security/Kconfig

   1 #
   2 # Security configuration
   3 #
   4
   5 menu "Security options"
   6
   7 source security/keys/Kconfig
   8
   9 config SECURITY_DMESG_RESTRICT
  10         bool "Restrict unprivileged access to the kernel syslog"
  11         default n
  12         help
  13           This enforces restrictions on unprivileged users reading the kernel
  14           syslog via dmesg(8).
  15
  16           If this option is not selected, no restrictions will be enforced
  17           unless the dmesg_restrict sysctl is explicitly set to (1).
  18
  19           If you are unsure how to answer this question, answer N.
  20
  21 config SECURITY_PERF_EVENTS_RESTRICT
  22         bool "Restrict unprivileged use of performance events"
  23         depends on PERF_EVENTS
  24         help
  25           If you say Y here, the kernel.perf_event_paranoid sysctl
  26           will be set to 3 by default, and no unprivileged use of the
  27           perf_event_open syscall will be permitted unless it is
  28           changed.
  29
  30 config SECURITY
  31         bool "Enable different security models"
  32         depends on SYSFS
  33         depends on MULTIUSER
  34         help
  35           This allows you to choose different security modules to be
  36           configured into your kernel.
  37
  38           If this option is not selected, the default Linux security
  39           model will be used.
  40
  41           If you are unsure how to answer this question, answer N.
  42
  43 config SECURITY_WRITABLE_HOOKS
  44         depends on SECURITY
  45         bool
  46         default n
  47
  48 config SECURITY_STACKING
  49         bool "Security module stacking"
  50         depends on SECURITY
  51         help
  52           Allows multiple major security modules to be stacked.
  53           Modules are invoked in the order registered with a
  54           "bail on fail" policy, in which the infrastructure
  55           will stop processing once a denial is detected. Not
  56           all modules can be stacked. SELinux and Smack are
  57           known to be incompatible. User space components may
  58           have trouble identifying the security module providing
  59           data in some cases.
  60
  61           If you select this option you will have to select which
  62           of the stackable modules you wish to be active. The
  63           "Default security module" will be ignored. The boot line
  64           "security=" option can be used to specify that one of
  65           the modules identifed for stacking should be used instead
  66           of the entire stack.
  67
  68           If you are unsure how to answer this question, answer N.
  69
  70 config SECURITY_LSM_DEBUG
  71         bool "Enable debugging of the LSM infrastructure"
  72         depends on SECURITY
  73         help
  74           This allows you to choose debug messages related to
  75           security modules configured into your kernel. These
  76           messages may be helpful in determining how a security
  77           module is using security blobs.
  78
  79           If you are unsure how to answer this question, answer N.
  80
  81 config SECURITYFS
  82         bool "Enable the securityfs filesystem"
  83         help
  84           This will build the securityfs filesystem.  It is currently used by
  85           the TPM bios character driver and IMA, an integrity provider.  It is
  86           not used by SELinux or SMACK.
  87
  88           If you are unsure how to answer this question, answer N.
  89
  90 config SECURITY_NETWORK
  91         bool "Socket and Networking Security Hooks"
  92         depends on SECURITY
  93         help
  94           This enables the socket and networking security hooks.
  95           If enabled, a security module can use these hooks to
  96           implement socket and networking access controls.
  97           If you are unsure how to answer this question, answer N.
  98
  99 config PAGE_TABLE_ISOLATION
 100         bool "Remove the kernel mapping in user mode"
 101         default y
 102         depends on X86_64 && !UML
 103         help
 104           This feature reduces the number of hardware side channels by
 105           ensuring that the majority of kernel addresses are not mapped
 106           into userspace.
 107
 108           See Documentation/x86/pti.txt for more details.
 109
 110 config SECURITY_INFINIBAND
 111         bool "Infiniband Security Hooks"
 112         depends on SECURITY && INFINIBAND
 113         help
 114           This enables the Infiniband security hooks.
 115           If enabled, a security module can use these hooks to
 116           implement Infiniband access controls.
 117           If you are unsure how to answer this question, answer N.
 118
 119 config SECURITY_NETWORK_XFRM
 120         bool "XFRM (IPSec) Networking Security Hooks"
 121         depends on XFRM && SECURITY_NETWORK
 122         help
 123           This enables the XFRM (IPSec) networking security hooks.
 124           If enabled, a security module can use these hooks to
 125           implement per-packet access controls based on labels
 126           derived from IPSec policy.  Non-IPSec communications are
 127           designated as unlabelled, and only sockets authorized
 128           to communicate unlabelled data can send without using
 129           IPSec.
 130           If you are unsure how to answer this question, answer N.
 131
 132 config SECURITY_PATH
 133         bool "Security hooks for pathname based access control"
 134         depends on SECURITY
 135         help
 136           This enables the security hooks for pathname based access control.
 137           If enabled, a security module can use these hooks to
 138           implement pathname based access controls.
 139           If you are unsure how to answer this question, answer N.
 140
 141 config INTEL_TXT
 142         bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
 143         depends on HAVE_INTEL_TXT
 144         help
 145           This option enables support for booting the kernel with the
 146           Trusted Boot (tboot) module. This will utilize
 147           Intel(R) Trusted Execution Technology to perform a measured launch
 148           of the kernel. If the system does not support Intel(R) TXT, this
 149           will have no effect.
 150
 151           Intel TXT will provide higher assurance of system configuration and
 152           initial state as well as data reset protection.  This is used to
 153           create a robust initial kernel measurement and verification, which
 154           helps to ensure that kernel security mechanisms are functioning
 155           correctly. This level of protection requires a root of trust outside
 156           of the kernel itself.
 157
 158           Intel TXT also helps solve real end user concerns about having
 159           confidence that their hardware is running the VMM or kernel that
 160           it was configured with, especially since they may be responsible for
 161           providing such assurances to VMs and services running on it.
 162
 163           See <http://www.intel.com/technology/security/> for more information
 164           about Intel(R) TXT.
 165           See <http://tboot.sourceforge.net> for more information about tboot.
 166           See Documentation/intel_txt.txt for a description of how to enable
 167           Intel TXT support in a kernel boot.
 168
 169           If you are unsure as to whether this is required, answer N.
 170
 171 config LSM_MMAP_MIN_ADDR
 172         int "Low address space for LSM to protect from user allocation"
 173         depends on SECURITY && SECURITY_SELINUX
 174         default 32768 if ARM || (ARM64 && COMPAT)
 175         default 65536
 176         help
 177           This is the portion of low virtual memory which should be protected
 178           from userspace allocation.  Keeping a user from writing to low pages
 179           can help reduce the impact of kernel NULL pointer bugs.
 180
 181           For most ia64, ppc64 and x86 users with lots of address space
 182           a value of 65536 is reasonable and should cause no problems.
 183           On arm and other archs it should not be higher than 32768.
 184           Programs which use vm86 functionality or have some need to map
 185           this low address space will need the permission specific to the
 186           systems running LSM.
 187
 188 config HAVE_HARDENED_USERCOPY_ALLOCATOR
 189         bool
 190         help
 191           The heap allocator implements __check_heap_object() for
 192           validating memory ranges against heap object sizes in
 193           support of CONFIG_HARDENED_USERCOPY.
 194
 195 config HARDENED_USERCOPY
 196         bool "Harden memory copies between kernel and userspace"
 197         depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
 198         select BUG
 199         help
 200           This option checks for obviously wrong memory regions when
 201           copying memory to/from the kernel (via copy_to_user() and
 202           copy_from_user() functions) by rejecting memory ranges that
 203           are larger than the specified heap object, span multiple
 204           separately allocated pages, are not on the process stack,
 205           or are part of the kernel text. This kills entire classes
 206           of heap overflow exploits and similar kernel memory exposures.
 207
 208 config HARDENED_USERCOPY_PAGESPAN
 209         bool "Refuse to copy allocations that span multiple pages"
 210         depends on HARDENED_USERCOPY
 211         depends on EXPERT
 212         help
 213           When a multi-page allocation is done without __GFP_COMP,
 214           hardened usercopy will reject attempts to copy it. There are,
 215           however, several cases of this in the kernel that have not all
 216           been removed. This config is intended to be used only while
 217           trying to find such users.
 218
 219 config FORTIFY_SOURCE
 220         bool "Harden common str/mem functions against buffer overflows"
 221         depends on ARCH_HAS_FORTIFY_SOURCE
 222         help
 223           Detect overflows of buffers in common string and memory functions
 224           where the compiler can determine and validate the buffer sizes.
 225
 226 config STATIC_USERMODEHELPER
 227         bool "Force all usermode helper calls through a single binary"
 228         help
 229           By default, the kernel can call many different userspace
 230           binary programs through the "usermode helper" kernel
 231           interface.  Some of these binaries are statically defined
 232           either in the kernel code itself, or as a kernel configuration
 233           option.  However, some of these are dynamically created at
 234           runtime, or can be modified after the kernel has started up.
 235           To provide an additional layer of security, route all of these
 236           calls through a single executable that can not have its name
 237           changed.
 238
 239           Note, it is up to this single binary to then call the relevant
 240           "real" usermode helper binary, based on the first argument
 241           passed to it.  If desired, this program can filter and pick
 242           and choose what real programs are called.
 243
 244           If you wish for all usermode helper programs are to be
 245           disabled, choose this option and then set
 246           STATIC_USERMODEHELPER_PATH to an empty string.
 247
 248 config STATIC_USERMODEHELPER_PATH
 249         string "Path to the static usermode helper binary"
 250         depends on STATIC_USERMODEHELPER
 251         default "/sbin/usermode-helper"
 252         help
 253           The binary called by the kernel when any usermode helper
 254           program is wish to be run.  The "real" application's name will
 255           be in the first argument passed to this program on the command
 256           line.
 257
 258           If you wish for all usermode helper programs to be disabled,
 259           specify an empty string here (i.e. "").
 260
 261 config LOCK_DOWN_KERNEL
 262         bool "Allow the kernel to be 'locked down'"
 263         help
 264           Allow the kernel to be locked down under certain circumstances, for
 265           instance if UEFI secure boot is enabled.  Locking down the kernel
 266           turns off various features that might otherwise allow access to the
 267           kernel image (eg. setting MSR registers).
 268
 269 config ALLOW_LOCKDOWN_LIFT
 270         bool
 271         help
 272           Allow the lockdown on a kernel to be lifted, thereby restoring the
 273           ability of userspace to access the kernel image (eg. by SysRq+x under
 274           x86).
 275
 276 source security/selinux/Kconfig
 277 source security/smack/Kconfig
 278 source security/tomoyo/Kconfig
 279 source security/apparmor/Kconfig
 280 source security/loadpin/Kconfig
 281 source security/yama/Kconfig
 282
 283 source security/integrity/Kconfig
 284
 285 menu "Security Module Selection"
 286         visible if !SECURITY_STACKING
 287
 288 choice
 289         prompt "Default security module"
 290         default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
 291         default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 292         default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 293         default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
 294         default DEFAULT_SECURITY_DAC
 295
 296         help
 297           Select the security module that will be used by default if the
 298           kernel parameter security= is not specified.
 299
 300         config DEFAULT_SECURITY_SELINUX
 301                 bool "SELinux" if SECURITY_SELINUX=y
 302
 303         config DEFAULT_SECURITY_SMACK
 304                 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
 305
 306         config DEFAULT_SECURITY_TOMOYO
 307                 bool "TOMOYO" if SECURITY_TOMOYO=y
 308
 309         config DEFAULT_SECURITY_APPARMOR
 310                 bool "AppArmor" if SECURITY_APPARMOR=y
 311
 312         config DEFAULT_SECURITY_DAC
 313                 bool "Unix Discretionary Access Controls"
 314
 315 endchoice
 316
 317 config DEFAULT_SECURITY
 318         string
 319         default "selinux" if DEFAULT_SECURITY_SELINUX
 320         default "smack" if DEFAULT_SECURITY_SMACK
 321         default "tomoyo" if DEFAULT_SECURITY_TOMOYO
 322         default "apparmor" if DEFAULT_SECURITY_APPARMOR
 323         default "" if DEFAULT_SECURITY_DAC
 324
 325 endmenu
 326
 327 menu "Security Module Stack"
 328         visible if SECURITY_STACKING
 329
 330 choice
 331         prompt "mutually exclusive LSMs"
 332         default SECURITY_NO_EXCLUSIVE_LSM
 333
 334         config SECURITY_NO_EXCLUSIVE_LSM
 335                 bool "none"
 336                 help
 337                   Do no add an LSM to is mutually exclusive to the stack."
 338         config SECURITY_SELINUX_STACKED
 339                 bool "SELinux" if SECURITY_SELINUX=y
 340                 help
 341                   Add the SELinux security module to the stack.
 342                   Please be sure your user space code is accomodating of
 343                   this security module.
 344                   Ensure that your network configuration is compatible
 345                   with your combination of security modules.
 346
 347                   Incompatible with Smack being stacked.
 348
 349                   If you are unsure how to answer this question, answer N.
 350
 351         config SECURITY_SMACK_STACKED
 352                 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
 353                 help
 354                   Add the Smack security module to the stack.
 355                   Please be sure your user space code is accomodating of
 356                   this security module.
 357                   Ensure that your network configuration is compatible
 358                   with your combination of security modules.
 359
 360                   Incompatible with SeLinux being stacked.
 361
 362                   If you are unsure how to answer this question, answer N.
 363 endchoice
 364
 365 config SECURITY_TOMOYO_STACKED
 366         bool "TOMOYO support is enabled by default"
 367         depends on SECURITY_TOMOYO && SECURITY_STACKING
 368         default n
 369         help
 370           This option instructs the system to use the TOMOYO checks.
 371           If not selected the module will not be invoked.
 372           Stacked security modules may interact in unexpected ways.
 373           Please be sure your user space code is accomodating of
 374           multiple security modules.
 375
 376           If you are unsure how to answer this question, answer N.
 377
 378 config SECURITY_APPARMOR_STACKED
 379         bool "AppArmor support is enabled by default"
 380         depends on SECURITY_APPARMOR && SECURITY_STACKING
 381         default n
 382         help
 383           This option instructs the system to use the AppArmor checks.
 384           If not selected the module will not be invoked.
 385           Stacked security modules may interact in unexpected ways.
 386           Please be sure your user space code is accomodating of
 387           multiple security modules.
 388
 389           If you are unsure how to answer this question, answer N.
 390
 391 choice
 392         prompt "Default LSM for legacy interfaces"
 393         default SECURITY_DEFAULT_DISPLAY_SELINUX if SECURITY_SELINUX_STACKED
 394         default SECURITY_DEFAULT_DISPLAY_SMACK if SECURITY_SMACK_STACKED
 395         default SECURITY_DEFAULT_DISPLAY_TOMOYO if SECURITY_TOMOYO_STACKED
 396         default SECURITY_DEFAULT_DISPALY_APPARMOR if SECURITY_APPARMOR_STACKED
 397         default SECURITY_DEFAULT_DISPLAY_FIRST
 398
 399         help
 400           Select the security module context that will be displayed by
 401           default on legacy interfaces if the kernel parameter
 402           security.display= is not specified.
 403
 404         config SECURITY_DEFAULT_DISPLAY_SELINUX
 405                 bool "SELinux" if SECURITY_SELINUX=y
 406
 407         config SECURITY_DEFAULT_DISPLAY_SMACK
 408                 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
 409
 410         config SECURITY_DEFAULT_DISPLAY_TOMOYO
 411                 bool "TOMOYO" if SECURITY_TOMOYO=y
 412
 413         config SECURITY_DEFAULT_DISPLAY_APPARMOR
 414                 bool "AppArmor" if SECURITY_APPARMOR=y
 415
 416         config SECURITY_DEFAULT_DISPLAY_FIRST
 417                 bool "First security module to register"
 418
 419 endchoice
 420
 421 config SECURITY_DEFAULT_DISPLAY_NAME
 422         string
 423         default "selinux" if SECURITY_DEFAULT_DISPLAY_SELINUX
 424         default "smack" if SECURITY_DEFAULT_DISPLAY_SMACK
 425         default "tomoyo" if SECURITY_DEFAULT_DISPLAY_TOMOYO
 426         default "apparmor" if SECURITY_DEFAULT_DISPLAY_APPARMOR
 427         default "" if SECURITY_DEFAULT_DISPLAY_FIRST
 428
 429 endmenu
 430
 431 endmenu