linux/security/Kconfig
<<
>>
Prefs
   1#
   2# Security configuration
   3#
   4
   5menu "Security options"
   6
   7source security/keys/Kconfig
   8
   9config SECURITY_DMESG_RESTRICT
  10        bool "Restrict unprivileged access to the kernel syslog"
  11        default n
  12        help
  13          This enforces restrictions on unprivileged users reading the kernel
  14          syslog via dmesg(8).
  15
  16          If this option is not selected, no restrictions will be enforced
  17          unless the dmesg_restrict sysctl is explicitly set to (1).
  18
  19          If you are unsure how to answer this question, answer N.
  20
  21config SECURITY
  22        bool "Enable different security models"
  23        depends on SYSFS
  24        help
  25          This allows you to choose different security modules to be
  26          configured into your kernel.
  27
  28          If this option is not selected, the default Linux security
  29          model will be used.
  30
  31          If you are unsure how to answer this question, answer N.
  32
  33config SECURITYFS
  34        bool "Enable the securityfs filesystem"
  35        help
  36          This will build the securityfs filesystem.  It is currently used by
  37          the TPM bios character driver and IMA, an integrity provider.  It is
  38          not used by SELinux or SMACK.
  39
  40          If you are unsure how to answer this question, answer N.
  41
  42config SECURITY_NETWORK
  43        bool "Socket and Networking Security Hooks"
  44        depends on SECURITY
  45        help
  46          This enables the socket and networking security hooks.
  47          If enabled, a security module can use these hooks to
  48          implement socket and networking access controls.
  49          If you are unsure how to answer this question, answer N.
  50
  51config SECURITY_NETWORK_XFRM
  52        bool "XFRM (IPSec) Networking Security Hooks"
  53        depends on XFRM && SECURITY_NETWORK
  54        help
  55          This enables the XFRM (IPSec) networking security hooks.
  56          If enabled, a security module can use these hooks to
  57          implement per-packet access controls based on labels
  58          derived from IPSec policy.  Non-IPSec communications are
  59          designated as unlabelled, and only sockets authorized
  60          to communicate unlabelled data can send without using
  61          IPSec.
  62          If you are unsure how to answer this question, answer N.
  63
  64config SECURITY_PATH
  65        bool "Security hooks for pathname based access control"
  66        depends on SECURITY
  67        help
  68          This enables the security hooks for pathname based access control.
  69          If enabled, a security module can use these hooks to
  70          implement pathname based access controls.
  71          If you are unsure how to answer this question, answer N.
  72
  73config INTEL_TXT
  74        bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
  75        depends on HAVE_INTEL_TXT
  76        help
  77          This option enables support for booting the kernel with the
  78          Trusted Boot (tboot) module. This will utilize
  79          Intel(R) Trusted Execution Technology to perform a measured launch
  80          of the kernel. If the system does not support Intel(R) TXT, this
  81          will have no effect.
  82
  83          Intel TXT will provide higher assurance of system configuration and
  84          initial state as well as data reset protection.  This is used to
  85          create a robust initial kernel measurement and verification, which
  86          helps to ensure that kernel security mechanisms are functioning
  87          correctly. This level of protection requires a root of trust outside
  88          of the kernel itself.
  89
  90          Intel TXT also helps solve real end user concerns about having
  91          confidence that their hardware is running the VMM or kernel that
  92          it was configured with, especially since they may be responsible for
  93          providing such assurances to VMs and services running on it.
  94
  95          See <http://www.intel.com/technology/security/> for more information
  96          about Intel(R) TXT.
  97          See <http://tboot.sourceforge.net> for more information about tboot.
  98          See Documentation/intel_txt.txt for a description of how to enable
  99          Intel TXT support in a kernel boot.
 100
 101          If you are unsure as to whether this is required, answer N.
 102
 103config LSM_MMAP_MIN_ADDR
 104        int "Low address space for LSM to protect from user allocation"
 105        depends on SECURITY && SECURITY_SELINUX
 106        default 32768 if ARM
 107        default 65536
 108        help
 109          This is the portion of low virtual memory which should be protected
 110          from userspace allocation.  Keeping a user from writing to low pages
 111          can help reduce the impact of kernel NULL pointer bugs.
 112
 113          For most ia64, ppc64 and x86 users with lots of address space
 114          a value of 65536 is reasonable and should cause no problems.
 115          On arm and other archs it should not be higher than 32768.
 116          Programs which use vm86 functionality or have some need to map
 117          this low address space will need the permission specific to the
 118          systems running LSM.
 119
 120source security/selinux/Kconfig
 121source security/smack/Kconfig
 122source security/tomoyo/Kconfig
 123source security/apparmor/Kconfig
 124source security/yama/Kconfig
 125
 126source security/integrity/Kconfig
 127
 128choice
 129        prompt "Default security module"
 130        default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
 131        default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 132        default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 133        default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
 134        default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
 135        default DEFAULT_SECURITY_DAC
 136
 137        help
 138          Select the security module that will be used by default if the
 139          kernel parameter security= is not specified.
 140
 141        config DEFAULT_SECURITY_SELINUX
 142                bool "SELinux" if SECURITY_SELINUX=y
 143
 144        config DEFAULT_SECURITY_SMACK
 145                bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
 146
 147        config DEFAULT_SECURITY_TOMOYO
 148                bool "TOMOYO" if SECURITY_TOMOYO=y
 149
 150        config DEFAULT_SECURITY_APPARMOR
 151                bool "AppArmor" if SECURITY_APPARMOR=y
 152
 153        config DEFAULT_SECURITY_YAMA
 154                bool "Yama" if SECURITY_YAMA=y
 155
 156        config DEFAULT_SECURITY_DAC
 157                bool "Unix Discretionary Access Controls"
 158
 159endchoice
 160
 161config DEFAULT_SECURITY
 162        string
 163        default "selinux" if DEFAULT_SECURITY_SELINUX
 164        default "smack" if DEFAULT_SECURITY_SMACK
 165        default "tomoyo" if DEFAULT_SECURITY_TOMOYO
 166        default "apparmor" if DEFAULT_SECURITY_APPARMOR
 167        default "yama" if DEFAULT_SECURITY_YAMA
 168        default "" if DEFAULT_SECURITY_DAC
 169
 170endmenu
 171
 172
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.