| Commit | Line | Data |
|---|---|---|
| 000d388e MG | 1 | config SECURITY_LOCKDOWN_LSM |
| | 2 | bool "Basic module for enforcing kernel lockdown" |
| | 3 | depends on SECURITY |
| 49fcf732 | 4 | select MODULE_SIG if MODULES |
| 000d388e MG | 5 | help |
| | 6 | Build support for an LSM that enforces a coarse kernel lockdown |
| | 7 | behaviour. |
| | 8 | |
| | 9 | config SECURITY_LOCKDOWN_LSM_EARLY |
| | 10 | bool "Enable lockdown LSM early in init" |
| | 11 | depends on SECURITY_LOCKDOWN_LSM |
| | 12 | help |
| | 13 | Enable the lockdown LSM early in boot. This is necessary in order |
| | 14 | to ensure that lockdown enforcement can be carried out on kernel |
| | 15 | boot parameters that are otherwise parsed before the security |
| | 16 | subsystem is fully initialised. If enabled, lockdown will |
| | 17 | unconditionally be called before any other LSMs. |
| | 18 | |
| | 19 | choice |
| | 20 | prompt "Kernel default lockdown mode" |
| | 21 | default LOCK_DOWN_KERNEL_FORCE_NONE |
| | 22 | depends on SECURITY_LOCKDOWN_LSM |
| | 23 | help |
| | 24 | The kernel can be configured to default to differing levels of |
| | 25 | lockdown. |
| | 26 | |
| | 27 | config LOCK_DOWN_KERNEL_FORCE_NONE |
| | 28 | bool "None" |
| | 29 | help |
| | 30 | No lockdown functionality is enabled by default. Lockdown may be |
| | 31 | enabled via the kernel commandline or /sys/kernel/security/lockdown. |
| | 32 | |
| | 33 | config LOCK_DOWN_KERNEL_FORCE_INTEGRITY |
| | 34 | bool "Integrity" |
| | 35 | help |
| | 36 | The kernel runs in integrity mode by default. Features that allow |
| | 37 | the kernel to be modified at runtime are disabled. |
| | 38 | |
| | 39 | config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY |
| | 40 | bool "Confidentiality" |
| | 41 | help |
| | 42 | The kernel runs in confidentiality mode by default. Features that |
| | 43 | allow the kernel to be modified at runtime or that permit userland |
| | 44 | code to read confidential material held inside the kernel are |
| | 45 | disabled. |
| | 46 | |
| | 47 | endchoice |
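
Added example, not part of the kernel tree: a POSIX shell audit helper that reads a kernel `.config` and reports which default lockdown mode the choice block above selected, whether early initialisation is enabled, and which mode is active in text taken from /sys/kernel/security/lockdown. The function names and sample config are constructed, and the bracket-marks-the-active-mode layout of the sysfs file is an assumption not stated on this page.

```shell
# Added example, not kernel code. Function names and sample data are constructed.

# Constructed .config excerpt for a kernel built with the options above.
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
EOF
}

# has_opt NAME: succeeds if the config text held in $cfg has CONFIG_NAME=y.
has_opt() { printf '%s\n' "$cfg" | grep -x "CONFIG_$1=y" >/dev/null; }

# default_lockdown_mode: reads a .config on stdin and prints the build-time
# default: absent (LSM not built), none, integrity, confidentiality or unknown.
default_lockdown_mode() {
    cfg=$(cat)
    has_opt SECURITY_LOCKDOWN_LSM || { echo absent; return 0; }
    for m in NONE INTEGRITY CONFIDENTIALITY; do
        if has_opt "LOCK_DOWN_KERNEL_FORCE_$m"; then
            echo "$m" | tr 'A-Z' 'a-z'
            return 0
        fi
    done
    echo unknown
}

# early_enabled: reads a .config on stdin; succeeds when the LSM is set up
# early enough for lockdown to apply to kernel boot parameters.
early_enabled() { cfg=$(cat); has_opt SECURITY_LOCKDOWN_LSM_EARLY; }

# active_lockdown_mode TEXT: prints the bracketed (active) entry of the sysfs
# file contents, e.g. "none [integrity] confidentiality" (assumed layout).
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# On a live system, pass the kernel's .config path as $1 to compare both.
if [ -r /sys/kernel/security/lockdown ] && [ -r "${1:-}" ]; then
    echo "default: $(default_lockdown_mode < "$1")"
    echo "active:  $(active_lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
fi
```

A host whose active mode is `none` while its build default is `none` relies entirely on the kernel command line or a later write to the sysfs file to enter lockdown, which is worth flagging in a hardening review.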