]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blob - security/lockdown/Kconfig
Merge tag 'timers-v5.9' of https://git.linaro.org/people/daniel.lezcano/linux into...
[mirror_ubuntu-hirsute-kernel.git] / security / lockdown / Kconfig
1 config SECURITY_LOCKDOWN_LSM
2 bool "Basic module for enforcing kernel lockdown"
3 depends on SECURITY
4 select MODULE_SIG if MODULES
5 help
6 Build support for an LSM that enforces a coarse kernel lockdown
7 behaviour.
8
9 config SECURITY_LOCKDOWN_LSM_EARLY
10 bool "Enable lockdown LSM early in init"
11 depends on SECURITY_LOCKDOWN_LSM
12 help
13 Enable the lockdown LSM early in boot. This is necessary in order
14 to ensure that lockdown enforcement can be carried out on kernel
15 boot parameters that are otherwise parsed before the security
16 subsystem is fully initialised. If enabled, lockdown will
17 unconditionally be called before any other LSMs.
18
19 choice
20 prompt "Kernel default lockdown mode"
21 default LOCK_DOWN_KERNEL_FORCE_NONE
22 depends on SECURITY_LOCKDOWN_LSM
23 help
24 The kernel can be configured to default to differing levels of
25 lockdown.
26
27 config LOCK_DOWN_KERNEL_FORCE_NONE
28 bool "None"
29 help
30 No lockdown functionality is enabled by default. Lockdown may be
31 enabled via the kernel commandline or /sys/kernel/security/lockdown.
32
33 config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
34 bool "Integrity"
35 help
36 The kernel runs in integrity mode by default. Features that allow
37 the kernel to be modified at runtime are disabled.
38
39 config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
40 bool "Confidentiality"
41 help
42 The kernel runs in confidentiality mode by default. Features that
43 allow the kernel to be modified at runtime or that permit userland
44 code to read confidential material held inside the kernel are
45 disabled.
46
47 endchoice