config PAGE_TABLE_ISOLATION
bool "Remove the kernel mapping in user mode"
default y
- depends on X86_64 && !UML
+ depends on (X86_64 || X86_PAE) && !UML
help
This feature reduces the number of hardware side channels by
ensuring that the majority of kernel addresses are not mapped
turns off various features that might otherwise allow access to the
kernel image (eg. setting MSR registers).
-config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
- bool "Allow the kernel lockdown to be lifted by SysRq"
- depends on LOCK_DOWN_KERNEL && MAGIC_SYSRQ
- help
- Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
- combination on a wired keyboard.
-
config LOCK_DOWN_IN_EFI_SECURE_BOOT
bool "Lock down the kernel in EFI Secure Boot mode"
default n
bool
default y if SECURITY_DAC_STACKED
+choice
+ depends on SECURITY_STACKING && !SECURITY_DAC_STACKED
+ prompt "Default LSM for legacy interfaces"
+ default SECURITY_DEFAULT_DISPLAY_SELINUX if SECURITY_SELINUX_STACKED
+ default SECURITY_DEFAULT_DISPLAY_SMACK if SECURITY_SMACK_STACKED
+ default SECURITY_DEFAULT_DISPLAY_TOMOYO if SECURITY_TOMOYO_STACKED
+ default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED
+ default SECURITY_DEFAULT_DISPLAY_FIRST
+
+ help
+ Select the security module context that will be displayed by
+ default on legacy interfaces if the kernel parameter
+ security.display= is not specified.
+
+ config SECURITY_DEFAULT_DISPLAY_SELINUX
+ bool "SELinux" if SECURITY_SELINUX_STACKED=y
+
+ config SECURITY_DEFAULT_DISPLAY_SMACK
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK_STACKED
+
+ config SECURITY_DEFAULT_DISPLAY_TOMOYO
+ bool "TOMOYO" if SECURITY_TOMOYO_STACKED
+
+ config SECURITY_DEFAULT_DISPLAY_APPARMOR
+ bool "AppArmor" if SECURITY_APPARMOR_STACKED
+
+endchoice
+
+config SECURITY_DEFAULT_DISPLAY_NAME
+ string
+ default "selinux" if SECURITY_DEFAULT_DISPLAY_SELINUX
+ default "smack" if SECURITY_DEFAULT_DISPLAY_SMACK
+ default "tomoyo" if SECURITY_DEFAULT_DISPLAY_TOMOYO
+ default "apparmor" if SECURITY_DEFAULT_DISPLAY_APPARMOR
+ default "" if DEFAULT_SECURITY_DAC
+
endmenu
config DEFAULT_SECURITY