	192	are larger than the specified heap object, span multiple
99c55fb1	193	separately allocated pages, are not on the process stack,
f5509cc1 KC	194	or are part of the kernel text. This kills entire classes
	195	of heap overflow exploits and similar kernel memory exposures.
	196
8e1f74ea KC	197	config HARDENED_USERCOPY_PAGESPAN
	198	bool "Refuse to copy allocations that span multiple pages"
	199	depends on HARDENED_USERCOPY
80a77045	200	depends on EXPERT
8e1f74ea KC	201	help
	202	When a multi-page allocation is done without __GFP_COMP,
	203	hardened usercopy will reject attempts to copy it. There are,
	204	however, several cases of this in the kernel that have not all
	205	been removed. This config is intended to be used only while
	206	trying to find such users.
	207
6974f0c4 DM	208	config FORTIFY_SOURCE
	209	bool "Harden common str/mem functions against buffer overflows"
	210	depends on ARCH_HAS_FORTIFY_SOURCE
	211	help
	212	Detect overflows of buffers in common string and memory functions
	213	where the compiler can determine and validate the buffer sizes.
	214
64e90a8a GKH	215	config STATIC_USERMODEHELPER
	216	bool "Force all usermode helper calls through a single binary"
	217	help
	218	By default, the kernel can call many different userspace
	219	binary programs through the "usermode helper" kernel
	220	interface. Some of these binaries are statically defined
	221	either in the kernel code itself, or as a kernel configuration
	222	option. However, some of these are dynamically created at
	223	runtime, or can be modified after the kernel has started up.
	224	To provide an additional layer of security, route all of these
	225	calls through a single executable that can not have its name
	226	changed.
	227
	228	Note, it is up to this single binary to then call the relevant
	229	"real" usermode helper binary, based on the first argument
	230	passed to it. If desired, this program can filter and pick
	231	and choose what real programs are called.
	232
	233	If you wish for all usermode helper programs are to be
	234	disabled, choose this option and then set
	235	STATIC_USERMODEHELPER_PATH to an empty string.
	236
	237	config STATIC_USERMODEHELPER_PATH
	238	string "Path to the static usermode helper binary"
	239	depends on STATIC_USERMODEHELPER
	240	default "/sbin/usermode-helper"
	241	help
	242	The binary called by the kernel when any usermode helper
	243	program is wish to be run. The "real" application's name will
	244	be in the first argument passed to this program on the command
	245	line.
	246
	247	If you wish for all usermode helper programs to be disabled,
	248	specify an empty string here (i.e. "").
	249
99f9ef18 DH	250	config LOCK_DOWN_KERNEL
	251	bool "Allow the kernel to be 'locked down'"
	252	help
	253	Allow the kernel to be locked down under certain circumstances, for
	254	instance if UEFI secure boot is enabled. Locking down the kernel
	255	turns off various features that might otherwise allow access to the
	256	kernel image (eg. setting MSR registers).
	257
	258	config ALLOW_LOCKDOWN_LIFT
	259	bool
	260	help
	261	Allow the lockdown on a kernel to be lifted, thereby restoring the
	262	ability of userspace to access the kernel image (eg. by SysRq+x under
	263	x86).
	264
1da177e4	265	source security/selinux/Kconfig
e114e473	266	source security/smack/Kconfig
00d7d6f8	267	source security/tomoyo/Kconfig
f9ad1af5	268	source security/apparmor/Kconfig
9b091556	269	source security/loadpin/Kconfig
2d514487	270	source security/yama/Kconfig
1da177e4	271
f381c272	272	source security/integrity/Kconfig
3323eec9	273
a3c3cde2 CS	274	menu "Security Module Selection"
	275	visible if !SECURITY_STACKING
	276
6e65f92f JJ	277	choice
	278	prompt "Default security module"
	279	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
	280	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
	281	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
f9ad1af5	282	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
6e65f92f JJ	283	default DEFAULT_SECURITY_DAC
	284
	285	help
	286	Select the security module that will be used by default if the
	287	kernel parameter security= is not specified.
	288
	289	config DEFAULT_SECURITY_SELINUX
	290	bool "SELinux" if SECURITY_SELINUX=y
	291
	292	config DEFAULT_SECURITY_SMACK
	293	bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
	294
	295	config DEFAULT_SECURITY_TOMOYO
	296	bool "TOMOYO" if SECURITY_TOMOYO=y
	297
f9ad1af5 JJ	298	config DEFAULT_SECURITY_APPARMOR
	299	bool "AppArmor" if SECURITY_APPARMOR=y
	300
6e65f92f JJ	301	config DEFAULT_SECURITY_DAC
	302	bool "Unix Discretionary Access Controls"
	303
	304	endchoice
	305
	306	config DEFAULT_SECURITY
	307	string
	308	default "selinux" if DEFAULT_SECURITY_SELINUX
	309	default "smack" if DEFAULT_SECURITY_SMACK
	310	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
f9ad1af5	311	default "apparmor" if DEFAULT_SECURITY_APPARMOR
6e65f92f JJ	312	default "" if DEFAULT_SECURITY_DAC
6e65f92f JJ	313
1da177e4 LT	314	endmenu
1da177e4 LT	315
a3c3cde2 CS	316	menu "Security Module Stack"
	317	visible if SECURITY_STACKING
	318
	319	choice
bc7e09e5 JJ	320	prompt "mutually exclusive LSMs"
bc7e09e5 JJ	321	default SECURITY_NO_EXCLUSIVE_LSM
a3c3cde2	322
bc7e09e5 JJ	323	config SECURITY_NO_EXCLUSIVE_LSM
	324	bool "none"
	325	help
	326	Do no add an LSM to is mutually exclusive to the stack."
a3c3cde2 CS	327	config SECURITY_SELINUX_STACKED
a3c3cde2 CS	328	bool "SELinux" if SECURITY_SELINUX=y
bc7e09e5 JJ	329	help
	330	Add the SELinux security module to the stack.
	331	Please be sure your user space code is accomodating of
	332	this security module.
	333	Ensure that your network configuration is compatible
	334	with your combination of security modules.
	335
	336	Incompatible with Smack being stacked.
	337
	338	If you are unsure how to answer this question, answer N.
a3c3cde2 CS	339
	340	config SECURITY_SMACK_STACKED
	341	bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
bc7e09e5 JJ	342	help
	343	Add the Smack security module to the stack.
	344	Please be sure your user space code is accomodating of
	345	this security module.
	346	Ensure that your network configuration is compatible
	347	with your combination of security modules.
a3c3cde2	348
bc7e09e5	349	Incompatible with SeLinux being stacked.
a3c3cde2	350
bc7e09e5	351	If you are unsure how to answer this question, answer N.
a3c3cde2 CS	352	endchoice
	353
	354	config SECURITY_TOMOYO_STACKED
	355	bool "TOMOYO support is enabled by default"
	356	depends on SECURITY_TOMOYO && SECURITY_STACKING
	357	default n
	358	help
	359	This option instructs the system to use the TOMOYO checks.
	360	If not selected the module will not be invoked.
	361	Stacked security modules may interact in unexpected ways.
	362	Please be sure your user space code is accomodating of
	363	multiple security modules.
	364
	365	If you are unsure how to answer this question, answer N.
	366
	367	config SECURITY_APPARMOR_STACKED
	368	bool "AppArmor support is enabled by default"
	369	depends on SECURITY_APPARMOR && SECURITY_STACKING
	370	default n
	371	help
	372	This option instructs the system to use the AppArmor checks.
	373	If not selected the module will not be invoked.
	374	Stacked security modules may interact in unexpected ways.
	375	Please be sure your user space code is accomodating of
	376	multiple security modules.
	377
	378	If you are unsure how to answer this question, answer N.
	379
d637d5bd JJ	380	choice
	381	prompt "Default LSM for legacy interfaces"
	382	default SECURITY_DEFAULT_DISPLAY_SELINUX if SECURITY_SELINUX_STACKED
	383	default SECURITY_DEFAULT_DISPLAY_SMACK if SECURITY_SMACK_STACKED
	384	default SECURITY_DEFAULT_DISPLAY_TOMOYO if SECURITY_TOMOYO_STACKED
	385	default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED
	386	default SECURITY_DEFAULT_DISPLAY_FIRST
	387
	388	help
	389	Select the security module context that will be displayed by
	390	default on legacy interfaces if the kernel parameter
	391	security.display= is not specified.
	392
	393	config SECURITY_DEFAULT_DISPLAY_SELINUX
	394	bool "SELinux" if SECURITY_SELINUX=y
	395
	396	config SECURITY_DEFAULT_DISPLAY_SMACK
	397	bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
	398
	399	config SECURITY_DEFAULT_DISPLAY_TOMOYO
	400	bool "TOMOYO" if SECURITY_TOMOYO=y
	401
	402	config SECURITY_DEFAULT_DISPLAY_APPARMOR
	403	bool "AppArmor" if SECURITY_APPARMOR=y
	404
	405	config SECURITY_DEFAULT_DISPLAY_FIRST
	406	bool "First security module to register"
	407
	408	endchoice
	409
	410	config SECURITY_DEFAULT_DISPLAY_NAME
	411	string
	412	default "selinux" if SECURITY_DEFAULT_DISPLAY_SELINUX
	413	default "smack" if SECURITY_DEFAULT_DISPLAY_SMACK
	414	default "tomoyo" if SECURITY_DEFAULT_DISPLAY_TOMOYO
	415	default "apparmor" if SECURITY_DEFAULT_DISPLAY_APPARMOR
	416	default "" if SECURITY_DEFAULT_DISPLAY_FIRST
	417
a3c3cde2 CS	418	endmenu
	419
	420	endmenu