security/Kconfig

   1 #
   2 # Security configuration
   3 #
   4
   5 menu "Security options"
   6
   7 source security/keys/Kconfig
   8
   9 config SECURITY_DMESG_RESTRICT
  10         bool "Restrict unprivileged access to the kernel syslog"
  11         default n
  12         help
  13           This enforces restrictions on unprivileged users reading the kernel
  14           syslog via dmesg(8).
  15
  16           If this option is not selected, no restrictions will be enforced
  17           unless the dmesg_restrict sysctl is explicitly set to (1).
  18
  19           If you are unsure how to answer this question, answer N.
  20
  21 config SECURITY_PERF_EVENTS_RESTRICT
  22         bool "Restrict unprivileged use of performance events"
  23         depends on PERF_EVENTS
  24         help
  25           If you say Y here, the kernel.perf_event_paranoid sysctl
  26           will be set to 3 by default, and no unprivileged use of the
  27           perf_event_open syscall will be permitted unless it is
  28           changed.
  29
  30 config SECURITY
  31         bool "Enable different security models"
  32         depends on SYSFS
  33         depends on MULTIUSER
  34         help
  35           This allows you to choose different security modules to be
  36           configured into your kernel.
  37
  38           If this option is not selected, the default Linux security
  39           model will be used.
  40
  41           If you are unsure how to answer this question, answer N.
  42
  43 config SECURITY_WRITABLE_HOOKS
  44         depends on SECURITY
  45         bool
  46         default n
  47
  48 config SECURITY_STACKING
  49         bool "Security module stacking"
  50         depends on SECURITY
  51         help
  52           Allows multiple major security modules to be stacked.
  53           Modules are invoked in the order registered with a
  54           "bail on fail" policy, in which the infrastructure
  55           will stop processing once a denial is detected. Not
  56           all modules can be stacked. SELinux and Smack are
  57           known to be incompatible. User space components may
  58           have trouble identifying the security module providing
  59           data in some cases.
  60
  61           If you select this option you will have to select which
  62           of the stackable modules you wish to be active. The
  63           "Default security module" will be ignored. The boot line
  64           "security=" option can be used to specify that one of
  65           the modules identifed for stacking should be used instead
  66           of the entire stack.
  67
  68           If you are unsure how to answer this question, answer N.
  69
  70 config SECURITY_LSM_DEBUG
  71         bool "Enable debugging of the LSM infrastructure"
  72         depends on SECURITY
  73         help
  74           This allows you to choose debug messages related to
  75           security modules configured into your kernel. These
  76           messages may be helpful in determining how a security
  77           module is using security blobs.
  78
  79           If you are unsure how to answer this question, answer N.
  80
  81 config SECURITYFS
  82         bool "Enable the securityfs filesystem"
  83         help
  84           This will build the securityfs filesystem.  It is currently used by
  85           the TPM bios character driver and IMA, an integrity provider.  It is
  86           not used by SELinux or SMACK.
  87
  88           If you are unsure how to answer this question, answer N.
  89
  90 config SECURITY_NETWORK
  91         bool "Socket and Networking Security Hooks"
  92         depends on SECURITY
  93         help
  94           This enables the socket and networking security hooks.
  95           If enabled, a security module can use these hooks to
  96           implement socket and networking access controls.
  97           If you are unsure how to answer this question, answer N.
  98
  99 config PAGE_TABLE_ISOLATION
 100         bool "Remove the kernel mapping in user mode"
 101         depends on X86_64 && !UML
 102         help
 103           This feature reduces the number of hardware side channels by
 104           ensuring that the majority of kernel addresses are not mapped
 105           into userspace.
 106
 107           See Documentation/x86/pagetable-isolation.txt for more details.
 108
 109 config SECURITY_INFINIBAND
 110         bool "Infiniband Security Hooks"
 111         depends on SECURITY && INFINIBAND
 112         help
 113           This enables the Infiniband security hooks.
 114           If enabled, a security module can use these hooks to
 115           implement Infiniband access controls.
 116           If you are unsure how to answer this question, answer N.
 117
 118 config SECURITY_NETWORK_XFRM
 119         bool "XFRM (IPSec) Networking Security Hooks"
 120         depends on XFRM && SECURITY_NETWORK
 121         help
 122           This enables the XFRM (IPSec) networking security hooks.
 123           If enabled, a security module can use these hooks to
 124           implement per-packet access controls based on labels
 125           derived from IPSec policy.  Non-IPSec communications are
 126           designated as unlabelled, and only sockets authorized
 127           to communicate unlabelled data can send without using
 128           IPSec.
 129           If you are unsure how to answer this question, answer N.
 130
 131 config SECURITY_PATH
 132         bool "Security hooks for pathname based access control"
 133         depends on SECURITY
 134         help
 135           This enables the security hooks for pathname based access control.
 136           If enabled, a security module can use these hooks to
 137           implement pathname based access controls.
 138           If you are unsure how to answer this question, answer N.
 139
 140 config INTEL_TXT
 141         bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
 142         depends on HAVE_INTEL_TXT
 143         help
 144           This option enables support for booting the kernel with the
 145           Trusted Boot (tboot) module. This will utilize
 146           Intel(R) Trusted Execution Technology to perform a measured launch
 147           of the kernel. If the system does not support Intel(R) TXT, this
 148           will have no effect.
 149
 150           Intel TXT will provide higher assurance of system configuration and
 151           initial state as well as data reset protection.  This is used to
 152           create a robust initial kernel measurement and verification, which
 153           helps to ensure that kernel security mechanisms are functioning
 154           correctly. This level of protection requires a root of trust outside
 155           of the kernel itself.
 156
 157           Intel TXT also helps solve real end user concerns about having
 158           confidence that their hardware is running the VMM or kernel that
 159           it was configured with, especially since they may be responsible for
 160           providing such assurances to VMs and services running on it.
 161
 162           See <http://www.intel.com/technology/security/> for more information
 163           about Intel(R) TXT.
 164           See <http://tboot.sourceforge.net> for more information about tboot.
 165           See Documentation/intel_txt.txt for a description of how to enable
 166           Intel TXT support in a kernel boot.
 167
 168           If you are unsure as to whether this is required, answer N.
 169
 170 config LSM_MMAP_MIN_ADDR
 171         int "Low address space for LSM to protect from user allocation"
 172         depends on SECURITY && SECURITY_SELINUX
 173         default 32768 if ARM || (ARM64 && COMPAT)
 174         default 65536
 175         help
 176           This is the portion of low virtual memory which should be protected
 177           from userspace allocation.  Keeping a user from writing to low pages
 178           can help reduce the impact of kernel NULL pointer bugs.
 179
 180           For most ia64, ppc64 and x86 users with lots of address space
 181           a value of 65536 is reasonable and should cause no problems.
 182           On arm and other archs it should not be higher than 32768.
 183           Programs which use vm86 functionality or have some need to map
 184           this low address space will need the permission specific to the
 185           systems running LSM.
 186
 187 config HAVE_HARDENED_USERCOPY_ALLOCATOR
 188         bool
 189         help
 190           The heap allocator implements __check_heap_object() for
 191           validating memory ranges against heap object sizes in
 192           support of CONFIG_HARDENED_USERCOPY.
 193
 194 config HARDENED_USERCOPY
 195         bool "Harden memory copies between kernel and userspace"
 196         depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
 197         select BUG
 198         help
 199           This option checks for obviously wrong memory regions when
 200           copying memory to/from the kernel (via copy_to_user() and
 201           copy_from_user() functions) by rejecting memory ranges that
 202           are larger than the specified heap object, span multiple
 203           separately allocated pages, are not on the process stack,
 204           or are part of the kernel text. This kills entire classes
 205           of heap overflow exploits and similar kernel memory exposures.
 206
 207 config HARDENED_USERCOPY_PAGESPAN
 208         bool "Refuse to copy allocations that span multiple pages"
 209         depends on HARDENED_USERCOPY
 210         depends on EXPERT
 211         help
 212           When a multi-page allocation is done without __GFP_COMP,
 213           hardened usercopy will reject attempts to copy it. There are,
 214           however, several cases of this in the kernel that have not all
 215           been removed. This config is intended to be used only while
 216           trying to find such users.
 217
 218 config FORTIFY_SOURCE
 219         bool "Harden common str/mem functions against buffer overflows"
 220         depends on ARCH_HAS_FORTIFY_SOURCE
 221         help
 222           Detect overflows of buffers in common string and memory functions
 223           where the compiler can determine and validate the buffer sizes.
 224
 225 config STATIC_USERMODEHELPER
 226         bool "Force all usermode helper calls through a single binary"
 227         help
 228           By default, the kernel can call many different userspace
 229           binary programs through the "usermode helper" kernel
 230           interface.  Some of these binaries are statically defined
 231           either in the kernel code itself, or as a kernel configuration
 232           option.  However, some of these are dynamically created at
 233           runtime, or can be modified after the kernel has started up.
 234           To provide an additional layer of security, route all of these
 235           calls through a single executable that can not have its name
 236           changed.
 237
 238           Note, it is up to this single binary to then call the relevant
 239           "real" usermode helper binary, based on the first argument
 240           passed to it.  If desired, this program can filter and pick
 241           and choose what real programs are called.
 242
 243           If you wish for all usermode helper programs are to be
 244           disabled, choose this option and then set
 245           STATIC_USERMODEHELPER_PATH to an empty string.
 246
 247 config STATIC_USERMODEHELPER_PATH
 248         string "Path to the static usermode helper binary"
 249         depends on STATIC_USERMODEHELPER
 250         default "/sbin/usermode-helper"
 251         help
 252           The binary called by the kernel when any usermode helper
 253           program is wish to be run.  The "real" application's name will
 254           be in the first argument passed to this program on the command
 255           line.
 256
 257           If you wish for all usermode helper programs to be disabled,
 258           specify an empty string here (i.e. "").
 259
 260 config LOCK_DOWN_KERNEL
 261         bool "Allow the kernel to be 'locked down'"
 262         help
 263           Allow the kernel to be locked down under certain circumstances, for
 264           instance if UEFI secure boot is enabled.  Locking down the kernel
 265           turns off various features that might otherwise allow access to the
 266           kernel image (eg. setting MSR registers).
 267
 268 config ALLOW_LOCKDOWN_LIFT
 269         bool
 270         help
 271           Allow the lockdown on a kernel to be lifted, thereby restoring the
 272           ability of userspace to access the kernel image (eg. by SysRq+x under
 273           x86).
 274
 275 source security/selinux/Kconfig
 276 source security/smack/Kconfig
 277 source security/tomoyo/Kconfig
 278 source security/apparmor/Kconfig
 279 source security/loadpin/Kconfig
 280 source security/yama/Kconfig
 281
 282 source security/integrity/Kconfig
 283
 284 menu "Security Module Selection"
 285         visible if !SECURITY_STACKING
 286
 287 choice
 288         prompt "Default security module"
 289         default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
 290         default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 291         default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 292         default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
 293         default DEFAULT_SECURITY_DAC
 294
 295         help
 296           Select the security module that will be used by default if the
 297           kernel parameter security= is not specified.
 298
 299         config DEFAULT_SECURITY_SELINUX
 300                 bool "SELinux" if SECURITY_SELINUX=y
 301
 302         config DEFAULT_SECURITY_SMACK
 303                 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
 304
 305         config DEFAULT_SECURITY_TOMOYO
 306                 bool "TOMOYO" if SECURITY_TOMOYO=y
 307
 308         config DEFAULT_SECURITY_APPARMOR
 309                 bool "AppArmor" if SECURITY_APPARMOR=y
 310
 311         config DEFAULT_SECURITY_DAC
 312                 bool "Unix Discretionary Access Controls"
 313
 314 endchoice
 315
 316 config DEFAULT_SECURITY
 317         string
 318         default "selinux" if DEFAULT_SECURITY_SELINUX
 319         default "smack" if DEFAULT_SECURITY_SMACK
 320         default "tomoyo" if DEFAULT_SECURITY_TOMOYO
 321         default "apparmor" if DEFAULT_SECURITY_APPARMOR
 322         default "" if DEFAULT_SECURITY_DAC
 323
 324 endmenu
 325
 326 menu "Security Module Stack"
 327         visible if SECURITY_STACKING
 328
 329 choice
 330         prompt "mutually exclusive LSMs"
 331         default SECURITY_NO_EXCLUSIVE_LSM
 332
 333         config SECURITY_NO_EXCLUSIVE_LSM
 334                 bool "none"
 335                 help
 336                   Do no add an LSM to is mutually exclusive to the stack."
 337         config SECURITY_SELINUX_STACKED
 338                 bool "SELinux" if SECURITY_SELINUX=y
 339                 help
 340                   Add the SELinux security module to the stack.
 341                   Please be sure your user space code is accomodating of
 342                   this security module.
 343                   Ensure that your network configuration is compatible
 344                   with your combination of security modules.
 345
 346                   Incompatible with Smack being stacked.
 347
 348                   If you are unsure how to answer this question, answer N.
 349
 350         config SECURITY_SMACK_STACKED
 351                 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
 352                 help
 353                   Add the Smack security module to the stack.
 354                   Please be sure your user space code is accomodating of
 355                   this security module.
 356                   Ensure that your network configuration is compatible
 357                   with your combination of security modules.
 358
 359                   Incompatible with SeLinux being stacked.
 360
 361                   If you are unsure how to answer this question, answer N.
 362 endchoice
 363
 364 config SECURITY_TOMOYO_STACKED
 365         bool "TOMOYO support is enabled by default"
 366         depends on SECURITY_TOMOYO && SECURITY_STACKING
 367         default n
 368         help
 369           This option instructs the system to use the TOMOYO checks.
 370           If not selected the module will not be invoked.
 371           Stacked security modules may interact in unexpected ways.
 372           Please be sure your user space code is accomodating of
 373           multiple security modules.
 374
 375           If you are unsure how to answer this question, answer N.
 376
 377 config SECURITY_APPARMOR_STACKED
 378         bool "AppArmor support is enabled by default"
 379         depends on SECURITY_APPARMOR && SECURITY_STACKING
 380         default n
 381         help
 382           This option instructs the system to use the AppArmor checks.
 383           If not selected the module will not be invoked.
 384           Stacked security modules may interact in unexpected ways.
 385           Please be sure your user space code is accomodating of
 386           multiple security modules.
 387
 388           If you are unsure how to answer this question, answer N.
 389
 390 choice
 391         prompt "Default LSM for legacy interfaces"
 392         default SECURITY_DEFAULT_DISPLAY_SELINUX if SECURITY_SELINUX_STACKED
 393         default SECURITY_DEFAULT_DISPLAY_SMACK if SECURITY_SMACK_STACKED
 394         default SECURITY_DEFAULT_DISPLAY_TOMOYO if SECURITY_TOMOYO_STACKED
 395         default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED
 396         default SECURITY_DEFAULT_DISPLAY_FIRST
 397
 398         help
 399           Select the security module context that will be displayed by
 400           default on legacy interfaces if the kernel parameter
 401           security.display= is not specified.
 402
 403         config SECURITY_DEFAULT_DISPLAY_SELINUX
 404                 bool "SELinux" if SECURITY_SELINUX=y
 405
 406         config SECURITY_DEFAULT_DISPLAY_SMACK
 407                 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
 408
 409         config SECURITY_DEFAULT_DISPLAY_TOMOYO
 410                 bool "TOMOYO" if SECURITY_TOMOYO=y
 411
 412         config SECURITY_DEFAULT_DISPLAY_APPARMOR
 413                 bool "AppArmor" if SECURITY_APPARMOR=y
 414
 415         config SECURITY_DEFAULT_DISPLAY_FIRST
 416                 bool "First security module to register"
 417
 418 endchoice
 419
 420 config SECURITY_DEFAULT_DISPLAY_NAME
 421         string
 422         default "selinux" if SECURITY_DEFAULT_DISPLAY_SELINUX
 423         default "smack" if SECURITY_DEFAULT_DISPLAY_SMACK
 424         default "tomoyo" if SECURITY_DEFAULT_DISPLAY_TOMOYO
 425         default "apparmor" if SECURITY_DEFAULT_DISPLAY_APPARMOR
 426         default "" if SECURITY_DEFAULT_DISPLAY_FIRST
 427
 428 endmenu
 429
 430 endmenu