X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=security%2FKconfig;h=62032b46f5b2179db736bd3bb1d86ac8af39656e;hb=7a90fc39af684a1e75da45a0337d330baf8a7596;hp=b0cb9a5f94480d2c5aaf290b31fd15e6c5930ec2;hpb=8dd903d2cf7b6dfe98be7c19f891882583c7266e;p=mirror_ubuntu-bionic-kernel.git diff --git a/security/Kconfig b/security/Kconfig index b0cb9a5f9448..62032b46f5b2 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT If you are unsure how to answer this question, answer N. +config SECURITY_PERF_EVENTS_RESTRICT + bool "Restrict unprivileged use of performance events" + depends on PERF_EVENTS + help + If you say Y here, the kernel.perf_event_paranoid sysctl + will be set to 3 by default, and no unprivileged use of the + perf_event_open syscall will be permitted unless it is + changed. + config SECURITY bool "Enable different security models" depends on SYSFS @@ -36,6 +45,17 @@ config SECURITY_WRITABLE_HOOKS bool default n +config SECURITY_LSM_DEBUG + bool "Enable debugging of the LSM infrastructure" + depends on SECURITY + help + This allows you to choose debug messages related to + security modules configured into your kernel. These + messages may be helpful in determining how a security + module is using security blobs. + + If you are unsure how to answer this question, answer N. + config SECURITYFS bool "Enable the securityfs filesystem" help @@ -154,6 +174,7 @@ config HARDENED_USERCOPY bool "Harden memory copies between kernel and userspace" depends on HAVE_HARDENED_USERCOPY_ALLOCATOR select BUG + imply STRICT_DEVMEM help This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and @@ -216,6 +237,36 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). +config LOCK_DOWN_KERNEL + bool "Allow the kernel to be 'locked down'" + help + Allow the kernel to be locked down under certain circumstances, for + instance if UEFI secure boot is enabled. Locking down the kernel + turns off various features that might otherwise allow access to the + kernel image (eg. setting MSR registers). + +config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ + bool "Allow the kernel lockdown to be lifted by SysRq" + depends on LOCK_DOWN_KERNEL && MAGIC_SYSRQ + help + Allow the lockdown on a kernel to be lifted, by pressing a SysRq key + combination on a wired keyboard. + +config LOCK_DOWN_IN_EFI_SECURE_BOOT + bool "Lock down the kernel in EFI Secure Boot mode" + default n + select LOCK_DOWN_KERNEL + depends on EFI + help + UEFI Secure Boot provides a mechanism for ensuring that the firmware + will only load signed bootloaders and kernels. Secure boot mode may + be determined from EFI variables provided by the system firmware if + not indicated by the boot parameters. + + Enabling this option turns on results in kernel lockdown being + triggered if EFI Secure Boot is set. + + source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig