2 # Security configuration
5 menu "Security options"
7 source security/keys/Kconfig
9 config SECURITY_DMESG_RESTRICT
10 bool "Restrict unprivileged access to the kernel syslog"
13 This enforces restrictions on unprivileged users reading the kernel
16 If this option is not selected, no restrictions will be enforced
17 unless the dmesg_restrict sysctl is explicitly set to (1).
19 If you are unsure how to answer this question, answer N.
21 config SECURITY_PERF_EVENTS_RESTRICT
22 bool "Restrict unprivileged use of performance events"
23 depends on PERF_EVENTS
25 If you say Y here, the kernel.perf_event_paranoid sysctl
26 will be set to 3 by default, and no unprivileged use of the
27 perf_event_open syscall will be permitted unless it is
31 bool "Enable different security models"
35 This allows you to choose different security modules to be
36 configured into your kernel.
38 If this option is not selected, the default Linux security
41 If you are unsure how to answer this question, answer N.
43 config SECURITY_WRITABLE_HOOKS
48 config SECURITY_STACKING
49 bool "Security module stacking"
52 Allows multiple major security modules to be stacked.
53 Modules are invoked in the order registered with a
54 "bail on fail" policy, in which the infrastructure
55 will stop processing once a denial is detected. Not
56 all modules can be stacked. SELinux and Smack are
57 known to be incompatible. User space components may
58 have trouble identifying the security module providing
61 If you select this option you will have to select which
62 of the stackable modules you wish to be active. The
63 "Default security module" will be ignored. The boot line
64 "security=" option can be used to specify that one of
65 the modules identifed for stacking should be used instead
68 If you are unsure how to answer this question, answer N.
70 config SECURITY_LSM_DEBUG
71 bool "Enable debugging of the LSM infrastructure"
74 This allows you to choose debug messages related to
75 security modules configured into your kernel. These
76 messages may be helpful in determining how a security
77 module is using security blobs.
79 If you are unsure how to answer this question, answer N.
82 bool "Enable the securityfs filesystem"
84 This will build the securityfs filesystem. It is currently used by
85 the TPM bios character driver and IMA, an integrity provider. It is
86 not used by SELinux or SMACK.
88 If you are unsure how to answer this question, answer N.
90 config SECURITY_NETWORK
91 bool "Socket and Networking Security Hooks"
94 This enables the socket and networking security hooks.
95 If enabled, a security module can use these hooks to
96 implement socket and networking access controls.
97 If you are unsure how to answer this question, answer N.
99 config PAGE_TABLE_ISOLATION
100 bool "Remove the kernel mapping in user mode"
102 depends on (X86_64 || X86_PAE) && !UML
104 This feature reduces the number of hardware side channels by
105 ensuring that the majority of kernel addresses are not mapped
108 See Documentation/x86/pti.txt for more details.
110 config SECURITY_INFINIBAND
111 bool "Infiniband Security Hooks"
112 depends on SECURITY && INFINIBAND
114 This enables the Infiniband security hooks.
115 If enabled, a security module can use these hooks to
116 implement Infiniband access controls.
117 If you are unsure how to answer this question, answer N.
119 config SECURITY_NETWORK_XFRM
120 bool "XFRM (IPSec) Networking Security Hooks"
121 depends on XFRM && SECURITY_NETWORK
123 This enables the XFRM (IPSec) networking security hooks.
124 If enabled, a security module can use these hooks to
125 implement per-packet access controls based on labels
126 derived from IPSec policy. Non-IPSec communications are
127 designated as unlabelled, and only sockets authorized
128 to communicate unlabelled data can send without using
130 If you are unsure how to answer this question, answer N.
133 bool "Security hooks for pathname based access control"
136 This enables the security hooks for pathname based access control.
137 If enabled, a security module can use these hooks to
138 implement pathname based access controls.
139 If you are unsure how to answer this question, answer N.
142 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
143 depends on HAVE_INTEL_TXT
145 This option enables support for booting the kernel with the
146 Trusted Boot (tboot) module. This will utilize
147 Intel(R) Trusted Execution Technology to perform a measured launch
148 of the kernel. If the system does not support Intel(R) TXT, this
151 Intel TXT will provide higher assurance of system configuration and
152 initial state as well as data reset protection. This is used to
153 create a robust initial kernel measurement and verification, which
154 helps to ensure that kernel security mechanisms are functioning
155 correctly. This level of protection requires a root of trust outside
156 of the kernel itself.
158 Intel TXT also helps solve real end user concerns about having
159 confidence that their hardware is running the VMM or kernel that
160 it was configured with, especially since they may be responsible for
161 providing such assurances to VMs and services running on it.
163 See <http://www.intel.com/technology/security/> for more information
165 See <http://tboot.sourceforge.net> for more information about tboot.
166 See Documentation/intel_txt.txt for a description of how to enable
167 Intel TXT support in a kernel boot.
169 If you are unsure as to whether this is required, answer N.
171 config LSM_MMAP_MIN_ADDR
172 int "Low address space for LSM to protect from user allocation"
173 depends on SECURITY && SECURITY_SELINUX
174 default 32768 if ARM || (ARM64 && COMPAT)
177 This is the portion of low virtual memory which should be protected
178 from userspace allocation. Keeping a user from writing to low pages
179 can help reduce the impact of kernel NULL pointer bugs.
181 For most ia64, ppc64 and x86 users with lots of address space
182 a value of 65536 is reasonable and should cause no problems.
183 On arm and other archs it should not be higher than 32768.
184 Programs which use vm86 functionality or have some need to map
185 this low address space will need the permission specific to the
188 config HAVE_HARDENED_USERCOPY_ALLOCATOR
191 The heap allocator implements __check_heap_object() for
192 validating memory ranges against heap object sizes in
193 support of CONFIG_HARDENED_USERCOPY.
195 config HARDENED_USERCOPY
196 bool "Harden memory copies between kernel and userspace"
197 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
201 This option checks for obviously wrong memory regions when
202 copying memory to/from the kernel (via copy_to_user() and
203 copy_from_user() functions) by rejecting memory ranges that
204 are larger than the specified heap object, span multiple
205 separately allocated pages, are not on the process stack,
206 or are part of the kernel text. This kills entire classes
207 of heap overflow exploits and similar kernel memory exposures.
209 config HARDENED_USERCOPY_PAGESPAN
210 bool "Refuse to copy allocations that span multiple pages"
211 depends on HARDENED_USERCOPY
214 When a multi-page allocation is done without __GFP_COMP,
215 hardened usercopy will reject attempts to copy it. There are,
216 however, several cases of this in the kernel that have not all
217 been removed. This config is intended to be used only while
218 trying to find such users.
220 config FORTIFY_SOURCE
221 bool "Harden common str/mem functions against buffer overflows"
222 depends on ARCH_HAS_FORTIFY_SOURCE
224 Detect overflows of buffers in common string and memory functions
225 where the compiler can determine and validate the buffer sizes.
227 config STATIC_USERMODEHELPER
228 bool "Force all usermode helper calls through a single binary"
230 By default, the kernel can call many different userspace
231 binary programs through the "usermode helper" kernel
232 interface. Some of these binaries are statically defined
233 either in the kernel code itself, or as a kernel configuration
234 option. However, some of these are dynamically created at
235 runtime, or can be modified after the kernel has started up.
236 To provide an additional layer of security, route all of these
237 calls through a single executable that can not have its name
240 Note, it is up to this single binary to then call the relevant
241 "real" usermode helper binary, based on the first argument
242 passed to it. If desired, this program can filter and pick
243 and choose what real programs are called.
245 If you wish for all usermode helper programs are to be
246 disabled, choose this option and then set
247 STATIC_USERMODEHELPER_PATH to an empty string.
249 config STATIC_USERMODEHELPER_PATH
250 string "Path to the static usermode helper binary"
251 depends on STATIC_USERMODEHELPER
252 default "/sbin/usermode-helper"
254 The binary called by the kernel when any usermode helper
255 program is wish to be run. The "real" application's name will
256 be in the first argument passed to this program on the command
259 If you wish for all usermode helper programs to be disabled,
260 specify an empty string here (i.e. "").
262 config LOCK_DOWN_KERNEL
263 bool "Allow the kernel to be 'locked down'"
265 Allow the kernel to be locked down under certain circumstances, for
266 instance if UEFI secure boot is enabled. Locking down the kernel
267 turns off various features that might otherwise allow access to the
268 kernel image (eg. setting MSR registers).
270 config LOCK_DOWN_IN_EFI_SECURE_BOOT
271 bool "Lock down the kernel in EFI Secure Boot mode"
273 select LOCK_DOWN_KERNEL
276 UEFI Secure Boot provides a mechanism for ensuring that the firmware
277 will only load signed bootloaders and kernels. Secure boot mode may
278 be determined from EFI variables provided by the system firmware if
279 not indicated by the boot parameters.
281 Enabling this option turns on results in kernel lockdown being
282 triggered if EFI Secure Boot is set.
285 source security/selinux/Kconfig
286 source security/smack/Kconfig
287 source security/tomoyo/Kconfig
288 source security/apparmor/Kconfig
289 source security/loadpin/Kconfig
290 source security/yama/Kconfig
292 source security/integrity/Kconfig
294 menu "Security Module Selection"
295 visible if !SECURITY_STACKING
298 prompt "Default security module"
299 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
300 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
301 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
302 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
303 default DEFAULT_SECURITY_DAC
306 Select the security module that will be used by default if the
307 kernel parameter security= is not specified.
309 config DEFAULT_SECURITY_SELINUX
310 bool "SELinux" if SECURITY_SELINUX=y
312 config DEFAULT_SECURITY_SMACK
313 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
315 config DEFAULT_SECURITY_TOMOYO
316 bool "TOMOYO" if SECURITY_TOMOYO=y
318 config DEFAULT_SECURITY_APPARMOR
319 bool "AppArmor" if SECURITY_APPARMOR=y
321 config DEFAULT_SECURITY_DAC
322 bool "Unix Discretionary Access Controls"
327 menu "Default Security Module or Modules"
328 visible if SECURITY_STACKING
330 config SECURITY_SELINUX_STACKED
331 bool "SELinux" if SECURITY_SELINUX && !SECURITY_SMACK_STACKED
333 Add the SELinux security module to the stack.
334 Please be sure your user space code is accomodating of
335 this security module.
336 Ensure that your network configuration is compatible
337 with your combination of security modules.
339 Incompatible with Smack being stacked.
341 If you are unsure how to answer this question, answer N
343 config SECURITY_SMACK_STACKED
344 bool "Simplified Mandatory Access Control" if SECURITY_SMACK
346 Add the Smack security module to the stack.
347 Please be sure your user space code is accomodating of
348 this security module.
349 Ensure that your network configuration is compatible
350 with your combination of security modules.
352 Incompatible with SeLinux being stacked.
354 If you are unsure how to answer this question, answer
356 config SECURITY_TOMOYO_STACKED
357 bool "TOMOYO support is enabled by default" if SECURITY_TOMOYO
360 This option instructs the system to use the TOMOYO checks.
361 If not selected the module will not be invoked.
362 Stacked security modules may interact in unexpected ways.
364 If you are unsure how to answer this question, answer N.
366 config SECURITY_APPARMOR_STACKED
367 bool "AppArmor" if SECURITY_APPARMOR
369 This option instructs the system to use the AppArmor checks.
371 If you are unsure how to answer this question, answer N.
373 config SECURITY_DAC_STACKED
374 bool "Unix Discretionary Access Controls" if !SECURITY_SELINUX_STACKED && !SECURITY_SMACK_STACKED && !SECURITY_TOMOYO_STACKED && !SECURITY_APPARMOR_STACKED
375 default y if !SECURITY_SELINUX_STACKED && !SECURITY_SMACK_STACKED && !SECURITY_TOMOYO_STACKED && !SECURITY_APPARMOR_STACKED
377 This option instructs the system to not use security modules
378 by default. This choice can be over ridden by specifying
379 the desired module using the security= parameter.
381 This option is incompatible with selecting selinux, smack,
384 config DEFAULT_SECURITY_SELINUX
386 default y if SECURITY_SELINUX_STACKED
388 config DEFAULT_SECURITY_SMACK
390 default y if SECURITY_SMACK_STACKED
392 config DEFAULT_SECURITY_TOMOYO
394 default y if SECURITY_TOMOYO_STACKED
396 config DEFAULT_SECURITY_APPARMOR
398 default y if SECURITY_APPARMOR_STACKED
400 config DEFAULT_SECURITY_DAC
402 default y if SECURITY_DAC_STACKED
405 depends on SECURITY_STACKING && !SECURITY_DAC_STACKED
406 prompt "Default LSM for legacy interfaces"
407 default SECURITY_DEFAULT_DISPLAY_SELINUX if SECURITY_SELINUX_STACKED
408 default SECURITY_DEFAULT_DISPLAY_SMACK if SECURITY_SMACK_STACKED
409 default SECURITY_DEFAULT_DISPLAY_TOMOYO if SECURITY_TOMOYO_STACKED
410 default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED
411 default SECURITY_DEFAULT_DISPLAY_FIRST
414 Select the security module context that will be displayed by
415 default on legacy interfaces if the kernel parameter
416 security.display= is not specified.
418 config SECURITY_DEFAULT_DISPLAY_SELINUX
419 bool "SELinux" if SECURITY_SELINUX_STACKED=y
421 config SECURITY_DEFAULT_DISPLAY_SMACK
422 bool "Simplified Mandatory Access Control" if SECURITY_SMACK_STACKED
424 config SECURITY_DEFAULT_DISPLAY_TOMOYO
425 bool "TOMOYO" if SECURITY_TOMOYO_STACKED
427 config SECURITY_DEFAULT_DISPLAY_APPARMOR
428 bool "AppArmor" if SECURITY_APPARMOR_STACKED
432 config SECURITY_DEFAULT_DISPLAY_NAME
434 default "selinux" if SECURITY_DEFAULT_DISPLAY_SELINUX
435 default "smack" if SECURITY_DEFAULT_DISPLAY_SMACK
436 default "tomoyo" if SECURITY_DEFAULT_DISPLAY_TOMOYO
437 default "apparmor" if SECURITY_DEFAULT_DISPLAY_APPARMOR
438 default "" if DEFAULT_SECURITY_DAC
442 config DEFAULT_SECURITY
444 default "selinux,smack,tomoyo,apparmor" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_TOMOYO && DEFAULT_SECURITY_APPARMOR
445 default "selinux,smack,tomoyo" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_TOMOYO
446 default "selinux,smack,apparmor" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_APPARMOR
447 default "selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_TOMOYO && DEFAULT_SECURITY_APPARMOR
448 default "smack,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_TOMOYO && DEFAULT_SECURITY_APPARMOR
449 default "selinux,smack" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_SMACK
450 default "selinux,tomoyo" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_TOMOYO
451 default "selinux,apparmor" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_APPARMOR
452 default "smack,tomoyo" if DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_TOMOYO
453 default "smack,apparmor" if DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_APPARMOR
454 default "tomoyo,apparmor" if DEFAULT_SECURITY_TOMOYO && DEFAULT_SECURITY_APPARMOR
455 default "selinux" if DEFAULT_SECURITY_SELINUX
456 default "smack" if DEFAULT_SECURITY_SMACK
457 default "tomoyo" if DEFAULT_SECURITY_TOMOYO
458 default "apparmor" if DEFAULT_SECURITY_APPARMOR
459 default "" if DEFAULT_SECURITY_DAC