2 # Security configuration
5 menu "Security options"
7 source security/keys/Kconfig
9 config SECURITY_DMESG_RESTRICT
10 bool "Restrict unprivileged access to the kernel syslog"
13 This enforces restrictions on unprivileged users reading the kernel
16 If this option is not selected, no restrictions will be enforced
17 unless the dmesg_restrict sysctl is explicitly set to (1).
19 If you are unsure how to answer this question, answer N.
21 config SECURITY_PERF_EVENTS_RESTRICT
22 bool "Restrict unprivileged use of performance events"
23 depends on PERF_EVENTS
25 If you say Y here, the kernel.perf_event_paranoid sysctl
26 will be set to 3 by default, and no unprivileged use of the
27 perf_event_open syscall will be permitted unless it is
31 bool "Enable different security models"
35 This allows you to choose different security modules to be
36 configured into your kernel.
38 If this option is not selected, the default Linux security
41 If you are unsure how to answer this question, answer N.
43 config SECURITY_WRITABLE_HOOKS
48 config SECURITY_LSM_DEBUG
49 bool "Enable debugging of the LSM infrastructure"
52 This allows you to choose debug messages related to
53 security modules configured into your kernel. These
54 messages may be helpful in determining how a security
55 module is using security blobs.
57 If you are unsure how to answer this question, answer N.
60 bool "Enable the securityfs filesystem"
62 This will build the securityfs filesystem. It is currently used by
63 the TPM bios character driver and IMA, an integrity provider. It is
64 not used by SELinux or SMACK.
66 If you are unsure how to answer this question, answer N.
68 config SECURITY_NETWORK
69 bool "Socket and Networking Security Hooks"
72 This enables the socket and networking security hooks.
73 If enabled, a security module can use these hooks to
74 implement socket and networking access controls.
75 If you are unsure how to answer this question, answer N.
77 config PAGE_TABLE_ISOLATION
78 bool "Remove the kernel mapping in user mode"
80 depends on X86_64 && !UML
82 This feature reduces the number of hardware side channels by
83 ensuring that the majority of kernel addresses are not mapped
86 See Documentation/x86/pti.txt for more details.
88 config SECURITY_INFINIBAND
89 bool "Infiniband Security Hooks"
90 depends on SECURITY && INFINIBAND
92 This enables the Infiniband security hooks.
93 If enabled, a security module can use these hooks to
94 implement Infiniband access controls.
95 If you are unsure how to answer this question, answer N.
97 config SECURITY_NETWORK_XFRM
98 bool "XFRM (IPSec) Networking Security Hooks"
99 depends on XFRM && SECURITY_NETWORK
101 This enables the XFRM (IPSec) networking security hooks.
102 If enabled, a security module can use these hooks to
103 implement per-packet access controls based on labels
104 derived from IPSec policy. Non-IPSec communications are
105 designated as unlabelled, and only sockets authorized
106 to communicate unlabelled data can send without using
108 If you are unsure how to answer this question, answer N.
111 bool "Security hooks for pathname based access control"
114 This enables the security hooks for pathname based access control.
115 If enabled, a security module can use these hooks to
116 implement pathname based access controls.
117 If you are unsure how to answer this question, answer N.
120 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
121 depends on HAVE_INTEL_TXT
123 This option enables support for booting the kernel with the
124 Trusted Boot (tboot) module. This will utilize
125 Intel(R) Trusted Execution Technology to perform a measured launch
126 of the kernel. If the system does not support Intel(R) TXT, this
129 Intel TXT will provide higher assurance of system configuration and
130 initial state as well as data reset protection. This is used to
131 create a robust initial kernel measurement and verification, which
132 helps to ensure that kernel security mechanisms are functioning
133 correctly. This level of protection requires a root of trust outside
134 of the kernel itself.
136 Intel TXT also helps solve real end user concerns about having
137 confidence that their hardware is running the VMM or kernel that
138 it was configured with, especially since they may be responsible for
139 providing such assurances to VMs and services running on it.
141 See <http://www.intel.com/technology/security/> for more information
143 See <http://tboot.sourceforge.net> for more information about tboot.
144 See Documentation/intel_txt.txt for a description of how to enable
145 Intel TXT support in a kernel boot.
147 If you are unsure as to whether this is required, answer N.
149 config LSM_MMAP_MIN_ADDR
150 int "Low address space for LSM to protect from user allocation"
151 depends on SECURITY && SECURITY_SELINUX
152 default 32768 if ARM || (ARM64 && COMPAT)
155 This is the portion of low virtual memory which should be protected
156 from userspace allocation. Keeping a user from writing to low pages
157 can help reduce the impact of kernel NULL pointer bugs.
159 For most ia64, ppc64 and x86 users with lots of address space
160 a value of 65536 is reasonable and should cause no problems.
161 On arm and other archs it should not be higher than 32768.
162 Programs which use vm86 functionality or have some need to map
163 this low address space will need the permission specific to the
166 config HAVE_HARDENED_USERCOPY_ALLOCATOR
169 The heap allocator implements __check_heap_object() for
170 validating memory ranges against heap object sizes in
171 support of CONFIG_HARDENED_USERCOPY.
173 config HARDENED_USERCOPY
174 bool "Harden memory copies between kernel and userspace"
175 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
179 This option checks for obviously wrong memory regions when
180 copying memory to/from the kernel (via copy_to_user() and
181 copy_from_user() functions) by rejecting memory ranges that
182 are larger than the specified heap object, span multiple
183 separately allocated pages, are not on the process stack,
184 or are part of the kernel text. This kills entire classes
185 of heap overflow exploits and similar kernel memory exposures.
187 config HARDENED_USERCOPY_PAGESPAN
188 bool "Refuse to copy allocations that span multiple pages"
189 depends on HARDENED_USERCOPY
192 When a multi-page allocation is done without __GFP_COMP,
193 hardened usercopy will reject attempts to copy it. There are,
194 however, several cases of this in the kernel that have not all
195 been removed. This config is intended to be used only while
196 trying to find such users.
198 config FORTIFY_SOURCE
199 bool "Harden common str/mem functions against buffer overflows"
200 depends on ARCH_HAS_FORTIFY_SOURCE
202 Detect overflows of buffers in common string and memory functions
203 where the compiler can determine and validate the buffer sizes.
205 config STATIC_USERMODEHELPER
206 bool "Force all usermode helper calls through a single binary"
208 By default, the kernel can call many different userspace
209 binary programs through the "usermode helper" kernel
210 interface. Some of these binaries are statically defined
211 either in the kernel code itself, or as a kernel configuration
212 option. However, some of these are dynamically created at
213 runtime, or can be modified after the kernel has started up.
214 To provide an additional layer of security, route all of these
215 calls through a single executable that can not have its name
218 Note, it is up to this single binary to then call the relevant
219 "real" usermode helper binary, based on the first argument
220 passed to it. If desired, this program can filter and pick
221 and choose what real programs are called.
223 If you wish for all usermode helper programs are to be
224 disabled, choose this option and then set
225 STATIC_USERMODEHELPER_PATH to an empty string.
227 config STATIC_USERMODEHELPER_PATH
228 string "Path to the static usermode helper binary"
229 depends on STATIC_USERMODEHELPER
230 default "/sbin/usermode-helper"
232 The binary called by the kernel when any usermode helper
233 program is wish to be run. The "real" application's name will
234 be in the first argument passed to this program on the command
237 If you wish for all usermode helper programs to be disabled,
238 specify an empty string here (i.e. "").
240 config LOCK_DOWN_KERNEL
241 bool "Allow the kernel to be 'locked down'"
243 Allow the kernel to be locked down under certain circumstances, for
244 instance if UEFI secure boot is enabled. Locking down the kernel
245 turns off various features that might otherwise allow access to the
246 kernel image (eg. setting MSR registers).
248 config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
249 bool "Allow the kernel lockdown to be lifted by SysRq"
250 depends on LOCK_DOWN_KERNEL && MAGIC_SYSRQ
252 Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
253 combination on a wired keyboard.
255 config LOCK_DOWN_IN_EFI_SECURE_BOOT
256 bool "Lock down the kernel in EFI Secure Boot mode"
258 select LOCK_DOWN_KERNEL
261 UEFI Secure Boot provides a mechanism for ensuring that the firmware
262 will only load signed bootloaders and kernels. Secure boot mode may
263 be determined from EFI variables provided by the system firmware if
264 not indicated by the boot parameters.
266 Enabling this option turns on results in kernel lockdown being
267 triggered if EFI Secure Boot is set.
270 source security/selinux/Kconfig
271 source security/smack/Kconfig
272 source security/tomoyo/Kconfig
273 source security/apparmor/Kconfig
274 source security/loadpin/Kconfig
275 source security/yama/Kconfig
277 source security/integrity/Kconfig
280 prompt "Default security module"
281 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
282 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
283 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
284 default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
285 default DEFAULT_SECURITY_DAC
288 Select the security module that will be used by default if the
289 kernel parameter security= is not specified.
291 config DEFAULT_SECURITY_SELINUX
292 bool "SELinux" if SECURITY_SELINUX=y
294 config DEFAULT_SECURITY_SMACK
295 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
297 config DEFAULT_SECURITY_TOMOYO
298 bool "TOMOYO" if SECURITY_TOMOYO=y
300 config DEFAULT_SECURITY_APPARMOR
301 bool "AppArmor" if SECURITY_APPARMOR=y
303 config DEFAULT_SECURITY_DAC
304 bool "Unix Discretionary Access Controls"
308 config DEFAULT_SECURITY
310 default "selinux" if DEFAULT_SECURITY_SELINUX
311 default "smack" if DEFAULT_SECURITY_SMACK
312 default "tomoyo" if DEFAULT_SECURITY_TOMOYO
313 default "apparmor" if DEFAULT_SECURITY_APPARMOR
314 default "" if DEFAULT_SECURITY_DAC