Root/security/Kconfig

1#
2# Security configuration
3#
4
5menu "Security options"
6
7config KEYS
8    bool "Enable access key retention support"
9    help
10      This option provides support for retaining authentication tokens and
11      access keys in the kernel.
12
13      It also includes provision of methods by which such keys might be
14      associated with a process so that network filesystems, encryption
15      support and the like can find them.
16
17      Furthermore, a special type of key is available that acts as keyring:
18      a searchable sequence of keys. Each process is equipped with access
19      to five standard keyrings: UID-specific, GID-specific, session,
20      process and thread.
21
22      If you are unsure as to whether this is required, answer N.
23
24config KEYS_DEBUG_PROC_KEYS
25    bool "Enable the /proc/keys file by which keys may be viewed"
26    depends on KEYS
27    help
28      This option turns on support for the /proc/keys file - through which
29      can be listed all the keys on the system that are viewable by the
30      reading process.
31
32      The only keys included in the list are those that grant View
33      permission to the reading process whether or not it possesses them.
34      Note that LSM security checks are still performed, and may further
35      filter out keys that the current process is not authorised to view.
36
37      Only key attributes are listed here; key payloads are not included in
38      the resulting table.
39
40      If you are unsure as to whether this is required, answer N.
41
42config SECURITY
43    bool "Enable different security models"
44    depends on SYSFS
45    help
46      This allows you to choose different security modules to be
47      configured into your kernel.
48
49      If this option is not selected, the default Linux security
50      model will be used.
51
52      If you are unsure how to answer this question, answer N.
53
54config SECURITYFS
55    bool "Enable the securityfs filesystem"
56    help
57      This will build the securityfs filesystem. It is currently used by
58      the TPM bios character driver and IMA, an integrity provider. It is
59      not used by SELinux or SMACK.
60
61      If you are unsure how to answer this question, answer N.
62
63config SECURITY_NETWORK
64    bool "Socket and Networking Security Hooks"
65    depends on SECURITY
66    help
67      This enables the socket and networking security hooks.
68      If enabled, a security module can use these hooks to
69      implement socket and networking access controls.
70      If you are unsure how to answer this question, answer N.
71
72config SECURITY_NETWORK_XFRM
73    bool "XFRM (IPSec) Networking Security Hooks"
74    depends on XFRM && SECURITY_NETWORK
75    help
76      This enables the XFRM (IPSec) networking security hooks.
77      If enabled, a security module can use these hooks to
78      implement per-packet access controls based on labels
79      derived from IPSec policy. Non-IPSec communications are
80      designated as unlabelled, and only sockets authorized
81      to communicate unlabelled data can send without using
82      IPSec.
83      If you are unsure how to answer this question, answer N.
84
85config SECURITY_PATH
86    bool "Security hooks for pathname based access control"
87    depends on SECURITY
88    help
89      This enables the security hooks for pathname based access control.
90      If enabled, a security module can use these hooks to
91      implement pathname based access controls.
92      If you are unsure how to answer this question, answer N.
93
94config INTEL_TXT
95    bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
96    depends on HAVE_INTEL_TXT
97    help
98      This option enables support for booting the kernel with the
99      Trusted Boot (tboot) module. This will utilize
100      Intel(R) Trusted Execution Technology to perform a measured launch
101      of the kernel. If the system does not support Intel(R) TXT, this
102      will have no effect.
103
104      Intel TXT will provide higher assurance of system configuration and
105      initial state as well as data reset protection. This is used to
106      create a robust initial kernel measurement and verification, which
107      helps to ensure that kernel security mechanisms are functioning
108      correctly. This level of protection requires a root of trust outside
109      of the kernel itself.
110
111      Intel TXT also helps solve real end user concerns about having
112      confidence that their hardware is running the VMM or kernel that
113      it was configured with, especially since they may be responsible for
114      providing such assurances to VMs and services running on it.
115
116      See <http://www.intel.com/technology/security/> for more information
117      about Intel(R) TXT.
118      See <http://tboot.sourceforge.net> for more information about tboot.
119      See Documentation/intel_txt.txt for a description of how to enable
120      Intel TXT support in a kernel boot.
121
122      If you are unsure as to whether this is required, answer N.
123
124config LSM_MMAP_MIN_ADDR
125    int "Low address space for LSM to protect from user allocation"
126    depends on SECURITY && SECURITY_SELINUX
127    default 65536
128    help
129      This is the portion of low virtual memory which should be protected
130      from userspace allocation. Keeping a user from writing to low pages
131      can help reduce the impact of kernel NULL pointer bugs.
132
133      For most ia64, ppc64 and x86 users with lots of address space
134      a value of 65536 is reasonable and should cause no problems.
135      On arm and other archs it should not be higher than 32768.
136      Programs which use vm86 functionality or have some need to map
137      this low address space will need the permission specific to the
138      systems running LSM.
139
140source security/selinux/Kconfig
141source security/smack/Kconfig
142source security/tomoyo/Kconfig
143source security/apparmor/Kconfig
144
145source security/integrity/ima/Kconfig
146
147choice
148    prompt "Default security module"
149    default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
150    default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
151    default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
152    default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
153    default DEFAULT_SECURITY_DAC
154
155    help
156      Select the security module that will be used by default if the
157      kernel parameter security= is not specified.
158
159    config DEFAULT_SECURITY_SELINUX
160        bool "SELinux" if SECURITY_SELINUX=y
161
162    config DEFAULT_SECURITY_SMACK
163        bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
164
165    config DEFAULT_SECURITY_TOMOYO
166        bool "TOMOYO" if SECURITY_TOMOYO=y
167
168    config DEFAULT_SECURITY_APPARMOR
169        bool "AppArmor" if SECURITY_APPARMOR=y
170
171    config DEFAULT_SECURITY_DAC
172        bool "Unix Discretionary Access Controls"
173
174endchoice
175
176config DEFAULT_SECURITY
177    string
178    default "selinux" if DEFAULT_SECURITY_SELINUX
179    default "smack" if DEFAULT_SECURITY_SMACK
180    default "tomoyo" if DEFAULT_SECURITY_TOMOYO
181    default "apparmor" if DEFAULT_SECURITY_APPARMOR
182    default "" if DEFAULT_SECURITY_DAC
183
184endmenu
185
186

Archive Download this file



interactive