Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | # |
3 | # Security configuration | |
4 | # | |
5 | ||
6 | menu "Security options" | |
7 | ||
8636a1f9 | 8 | source "security/keys/Kconfig" |
1da177e4 | 9 | |
eaf06b24 DR |
10 | config SECURITY_DMESG_RESTRICT |
11 | bool "Restrict unprivileged access to the kernel syslog" | |
12 | default n | |
13 | help | |
14 | This enforces restrictions on unprivileged users reading the kernel | |
15 | syslog via dmesg(8). | |
16 | ||
17 | If this option is not selected, no restrictions will be enforced | |
18 | unless the dmesg_restrict sysctl is explicitly set to (1). | |
19 | ||
20 | If you are unsure how to answer this question, answer N. | |
21 | ||
41e8149c AR |
22 | choice |
23 | prompt "Allow /proc/pid/mem access override" | |
24 | default PROC_MEM_ALWAYS_FORCE | |
25 | help | |
26 | Traditionally /proc/pid/mem allows users to override memory | |
27 | permissions for users like ptrace, assuming they have ptrace | |
28 | capability. | |
29 | ||
30 | This allows people to limit that - either never override, or | |
31 | require actual active ptrace attachment. | |
32 | ||
33 | Defaults to the traditional behavior (for now) | |
34 | ||
35 | config PROC_MEM_ALWAYS_FORCE | |
36 | bool "Traditional /proc/pid/mem behavior" | |
37 | help | |
38 | This allows /proc/pid/mem accesses to override memory mapping | |
39 | permissions if you have ptrace access rights. | |
40 | ||
41 | config PROC_MEM_FORCE_PTRACE | |
42 | bool "Require active ptrace() use for access override" | |
43 | help | |
44 | This allows /proc/pid/mem accesses to override memory mapping | |
45 | permissions for active ptracers like gdb. | |
46 | ||
47 | config PROC_MEM_NO_FORCE | |
48 | bool "Never" | |
49 | help | |
50 | Never override memory mapping permissions | |
51 | ||
52 | endchoice | |
53 | ||
1da177e4 LT |
54 | config SECURITY |
55 | bool "Enable different security models" | |
2c40579b | 56 | depends on SYSFS |
2813893f | 57 | depends on MULTIUSER |
1da177e4 LT |
58 | help |
59 | This allows you to choose different security modules to be | |
60 | configured into your kernel. | |
61 | ||
62 | If this option is not selected, the default Linux security | |
63 | model will be used. | |
64 | ||
65 | If you are unsure how to answer this question, answer N. | |
66 | ||
da31894e EP |
67 | config SECURITYFS |
68 | bool "Enable the securityfs filesystem" | |
69 | help | |
70 | This will build the securityfs filesystem. It is currently used by | |
b102c11e | 71 | various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). |
da31894e EP |
72 | |
73 | If you are unsure how to answer this question, answer N. | |
74 | ||
1da177e4 LT |
75 | config SECURITY_NETWORK |
76 | bool "Socket and Networking Security Hooks" | |
77 | depends on SECURITY | |
78 | help | |
79 | This enables the socket and networking security hooks. | |
80 | If enabled, a security module can use these hooks to | |
81 | implement socket and networking access controls. | |
82 | If you are unsure how to answer this question, answer N. | |
df71837d | 83 | |
d291f1a6 DJ |
84 | config SECURITY_INFINIBAND |
85 | bool "Infiniband Security Hooks" | |
86 | depends on SECURITY && INFINIBAND | |
87 | help | |
88 | This enables the Infiniband security hooks. | |
89 | If enabled, a security module can use these hooks to | |
90 | implement Infiniband access controls. | |
91 | If you are unsure how to answer this question, answer N. | |
92 | ||
df71837d TJ |
93 | config SECURITY_NETWORK_XFRM |
94 | bool "XFRM (IPSec) Networking Security Hooks" | |
95 | depends on XFRM && SECURITY_NETWORK | |
96 | help | |
97 | This enables the XFRM (IPSec) networking security hooks. | |
98 | If enabled, a security module can use these hooks to | |
99 | implement per-packet access controls based on labels | |
100 | derived from IPSec policy. Non-IPSec communications are | |
101 | designated as unlabelled, and only sockets authorized | |
102 | to communicate unlabelled data can send without using | |
103 | IPSec. | |
104 | If you are unsure how to answer this question, answer N. | |
1da177e4 | 105 | |
be6d3e56 KT |
106 | config SECURITY_PATH |
107 | bool "Security hooks for pathname based access control" | |
108 | depends on SECURITY | |
109 | help | |
110 | This enables the security hooks for pathname based access control. | |
111 | If enabled, a security module can use these hooks to | |
112 | implement pathname based access controls. | |
113 | If you are unsure how to answer this question, answer N. | |
114 | ||
31625340 JC |
115 | config INTEL_TXT |
116 | bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" | |
69575d38 | 117 | depends on HAVE_INTEL_TXT |
31625340 JC |
118 | help |
119 | This option enables support for booting the kernel with the | |
120 | Trusted Boot (tboot) module. This will utilize | |
121 | Intel(R) Trusted Execution Technology to perform a measured launch | |
122 | of the kernel. If the system does not support Intel(R) TXT, this | |
123 | will have no effect. | |
124 | ||
3c556e41 | 125 | Intel TXT will provide higher assurance of system configuration and |
31625340 JC |
126 | initial state as well as data reset protection. This is used to |
127 | create a robust initial kernel measurement and verification, which | |
128 | helps to ensure that kernel security mechanisms are functioning | |
129 | correctly. This level of protection requires a root of trust outside | |
130 | of the kernel itself. | |
131 | ||
132 | Intel TXT also helps solve real end user concerns about having | |
133 | confidence that their hardware is running the VMM or kernel that | |
3c556e41 | 134 | it was configured with, especially since they may be responsible for |
31625340 JC |
135 | providing such assurances to VMs and services running on it. |
136 | ||
c9fecf50 | 137 | See <https://www.intel.com/technology/security/> for more information |
31625340 JC |
138 | about Intel(R) TXT. |
139 | See <http://tboot.sourceforge.net> for more information about tboot. | |
ff61f079 | 140 | See Documentation/arch/x86/intel_txt.rst for a description of how to enable |
31625340 JC |
141 | Intel TXT support in a kernel boot. |
142 | ||
143 | If you are unsure as to whether this is required, answer N. | |
144 | ||
788084ab | 145 | config LSM_MMAP_MIN_ADDR |
024e6cb4 | 146 | int "Low address space for LSM to protect from user allocation" |
788084ab | 147 | depends on SECURITY && SECURITY_SELINUX |
530b099d | 148 | default 32768 if ARM || (ARM64 && COMPAT) |
a58578e4 | 149 | default 65536 |
788084ab EP |
150 | help |
151 | This is the portion of low virtual memory which should be protected | |
152 | from userspace allocation. Keeping a user from writing to low pages | |
153 | can help reduce the impact of kernel NULL pointer bugs. | |
154 | ||
155 | For most ia64, ppc64 and x86 users with lots of address space | |
156 | a value of 65536 is reasonable and should cause no problems. | |
157 | On arm and other archs it should not be higher than 32768. | |
158 | Programs which use vm86 functionality or have some need to map | |
159 | this low address space will need the permission specific to the | |
160 | systems running LSM. | |
161 | ||
f5509cc1 KC |
162 | config HARDENED_USERCOPY |
163 | bool "Harden memory copies between kernel and userspace" | |
22ec1a2a | 164 | imply STRICT_DEVMEM |
f5509cc1 KC |
165 | help |
166 | This option checks for obviously wrong memory regions when | |
167 | copying memory to/from the kernel (via copy_to_user() and | |
168 | copy_from_user() functions) by rejecting memory ranges that | |
169 | are larger than the specified heap object, span multiple | |
99c55fb1 | 170 | separately allocated pages, are not on the process stack, |
1109a5d9 | 171 | or are part of the kernel text. This prevents entire classes |
f5509cc1 KC |
172 | of heap overflow exploits and similar kernel memory exposures. |
173 | ||
6974f0c4 DM |
174 | config FORTIFY_SOURCE |
175 | bool "Harden common str/mem functions against buffer overflows" | |
176 | depends on ARCH_HAS_FORTIFY_SOURCE | |
281d0c96 KC |
177 | # https://github.com/llvm/llvm-project/issues/53645 |
178 | depends on !CC_IS_CLANG || !X86_32 | |
6974f0c4 DM |
179 | help |
180 | Detect overflows of buffers in common string and memory functions | |
181 | where the compiler can determine and validate the buffer sizes. | |
182 | ||
64e90a8a GKH |
183 | config STATIC_USERMODEHELPER |
184 | bool "Force all usermode helper calls through a single binary" | |
185 | help | |
186 | By default, the kernel can call many different userspace | |
187 | binary programs through the "usermode helper" kernel | |
188 | interface. Some of these binaries are statically defined | |
189 | either in the kernel code itself, or as a kernel configuration | |
190 | option. However, some of these are dynamically created at | |
191 | runtime, or can be modified after the kernel has started up. | |
192 | To provide an additional layer of security, route all of these | |
193 | calls through a single executable that can not have its name | |
194 | changed. | |
195 | ||
196 | Note, it is up to this single binary to then call the relevant | |
197 | "real" usermode helper binary, based on the first argument | |
198 | passed to it. If desired, this program can filter and pick | |
199 | and choose what real programs are called. | |
200 | ||
201 | If you wish for all usermode helper programs are to be | |
202 | disabled, choose this option and then set | |
203 | STATIC_USERMODEHELPER_PATH to an empty string. | |
204 | ||
205 | config STATIC_USERMODEHELPER_PATH | |
206 | string "Path to the static usermode helper binary" | |
207 | depends on STATIC_USERMODEHELPER | |
208 | default "/sbin/usermode-helper" | |
209 | help | |
210 | The binary called by the kernel when any usermode helper | |
211 | program is wish to be run. The "real" application's name will | |
212 | be in the first argument passed to this program on the command | |
213 | line. | |
214 | ||
215 | If you wish for all usermode helper programs to be disabled, | |
216 | specify an empty string here (i.e. ""). | |
217 | ||
8636a1f9 MY |
218 | source "security/selinux/Kconfig" |
219 | source "security/smack/Kconfig" | |
220 | source "security/tomoyo/Kconfig" | |
221 | source "security/apparmor/Kconfig" | |
222 | source "security/loadpin/Kconfig" | |
223 | source "security/yama/Kconfig" | |
aeca4e2c | 224 | source "security/safesetid/Kconfig" |
000d388e | 225 | source "security/lockdown/Kconfig" |
90945448 | 226 | source "security/landlock/Kconfig" |
03115077 | 227 | source "security/ipe/Kconfig" |
1da177e4 | 228 | |
8636a1f9 | 229 | source "security/integrity/Kconfig" |
3323eec9 | 230 | |
2623c4fb KC |
231 | choice |
232 | prompt "First legacy 'major LSM' to be initialized" | |
233 | default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX | |
234 | default DEFAULT_SECURITY_SMACK if SECURITY_SMACK | |
235 | default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO | |
236 | default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR | |
237 | default DEFAULT_SECURITY_DAC | |
238 | ||
239 | help | |
240 | This choice is there only for converting CONFIG_DEFAULT_SECURITY | |
241 | in old kernel configs to CONFIG_LSM in new kernel configs. Don't | |
242 | change this choice unless you are creating a fresh kernel config, | |
243 | for this choice will be ignored after CONFIG_LSM has been set. | |
244 | ||
245 | Selects the legacy "major security module" that will be | |
246 | initialized first. Overridden by non-default CONFIG_LSM. | |
247 | ||
248 | config DEFAULT_SECURITY_SELINUX | |
249 | bool "SELinux" if SECURITY_SELINUX=y | |
250 | ||
251 | config DEFAULT_SECURITY_SMACK | |
252 | bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y | |
253 | ||
254 | config DEFAULT_SECURITY_TOMOYO | |
255 | bool "TOMOYO" if SECURITY_TOMOYO=y | |
256 | ||
257 | config DEFAULT_SECURITY_APPARMOR | |
258 | bool "AppArmor" if SECURITY_APPARMOR=y | |
259 | ||
260 | config DEFAULT_SECURITY_DAC | |
261 | bool "Unix Discretionary Access Controls" | |
262 | ||
263 | endchoice | |
264 | ||
13e735c0 KC |
265 | config LSM |
266 | string "Ordered list of enabled LSMs" | |
03115077 DB |
267 | default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK |
268 | default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR | |
269 | default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO | |
270 | default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC | |
271 | default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf" | |
13e735c0 KC |
272 | help |
273 | A comma-separated list of LSMs, in initialization order. | |
b9b8701b RS |
274 | Any LSMs left off this list, except for those with order |
275 | LSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabled | |
276 | if selected in the kernel configuration, will be ignored. | |
277 | This can be controlled at boot with the "lsm=" parameter. | |
13e735c0 KC |
278 | |
279 | If unsure, leave this as the default. | |
280 | ||
9f671e58 KC |
281 | source "security/Kconfig.hardening" |
282 | ||
1da177e4 LT |
283 | endmenu |
284 |