1 # SPDX-License-Identifier: GPL-2.0-only
3 # Security configuration
6 menu "Security options"
8 source "security/keys/Kconfig"
10 config SECURITY_DMESG_RESTRICT
11 bool "Restrict unprivileged access to the kernel syslog"
14 This enforces restrictions on unprivileged users reading the kernel
17 If this option is not selected, no restrictions will be enforced
18 unless the dmesg_restrict sysctl is explicitly set to (1).
20 If you are unsure how to answer this question, answer N.
22 config SECURITY_PERF_EVENTS_RESTRICT
23 bool "Restrict unprivileged use of performance events"
24 depends on PERF_EVENTS
26 If you say Y here, the kernel.perf_event_paranoid sysctl
27 will be set to 3 by default, and no unprivileged use of the
28 perf_event_open syscall will be permitted unless it is
32 bool "Enable different security models"
36 This allows you to choose different security modules to be
37 configured into your kernel.
39 If this option is not selected, the default Linux security
42 If you are unsure how to answer this question, answer N.
44 config SECURITY_WRITABLE_HOOKS
50 bool "Enable the securityfs filesystem"
52 This will build the securityfs filesystem. It is currently used by
53 various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM).
55 If you are unsure how to answer this question, answer N.
57 config SECURITY_NETWORK
58 bool "Socket and Networking Security Hooks"
61 This enables the socket and networking security hooks.
62 If enabled, a security module can use these hooks to
63 implement socket and networking access controls.
64 If you are unsure how to answer this question, answer N.
66 config SECURITY_INFINIBAND
67 bool "Infiniband Security Hooks"
68 depends on SECURITY && INFINIBAND
70 This enables the Infiniband security hooks.
71 If enabled, a security module can use these hooks to
72 implement Infiniband access controls.
73 If you are unsure how to answer this question, answer N.
75 config SECURITY_NETWORK_XFRM
76 bool "XFRM (IPSec) Networking Security Hooks"
77 depends on XFRM && SECURITY_NETWORK
79 This enables the XFRM (IPSec) networking security hooks.
80 If enabled, a security module can use these hooks to
81 implement per-packet access controls based on labels
82 derived from IPSec policy. Non-IPSec communications are
83 designated as unlabelled, and only sockets authorized
84 to communicate unlabelled data can send without using
86 If you are unsure how to answer this question, answer N.
89 bool "Security hooks for pathname based access control"
92 This enables the security hooks for pathname based access control.
93 If enabled, a security module can use these hooks to
94 implement pathname based access controls.
95 If you are unsure how to answer this question, answer N.
98 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
99 depends on HAVE_INTEL_TXT
101 This option enables support for booting the kernel with the
102 Trusted Boot (tboot) module. This will utilize
103 Intel(R) Trusted Execution Technology to perform a measured launch
104 of the kernel. If the system does not support Intel(R) TXT, this
107 Intel TXT will provide higher assurance of system configuration and
108 initial state as well as data reset protection. This is used to
109 create a robust initial kernel measurement and verification, which
110 helps to ensure that kernel security mechanisms are functioning
111 correctly. This level of protection requires a root of trust outside
112 of the kernel itself.
114 Intel TXT also helps solve real end user concerns about having
115 confidence that their hardware is running the VMM or kernel that
116 it was configured with, especially since they may be responsible for
117 providing such assurances to VMs and services running on it.
119 See <https://www.intel.com/technology/security/> for more information
121 See <http://tboot.sourceforge.net> for more information about tboot.
122 See Documentation/x86/intel_txt.rst for a description of how to enable
123 Intel TXT support in a kernel boot.
125 If you are unsure as to whether this is required, answer N.
127 config LSM_MMAP_MIN_ADDR
128 int "Low address space for LSM to protect from user allocation"
129 depends on SECURITY && SECURITY_SELINUX
130 default 32768 if ARM || (ARM64 && COMPAT)
133 This is the portion of low virtual memory which should be protected
134 from userspace allocation. Keeping a user from writing to low pages
135 can help reduce the impact of kernel NULL pointer bugs.
137 For most ia64, ppc64 and x86 users with lots of address space
138 a value of 65536 is reasonable and should cause no problems.
139 On arm and other archs it should not be higher than 32768.
140 Programs which use vm86 functionality or have some need to map
141 this low address space will need the permission specific to the
144 config HAVE_HARDENED_USERCOPY_ALLOCATOR
147 The heap allocator implements __check_heap_object() for
148 validating memory ranges against heap object sizes in
149 support of CONFIG_HARDENED_USERCOPY.
151 config HARDENED_USERCOPY
152 bool "Harden memory copies between kernel and userspace"
153 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
156 This option checks for obviously wrong memory regions when
157 copying memory to/from the kernel (via copy_to_user() and
158 copy_from_user() functions) by rejecting memory ranges that
159 are larger than the specified heap object, span multiple
160 separately allocated pages, are not on the process stack,
161 or are part of the kernel text. This kills entire classes
162 of heap overflow exploits and similar kernel memory exposures.
164 config HARDENED_USERCOPY_FALLBACK
165 bool "Allow usercopy whitelist violations to fallback to object size"
166 depends on HARDENED_USERCOPY
169 This is a temporary option that allows missing usercopy whitelists
170 to be discovered via a WARN() to the kernel log, instead of
171 rejecting the copy, falling back to non-whitelisted hardened
172 usercopy that checks the slab allocation size instead of the
173 whitelist size. This option will be removed once it seems like
174 all missing usercopy whitelists have been identified and fixed.
175 Booting with "slab_common.usercopy_fallback=Y/N" can change
178 config HARDENED_USERCOPY_PAGESPAN
179 bool "Refuse to copy allocations that span multiple pages"
180 depends on HARDENED_USERCOPY
183 When a multi-page allocation is done without __GFP_COMP,
184 hardened usercopy will reject attempts to copy it. There are,
185 however, several cases of this in the kernel that have not all
186 been removed. This config is intended to be used only while
187 trying to find such users.
189 config FORTIFY_SOURCE
190 bool "Harden common str/mem functions against buffer overflows"
191 depends on ARCH_HAS_FORTIFY_SOURCE
192 # https://bugs.llvm.org/show_bug.cgi?id=50322
193 # https://bugs.llvm.org/show_bug.cgi?id=41459
194 depends on !CC_IS_CLANG
196 Detect overflows of buffers in common string and memory functions
197 where the compiler can determine and validate the buffer sizes.
199 config STATIC_USERMODEHELPER
200 bool "Force all usermode helper calls through a single binary"
202 By default, the kernel can call many different userspace
203 binary programs through the "usermode helper" kernel
204 interface. Some of these binaries are statically defined
205 either in the kernel code itself, or as a kernel configuration
206 option. However, some of these are dynamically created at
207 runtime, or can be modified after the kernel has started up.
208 To provide an additional layer of security, route all of these
209 calls through a single executable that can not have its name
212 Note, it is up to this single binary to then call the relevant
213 "real" usermode helper binary, based on the first argument
214 passed to it. If desired, this program can filter and pick
215 and choose what real programs are called.
217 If you wish for all usermode helper programs are to be
218 disabled, choose this option and then set
219 STATIC_USERMODEHELPER_PATH to an empty string.
221 config STATIC_USERMODEHELPER_PATH
222 string "Path to the static usermode helper binary"
223 depends on STATIC_USERMODEHELPER
224 default "/sbin/usermode-helper"
226 The binary called by the kernel when any usermode helper
227 program is wish to be run. The "real" application's name will
228 be in the first argument passed to this program on the command
231 If you wish for all usermode helper programs to be disabled,
232 specify an empty string here (i.e. "").
234 source "security/selinux/Kconfig"
235 source "security/smack/Kconfig"
236 source "security/tomoyo/Kconfig"
237 source "security/apparmor/Kconfig"
238 source "security/loadpin/Kconfig"
239 source "security/yama/Kconfig"
240 source "security/safesetid/Kconfig"
241 source "security/lockdown/Kconfig"
242 source "security/landlock/Kconfig"
244 source "security/integrity/Kconfig"
247 prompt "First legacy 'major LSM' to be initialized"
248 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
249 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
250 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
251 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
252 default DEFAULT_SECURITY_DAC
255 This choice is there only for converting CONFIG_DEFAULT_SECURITY
256 in old kernel configs to CONFIG_LSM in new kernel configs. Don't
257 change this choice unless you are creating a fresh kernel config,
258 for this choice will be ignored after CONFIG_LSM has been set.
260 Selects the legacy "major security module" that will be
261 initialized first. Overridden by non-default CONFIG_LSM.
263 config DEFAULT_SECURITY_SELINUX
264 bool "SELinux" if SECURITY_SELINUX=y
266 config DEFAULT_SECURITY_SMACK
267 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
269 config DEFAULT_SECURITY_TOMOYO
270 bool "TOMOYO" if SECURITY_TOMOYO=y
272 config DEFAULT_SECURITY_APPARMOR
273 bool "AppArmor" if SECURITY_APPARMOR=y
275 config DEFAULT_SECURITY_DAC
276 bool "Unix Discretionary Access Controls"
281 string "Ordered list of enabled LSMs"
282 default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
283 default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
284 default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
285 default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
286 default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
288 A comma-separated list of LSMs, in initialization order.
289 Any LSMs left off this list will be ignored. This can be
290 controlled at boot with the "lsm=" parameter.
292 If unsure, leave this as the default.
294 source "security/Kconfig.hardening"