Root/security/Kconfig

1#
2# Security configuration
3#
4
5menu "Security options"
6
7source security/keys/Kconfig
8
9config SECURITY_DMESG_RESTRICT
10    bool "Restrict unprivileged access to the kernel syslog"
11    default n
12    help
13      This enforces restrictions on unprivileged users reading the kernel
14      syslog via dmesg(8).
15
16      If this option is not selected, no restrictions will be enforced
17      unless the dmesg_restrict sysctl is explicitly set to (1).
18
19      If you are unsure how to answer this question, answer N.
20
21config SECURITY
22    bool "Enable different security models"
23    depends on SYSFS
24    help
25      This allows you to choose different security modules to be
26      configured into your kernel.
27
28      If this option is not selected, the default Linux security
29      model will be used.
30
31      If you are unsure how to answer this question, answer N.
32
33config SECURITYFS
34    bool "Enable the securityfs filesystem"
35    help
36      This will build the securityfs filesystem. It is currently used by
37      the TPM bios character driver and IMA, an integrity provider. It is
38      not used by SELinux or SMACK.
39
40      If you are unsure how to answer this question, answer N.
41
42config SECURITY_NETWORK
43    bool "Socket and Networking Security Hooks"
44    depends on SECURITY
45    help
46      This enables the socket and networking security hooks.
47      If enabled, a security module can use these hooks to
48      implement socket and networking access controls.
49      If you are unsure how to answer this question, answer N.
50
51config SECURITY_NETWORK_XFRM
52    bool "XFRM (IPSec) Networking Security Hooks"
53    depends on XFRM && SECURITY_NETWORK
54    help
55      This enables the XFRM (IPSec) networking security hooks.
56      If enabled, a security module can use these hooks to
57      implement per-packet access controls based on labels
58      derived from IPSec policy. Non-IPSec communications are
59      designated as unlabelled, and only sockets authorized
60      to communicate unlabelled data can send without using
61      IPSec.
62      If you are unsure how to answer this question, answer N.
63
64config SECURITY_PATH
65    bool "Security hooks for pathname based access control"
66    depends on SECURITY
67    help
68      This enables the security hooks for pathname based access control.
69      If enabled, a security module can use these hooks to
70      implement pathname based access controls.
71      If you are unsure how to answer this question, answer N.
72
73config INTEL_TXT
74    bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
75    depends on HAVE_INTEL_TXT
76    help
77      This option enables support for booting the kernel with the
78      Trusted Boot (tboot) module. This will utilize
79      Intel(R) Trusted Execution Technology to perform a measured launch
80      of the kernel. If the system does not support Intel(R) TXT, this
81      will have no effect.
82
83      Intel TXT will provide higher assurance of system configuration and
84      initial state as well as data reset protection. This is used to
85      create a robust initial kernel measurement and verification, which
86      helps to ensure that kernel security mechanisms are functioning
87      correctly. This level of protection requires a root of trust outside
88      of the kernel itself.
89
90      Intel TXT also helps solve real end user concerns about having
91      confidence that their hardware is running the VMM or kernel that
92      it was configured with, especially since they may be responsible for
93      providing such assurances to VMs and services running on it.
94
95      See <http://www.intel.com/technology/security/> for more information
96      about Intel(R) TXT.
97      See <http://tboot.sourceforge.net> for more information about tboot.
98      See Documentation/intel_txt.txt for a description of how to enable
99      Intel TXT support in a kernel boot.
100
101      If you are unsure as to whether this is required, answer N.
102
103config LSM_MMAP_MIN_ADDR
104    int "Low address space for LSM to protect from user allocation"
105    depends on SECURITY && SECURITY_SELINUX
106    default 32768 if ARM
107    default 65536
108    help
109      This is the portion of low virtual memory which should be protected
110      from userspace allocation. Keeping a user from writing to low pages
111      can help reduce the impact of kernel NULL pointer bugs.
112
113      For most ia64, ppc64 and x86 users with lots of address space
114      a value of 65536 is reasonable and should cause no problems.
115      On arm and other archs it should not be higher than 32768.
116      Programs which use vm86 functionality or have some need to map
117      this low address space will need the permission specific to the
118      systems running LSM.
119
120source security/selinux/Kconfig
121source security/smack/Kconfig
122source security/tomoyo/Kconfig
123source security/apparmor/Kconfig
124source security/yama/Kconfig
125
126source security/integrity/Kconfig
127
128choice
129    prompt "Default security module"
130    default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
131    default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
132    default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
133    default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
134    default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
135    default DEFAULT_SECURITY_DAC
136
137    help
138      Select the security module that will be used by default if the
139      kernel parameter security= is not specified.
140
141    config DEFAULT_SECURITY_SELINUX
142        bool "SELinux" if SECURITY_SELINUX=y
143
144    config DEFAULT_SECURITY_SMACK
145        bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
146
147    config DEFAULT_SECURITY_TOMOYO
148        bool "TOMOYO" if SECURITY_TOMOYO=y
149
150    config DEFAULT_SECURITY_APPARMOR
151        bool "AppArmor" if SECURITY_APPARMOR=y
152
153    config DEFAULT_SECURITY_YAMA
154        bool "Yama" if SECURITY_YAMA=y
155
156    config DEFAULT_SECURITY_DAC
157        bool "Unix Discretionary Access Controls"
158
159endchoice
160
161config DEFAULT_SECURITY
162    string
163    default "selinux" if DEFAULT_SECURITY_SELINUX
164    default "smack" if DEFAULT_SECURITY_SMACK
165    default "tomoyo" if DEFAULT_SECURITY_TOMOYO
166    default "apparmor" if DEFAULT_SECURITY_APPARMOR
167    default "yama" if DEFAULT_SECURITY_YAMA
168    default "" if DEFAULT_SECURITY_DAC
169
170endmenu
171
172

Archive Download this file



interactive