config PAGE_TABLE_ISOLATION
bool "Remove the kernel mapping in user mode"
default y
- depends on X86_64 && !UML
+ depends on (X86_64 || X86_PAE) && !UML
help
This feature reduces the number of hardware side channels by
ensuring that the majority of kernel addresses are not mapped
bool "Unix Discretionary Access Controls"
endchoice
-
-config DEFAULT_SECURITY
- string
- default "selinux" if DEFAULT_SECURITY_SELINUX
- default "smack" if DEFAULT_SECURITY_SMACK
- default "tomoyo" if DEFAULT_SECURITY_TOMOYO
- default "apparmor" if DEFAULT_SECURITY_APPARMOR
- default "" if DEFAULT_SECURITY_DAC
-
endmenu
-menu "Security Module Stack"
+menu "Default Security Module or Modules"
visible if SECURITY_STACKING
-choice
- prompt "Stacked 'extreme' security module"
- default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
- default SECURITY_SMACK_STACKED if SECURITY_SMACK
- default SECURITY_APPARMOR_STACKED if SECURITY_APPARMOR
+ config SECURITY_SELINUX_STACKED
+ bool "SELinux" if SECURITY_SELINUX && !SECURITY_SMACK_STACKED
+ help
+ Add the SELinux security module to the stack.
+ Please be sure your user space code is accomodating of
+ this security module.
+ Ensure that your network configuration is compatible
+ with your combination of security modules.
- help
- Enable an extreme security module. These modules cannot
- be used at the same time.
+ Incompatible with Smack being stacked.
- config SECURITY_SELINUX_STACKED
- bool "SELinux" if SECURITY_SELINUX=y
- help
- This option instructs the system to use the SELinux checks.
- At this time the Smack security module is incompatible with this
- module.
- At this time the AppArmor security module is incompatible with this
- module.
+ If you are unsure how to answer this question, answer N
config SECURITY_SMACK_STACKED
- bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
- help
- This option instructs the system to use the Smack checks.
- At this time the SELinux security module is incompatible with this
- module.
- At this time the AppArmor security module is incompatible with this
- module.
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK
+ help
+ Add the Smack security module to the stack.
+ Please be sure your user space code is accomodating of
+ this security module.
+ Ensure that your network configuration is compatible
+ with your combination of security modules.
+
+ Incompatible with SeLinux being stacked.
+
+ If you are unsure how to answer this question, answer
+
+ config SECURITY_TOMOYO_STACKED
+ bool "TOMOYO support is enabled by default" if SECURITY_TOMOYO
+ default n
+ help
+ This option instructs the system to use the TOMOYO checks.
+ If not selected the module will not be invoked.
+ Stacked security modules may interact in unexpected ways.
+
+ If you are unsure how to answer this question, answer N.
config SECURITY_APPARMOR_STACKED
- bool "AppArmor" if SECURITY_APPARMOR=y
- help
- This option instructs the system to use the AppArmor checks.
- At this time the SELinux security module is incompatible with this
- module.
- At this time the Smack security module is incompatible with this
- module.
-
- config SECURITY_NOTHING_STACKED
- bool "Use no 'extreme' security module"
- help
- Use none of the SELinux, Smack or AppArmor security module.
+ bool "AppArmor" if SECURITY_APPARMOR
+ help
+ This option instructs the system to use the AppArmor checks.
-endchoice
+ If you are unsure how to answer this question, answer N.
+
+ config SECURITY_DAC_STACKED
+ bool "Unix Discretionary Access Controls" if !SECURITY_SELINUX_STACKED && !SECURITY_SMACK_STACKED && !SECURITY_TOMOYO_STACKED && !SECURITY_APPARMOR_STACKED
+ default y if !SECURITY_SELINUX_STACKED && !SECURITY_SMACK_STACKED && !SECURITY_TOMOYO_STACKED && !SECURITY_APPARMOR_STACKED
+ help
+ This option instructs the system to not use security modules
+ by default. This choice can be over ridden by specifying
+ the desired module using the security= parameter.
+
+ This option is incompatible with selecting selinux, smack,
+ tomoyo, or apparmor.
+
+ config DEFAULT_SECURITY_SELINUX
+ bool
+ default y if SECURITY_SELINUX_STACKED
+
+ config DEFAULT_SECURITY_SMACK
+ bool
+ default y if SECURITY_SMACK_STACKED
+
+ config DEFAULT_SECURITY_TOMOYO
+ bool
+ default y if SECURITY_TOMOYO_STACKED
+
+ config DEFAULT_SECURITY_APPARMOR
+ bool
+ default y if SECURITY_APPARMOR_STACKED
+
+ config DEFAULT_SECURITY_DAC
+ bool
+ default y if SECURITY_DAC_STACKED
+
+choice
+ depends on SECURITY_STACKING && !SECURITY_DAC_STACKED
+ prompt "Default LSM for legacy interfaces"
+ default SECURITY_DEFAULT_DISPLAY_SELINUX if SECURITY_SELINUX_STACKED
+ default SECURITY_DEFAULT_DISPLAY_SMACK if SECURITY_SMACK_STACKED
+ default SECURITY_DEFAULT_DISPLAY_TOMOYO if SECURITY_TOMOYO_STACKED
+ default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED
+ default SECURITY_DEFAULT_DISPLAY_FIRST
-config SECURITY_TOMOYO_STACKED
- bool "TOMOYO support is enabled by default"
- depends on SECURITY_TOMOYO && SECURITY_STACKING
- default n
help
- This option instructs the system to use the TOMOYO checks.
- If not selected the module will not be invoked.
- Stacked security modules may interact in unexpected ways.
+ Select the security module context that will be displayed by
+ default on legacy interfaces if the kernel parameter
+ security.display= is not specified.
- If you are unsure how to answer this question, answer N.
+ config SECURITY_DEFAULT_DISPLAY_SELINUX
+ bool "SELinux" if SECURITY_SELINUX_STACKED=y
+
+ config SECURITY_DEFAULT_DISPLAY_SMACK
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK_STACKED
+
+ config SECURITY_DEFAULT_DISPLAY_TOMOYO
+ bool "TOMOYO" if SECURITY_TOMOYO_STACKED
+
+ config SECURITY_DEFAULT_DISPLAY_APPARMOR
+ bool "AppArmor" if SECURITY_APPARMOR_STACKED
+
+endchoice
+
+config SECURITY_DEFAULT_DISPLAY_NAME
+ string
+ default "selinux" if SECURITY_DEFAULT_DISPLAY_SELINUX
+ default "smack" if SECURITY_DEFAULT_DISPLAY_SMACK
+ default "tomoyo" if SECURITY_DEFAULT_DISPLAY_TOMOYO
+ default "apparmor" if SECURITY_DEFAULT_DISPLAY_APPARMOR
+ default "" if DEFAULT_SECURITY_DAC
endmenu
+config DEFAULT_SECURITY
+ string
+ default "selinux,smack,tomoyo,apparmor" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_TOMOYO && DEFAULT_SECURITY_APPARMOR
+ default "selinux,smack,tomoyo" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_TOMOYO
+ default "selinux,smack,apparmor" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_APPARMOR
+ default "selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_TOMOYO && DEFAULT_SECURITY_APPARMOR
+ default "smack,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_TOMOYO && DEFAULT_SECURITY_APPARMOR
+ default "selinux,smack" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_SMACK
+ default "selinux,tomoyo" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_TOMOYO
+ default "selinux,apparmor" if DEFAULT_SECURITY_SELINUX && DEFAULT_SECURITY_APPARMOR
+ default "smack,tomoyo" if DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_TOMOYO
+ default "smack,apparmor" if DEFAULT_SECURITY_SMACK && DEFAULT_SECURITY_APPARMOR
+ default "tomoyo,apparmor" if DEFAULT_SECURITY_TOMOYO && DEFAULT_SECURITY_APPARMOR
+ default "selinux" if DEFAULT_SECURITY_SELINUX
+ default "smack" if DEFAULT_SECURITY_SMACK
+ default "tomoyo" if DEFAULT_SECURITY_TOMOYO
+ default "apparmor" if DEFAULT_SECURITY_APPARMOR
+ default "" if DEFAULT_SECURITY_DAC
endmenu
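Review bot: The choice default `default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED` misspells the symbol that is later defined as `SECURITY_DEFAULT_DISPLAY_APPARMOR`, so kconfig will presumably treat it as an undefined symbol and an AppArmor-only stack falls through to `SECURITY_DEFAULT_DISPLAY_FIRST` (which is not defined anywhere in this hunk) instead of displaying AppArmor; the line should read `default SECURITY_DEFAULT_DISPLAY_APPARMOR if SECURITY_APPARMOR_STACKED`. The SELinux/Smack exclusion is also only enforced one way: `SECURITY_SELINUX_STACKED` is guarded by `!SECURITY_SMACK_STACKED`, but the Smack prompt has no matching guard, so enabling SELinux first and then Smack yields a `DEFAULT_SECURITY` of "selinux,smack,…" that the help text itself calls incompatible; make it `bool "Simplified Mandatory Access Control" if SECURITY_SMACK && !SECURITY_SELINUX_STACKED`. In the same Smack help block the closing line `If you are unsure how to answer this question, answer` is truncated and should end with `N`, and the new help text spells "accomodating", "SeLinux" and "over ridden" inconsistently with the rest of the file ("accommodating", "SELinux", "overridden"). The hunk has no visible header and the enclosing menu starts before the first line shown, so the extent of the replaced block is inferred from the `+`/`-` markers only.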