implement socket and networking access controls.
If you are unsure how to answer this question, answer N.
+config PAGE_TABLE_ISOLATION
+ bool "Remove the kernel mapping in user mode"
+ default y
+ depends on X86_64 && !UML
+ help
+ This feature reduces the number of hardware side channels by
+ ensuring that the majority of kernel addresses are not mapped
+ into userspace.
+
+ See Documentation/x86/pti.txt for more details.
+
config SECURITY_INFINIBAND
bool "Infiniband Security Hooks"
depends on SECURITY && INFINIBAND
visible if SECURITY_STACKING
choice
- prompt "Stacked 'extreme' security module"
- default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
- default SECURITY_SMACK_STACKED if SECURITY_SMACK
-
- help
- Enable an extreme security module. These modules cannot
- be used at the same time.
+ prompt "mutually exclusive LSMs"
+ default SECURITY_NO_EXCLUSIVE_LSM
+ config SECURITY_NO_EXCLUSIVE_LSM
+ bool "none"
+ help
+ Do no add an LSM to is mutually exclusive to the stack."
config SECURITY_SELINUX_STACKED
bool "SELinux" if SECURITY_SELINUX=y
- help
- Add the SELinux security module to the stack. At this
- time the Smack security module is incompatible with this
- module.
- Please be sure your user space code is accomodating of
- this security module.
+ help
+ Add the SELinux security module to the stack.
+ Please be sure your user space code is accomodating of
+ this security module.
+ Ensure that your network configuration is compatible
+ with your combination of security modules.
+
+ Incompatible with Smack being stacked.
+
+ If you are unsure how to answer this question, answer N.
config SECURITY_SMACK_STACKED
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
- help
- Add the Smack security module to the stack. At this
- time the SELinux security module is incompatible with this
- module.
- Please be sure your user space code is accomodating of
- this security module.
+ help
+ Add the Smack security module to the stack.
+ Please be sure your user space code is accomodating of
+ this security module.
+ Ensure that your network configuration is compatible
+ with your combination of security modules.
- config SECURITY_NOTHING_STACKED
- bool "Use no 'extreme' security module"
- help
- Add neither the SELinux security module nor the Smack security
- module to the stack.
- Please be sure your user space code does not require either of
- these security modules.
+ Incompatible with SeLinux being stacked.
+ If you are unsure how to answer this question, answer N.
endchoice
config SECURITY_TOMOYO_STACKED
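Review bot: The `choice` now defaults unconditionally to `SECURITY_NO_EXCLUSIVE_LSM`, where the removed lines defaulted to `SECURITY_SELINUX_STACKED if SECURITY_SELINUX` and `SECURITY_SMACK_STACKED if SECURITY_SMACK`. A fresh configuration with SELinux or Smack built in therefore appears to end up with neither module stacked unless the user changes the choice by hand. If that is intended, the help for "none" should say so; otherwise keep the two conditional `default` lines ahead of the new fallback. The "none" help text is also garbled and ends in a stray quote; `Do not add a mutually exclusive LSM to the stack.` reads as intended, and `SeLinux` in the Smack entry should be `SELinux`.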
If you are unsure how to answer this question, answer N.
+choice
+ prompt "Default LSM for legacy interfaces"
+ default SECURITY_DEFAULT_DISPLAY_SELINUX if SECURITY_SELINUX_STACKED
+ default SECURITY_DEFAULT_DISPLAY_SMACK if SECURITY_SMACK_STACKED
+ default SECURITY_DEFAULT_DISPLAY_TOMOYO if SECURITY_TOMOYO_STACKED
+ default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED
+ default SECURITY_DEFAULT_DISPLAY_FIRST
+
+ help
+ Select the security module context that will be displayed by
+ default on legacy interfaces if the kernel parameter
+ security.display= is not specified.
+
+ config SECURITY_DEFAULT_DISPLAY_SELINUX
+ bool "SELinux" if SECURITY_SELINUX=y
+
+ config SECURITY_DEFAULT_DISPLAY_SMACK
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+
+ config SECURITY_DEFAULT_DISPLAY_TOMOYO
+ bool "TOMOYO" if SECURITY_TOMOYO=y
+
+ config SECURITY_DEFAULT_DISPLAY_APPARMOR
+ bool "AppArmor" if SECURITY_APPARMOR=y
+
+ config SECURITY_DEFAULT_DISPLAY_FIRST
+ bool "First security module to register"
+
+endchoice
+
+config SECURITY_DEFAULT_DISPLAY_NAME
+ string
+ default "selinux" if SECURITY_DEFAULT_DISPLAY_SELINUX
+ default "smack" if SECURITY_DEFAULT_DISPLAY_SMACK
+ default "tomoyo" if SECURITY_DEFAULT_DISPLAY_TOMOYO
+ default "apparmor" if SECURITY_DEFAULT_DISPLAY_APPARMOR
+ default "" if SECURITY_DEFAULT_DISPLAY_FIRST
+
endmenu
endmenu
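Review bot: The AppArmor default in the "Default LSM for legacy interfaces" choice names `SECURITY_DEFAULT_DISPALY_APPARMOR`, but the entry defined below is `SECURITY_DEFAULT_DISPLAY_APPARMOR`. As written the condition refers to a symbol this hunk never defines, so with only AppArmor stacked the choice would fall through to `SECURITY_DEFAULT_DISPLAY_FIRST`; the line should read `default SECURITY_DEFAULT_DISPLAY_APPARMOR if SECURITY_APPARMOR_STACKED`. The entries are also offered on `SECURITY_SELINUX=y`, `SECURITY_SMACK=y` and so on rather than on the matching `*_STACKED` symbols, which looks like it allows a module that is built but not stacked to be picked as the display default; that is worth confirming. A one-line comment above `SECURITY_DEFAULT_DISPLAY_NAME` saying that the empty string means "first module to register" would help readers of the generated config.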