2 # Security configuration
5 menu "Security options"
7 source security/keys/Kconfig
9 config SECURITY_DMESG_RESTRICT
10 bool "Restrict unprivileged access to the kernel syslog"
13 This enforces restrictions on unprivileged users reading the kernel
16 If this option is not selected, no restrictions will be enforced
17 unless the dmesg_restrict sysctl is explicitly set to (1).
19 If you are unsure how to answer this question, answer N.
21 config SECURITY_PERF_EVENTS_RESTRICT
22 bool "Restrict unprivileged use of performance events"
23 depends on PERF_EVENTS
25 If you say Y here, the kernel.perf_event_paranoid sysctl
26 will be set to 3 by default, and no unprivileged use of the
27 perf_event_open syscall will be permitted unless it is
31 bool "Enable different security models"
35 This allows you to choose different security modules to be
36 configured into your kernel.
38 If this option is not selected, the default Linux security
41 If you are unsure how to answer this question, answer N.
43 config SECURITY_WRITABLE_HOOKS
49 bool "Enable the securityfs filesystem"
51 This will build the securityfs filesystem. It is currently used by
52 the TPM bios character driver and IMA, an integrity provider. It is
53 not used by SELinux or SMACK.
55 If you are unsure how to answer this question, answer N.
57 config SECURITY_NETWORK
58 bool "Socket and Networking Security Hooks"
61 This enables the socket and networking security hooks.
62 If enabled, a security module can use these hooks to
63 implement socket and networking access controls.
64 If you are unsure how to answer this question, answer N.
66 config SECURITY_INFINIBAND
67 bool "Infiniband Security Hooks"
68 depends on SECURITY && INFINIBAND
70 This enables the Infiniband security hooks.
71 If enabled, a security module can use these hooks to
72 implement Infiniband access controls.
73 If you are unsure how to answer this question, answer N.
75 config SECURITY_NETWORK_XFRM
76 bool "XFRM (IPSec) Networking Security Hooks"
77 depends on XFRM && SECURITY_NETWORK
79 This enables the XFRM (IPSec) networking security hooks.
80 If enabled, a security module can use these hooks to
81 implement per-packet access controls based on labels
82 derived from IPSec policy. Non-IPSec communications are
83 designated as unlabelled, and only sockets authorized
84 to communicate unlabelled data can send without using
86 If you are unsure how to answer this question, answer N.
89 bool "Security hooks for pathname based access control"
92 This enables the security hooks for pathname based access control.
93 If enabled, a security module can use these hooks to
94 implement pathname based access controls.
95 If you are unsure how to answer this question, answer N.
98 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
99 depends on HAVE_INTEL_TXT
101 This option enables support for booting the kernel with the
102 Trusted Boot (tboot) module. This will utilize
103 Intel(R) Trusted Execution Technology to perform a measured launch
104 of the kernel. If the system does not support Intel(R) TXT, this
107 Intel TXT will provide higher assurance of system configuration and
108 initial state as well as data reset protection. This is used to
109 create a robust initial kernel measurement and verification, which
110 helps to ensure that kernel security mechanisms are functioning
111 correctly. This level of protection requires a root of trust outside
112 of the kernel itself.
114 Intel TXT also helps solve real end user concerns about having
115 confidence that their hardware is running the VMM or kernel that
116 it was configured with, especially since they may be responsible for
117 providing such assurances to VMs and services running on it.
119 See <http://www.intel.com/technology/security/> for more information
121 See <http://tboot.sourceforge.net> for more information about tboot.
122 See Documentation/intel_txt.txt for a description of how to enable
123 Intel TXT support in a kernel boot.
125 If you are unsure as to whether this is required, answer N.
127 config LSM_MMAP_MIN_ADDR
128 int "Low address space for LSM to protect from user allocation"
129 depends on SECURITY && SECURITY_SELINUX
130 default 32768 if ARM || (ARM64 && COMPAT)
133 This is the portion of low virtual memory which should be protected
134 from userspace allocation. Keeping a user from writing to low pages
135 can help reduce the impact of kernel NULL pointer bugs.
137 For most ia64, ppc64 and x86 users with lots of address space
138 a value of 65536 is reasonable and should cause no problems.
139 On arm and other archs it should not be higher than 32768.
140 Programs which use vm86 functionality or have some need to map
141 this low address space will need the permission specific to the
144 config HAVE_HARDENED_USERCOPY_ALLOCATOR
147 The heap allocator implements __check_heap_object() for
148 validating memory ranges against heap object sizes in
149 support of CONFIG_HARDENED_USERCOPY.
151 config HARDENED_USERCOPY
152 bool "Harden memory copies between kernel and userspace"
153 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
156 This option checks for obviously wrong memory regions when
157 copying memory to/from the kernel (via copy_to_user() and
158 copy_from_user() functions) by rejecting memory ranges that
159 are larger than the specified heap object, span multiple
160 separately allocated pages, are not on the process stack,
161 or are part of the kernel text. This kills entire classes
162 of heap overflow exploits and similar kernel memory exposures.
164 config HARDENED_USERCOPY_PAGESPAN
165 bool "Refuse to copy allocations that span multiple pages"
166 depends on HARDENED_USERCOPY
169 When a multi-page allocation is done without __GFP_COMP,
170 hardened usercopy will reject attempts to copy it. There are,
171 however, several cases of this in the kernel that have not all
172 been removed. This config is intended to be used only while
173 trying to find such users.
175 config FORTIFY_SOURCE
176 bool "Harden common str/mem functions against buffer overflows"
177 depends on ARCH_HAS_FORTIFY_SOURCE
179 Detect overflows of buffers in common string and memory functions
180 where the compiler can determine and validate the buffer sizes.
182 config STATIC_USERMODEHELPER
183 bool "Force all usermode helper calls through a single binary"
185 By default, the kernel can call many different userspace
186 binary programs through the "usermode helper" kernel
187 interface. Some of these binaries are statically defined
188 either in the kernel code itself, or as a kernel configuration
189 option. However, some of these are dynamically created at
190 runtime, or can be modified after the kernel has started up.
191 To provide an additional layer of security, route all of these
192 calls through a single executable that can not have its name
195 Note, it is up to this single binary to then call the relevant
196 "real" usermode helper binary, based on the first argument
197 passed to it. If desired, this program can filter and pick
198 and choose what real programs are called.
200 If you wish for all usermode helper programs are to be
201 disabled, choose this option and then set
202 STATIC_USERMODEHELPER_PATH to an empty string.
204 config STATIC_USERMODEHELPER_PATH
205 string "Path to the static usermode helper binary"
206 depends on STATIC_USERMODEHELPER
207 default "/sbin/usermode-helper"
209 The binary called by the kernel when any usermode helper
210 program is wish to be run. The "real" application's name will
211 be in the first argument passed to this program on the command
214 If you wish for all usermode helper programs to be disabled,
215 specify an empty string here (i.e. "").
217 config LOCK_DOWN_KERNEL
218 bool "Allow the kernel to be 'locked down'"
220 Allow the kernel to be locked down under certain circumstances, for
221 instance if UEFI secure boot is enabled. Locking down the kernel
222 turns off various features that might otherwise allow access to the
223 kernel image (eg. setting MSR registers).
225 config ALLOW_LOCKDOWN_LIFT
228 Allow the lockdown on a kernel to be lifted, thereby restoring the
229 ability of userspace to access the kernel image (eg. by SysRq+x under
232 source security/selinux/Kconfig
233 source security/smack/Kconfig
234 source security/tomoyo/Kconfig
235 source security/apparmor/Kconfig
236 source security/loadpin/Kconfig
237 source security/yama/Kconfig
239 source security/integrity/Kconfig
242 prompt "Default security module"
243 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
244 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
245 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
246 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
247 default DEFAULT_SECURITY_DAC
250 Select the security module that will be used by default if the
251 kernel parameter security= is not specified.
253 config DEFAULT_SECURITY_SELINUX
254 bool "SELinux" if SECURITY_SELINUX=y
256 config DEFAULT_SECURITY_SMACK
257 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
259 config DEFAULT_SECURITY_TOMOYO
260 bool "TOMOYO" if SECURITY_TOMOYO=y
262 config DEFAULT_SECURITY_APPARMOR
263 bool "AppArmor" if SECURITY_APPARMOR=y
265 config DEFAULT_SECURITY_DAC
266 bool "Unix Discretionary Access Controls"
270 config DEFAULT_SECURITY
272 default "selinux" if DEFAULT_SECURITY_SELINUX
273 default "smack" if DEFAULT_SECURITY_SMACK
274 default "tomoyo" if DEFAULT_SECURITY_TOMOYO
275 default "apparmor" if DEFAULT_SECURITY_APPARMOR
276 default "" if DEFAULT_SECURITY_DAC