# SPDX-License-Identifier: GPL-2.0-only
#
# Security configuration
#

menu "Security options"

source "security/keys/Kconfig"

config SECURITY_DMESG_RESTRICT
	bool "Restrict unprivileged access to the kernel syslog"
	default n
	help
	  This enforces restrictions on unprivileged users reading the kernel
	  syslog via dmesg(8).

	  If this option is not selected, no restrictions will be enforced
	  unless the dmesg_restrict sysctl is explicitly set to (1).

	  If you are unsure how to answer this question, answer N.

config SECURITY
	bool "Enable different security models"
	depends on SYSFS
	depends on MULTIUSER
	help
	  This allows you to choose different security modules to be
	  configured into your kernel.

	  If this option is not selected, the default Linux security
	  model will be used.

	  If you are unsure how to answer this question, answer N.

config SECURITY_WRITABLE_HOOKS
	depends on SECURITY
	bool
	default n

config SECURITYFS
	bool "Enable the securityfs filesystem"
	help
	  This will build the securityfs filesystem. It is currently used by
	  various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM).

	  If you are unsure how to answer this question, answer N.

config SECURITY_NETWORK
	bool "Socket and Networking Security Hooks"
	depends on SECURITY
	help
	  This enables the socket and networking security hooks.
	  If enabled, a security module can use these hooks to
	  implement socket and networking access controls.
	  If you are unsure how to answer this question, answer N.

config SECURITY_INFINIBAND
	bool "Infiniband Security Hooks"
	depends on SECURITY && INFINIBAND
	help
	  This enables the Infiniband security hooks.
	  If enabled, a security module can use these hooks to
	  implement Infiniband access controls.
	  If you are unsure how to answer this question, answer N.

config SECURITY_NETWORK_XFRM
	bool "XFRM (IPSec) Networking Security Hooks"
	depends on XFRM && SECURITY_NETWORK
	help
	  This enables the XFRM (IPSec) networking security hooks.
	  If enabled, a security module can use these hooks to
	  implement per-packet access controls based on labels
	  derived from IPSec policy. Non-IPSec communications are
	  designated as unlabelled, and only sockets authorized
	  to communicate unlabelled data can send without using
	  IPSec.
	  If you are unsure how to answer this question, answer N.

config SECURITY_PATH
	bool "Security hooks for pathname based access control"
	depends on SECURITY
	help
	  This enables the security hooks for pathname based access control.
	  If enabled, a security module can use these hooks to
	  implement pathname based access controls.
	  If you are unsure how to answer this question, answer N.

config INTEL_TXT
	bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
	depends on HAVE_INTEL_TXT
	help
	  This option enables support for booting the kernel with the
	  Trusted Boot (tboot) module. This will utilize
	  Intel(R) Trusted Execution Technology to perform a measured launch
	  of the kernel. If the system does not support Intel(R) TXT, this
	  will have no effect.

	  Intel TXT will provide higher assurance of system configuration and
	  initial state as well as data reset protection. This is used to
	  create a robust initial kernel measurement and verification, which
	  helps to ensure that kernel security mechanisms are functioning
	  correctly. This level of protection requires a root of trust outside
	  of the kernel itself.

	  Intel TXT also helps solve real end user concerns about having
	  confidence that their hardware is running the VMM or kernel that
	  it was configured with, especially since they may be responsible for
	  providing such assurances to VMs and services running on it.

	  See <https://www.intel.com/technology/security/> for more information
	  about Intel(R) TXT.
	  See <http://tboot.sourceforge.net> for more information about tboot.
	  See Documentation/x86/intel_txt.rst for a description of how to enable
	  Intel TXT support in a kernel boot.

	  If you are unsure as to whether this is required, answer N.

config LSM_MMAP_MIN_ADDR
	int "Low address space for LSM to protect from user allocation"
	depends on SECURITY && SECURITY_SELINUX
	default 32768 if ARM || (ARM64 && COMPAT)
	default 65536
	help
	  This is the portion of low virtual memory which should be protected
	  from userspace allocation. Keeping a user from writing to low pages
	  can help reduce the impact of kernel NULL pointer bugs.

	  For most ia64, ppc64 and x86 users with lots of address space
	  a value of 65536 is reasonable and should cause no problems.
	  On arm and other archs it should not be higher than 32768.
	  Programs which use vm86 functionality or have some need to map
	  this low address space will need the permission specific to the
	  systems running LSM.

config HAVE_HARDENED_USERCOPY_ALLOCATOR
	bool
	help
	  The heap allocator implements __check_heap_object() for
	  validating memory ranges against heap object sizes in
	  support of CONFIG_HARDENED_USERCOPY.

config HARDENED_USERCOPY
	bool "Harden memory copies between kernel and userspace"
	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
	imply STRICT_DEVMEM
	help
	  This option checks for obviously wrong memory regions when
	  copying memory to/from the kernel (via copy_to_user() and
	  copy_from_user() functions) by rejecting memory ranges that
	  are larger than the specified heap object, span multiple
	  separately allocated pages, are not on the process stack,
	  or are part of the kernel text. This kills entire classes
	  of heap overflow exploits and similar kernel memory exposures.

config HARDENED_USERCOPY_FALLBACK
	bool "Allow usercopy whitelist violations to fallback to object size"
	depends on HARDENED_USERCOPY
	default y
	help
	  This is a temporary option that allows missing usercopy whitelists
	  to be discovered via a WARN() to the kernel log, instead of
	  rejecting the copy, falling back to non-whitelisted hardened
	  usercopy that checks the slab allocation size instead of the
	  whitelist size. This option will be removed once it seems like
	  all missing usercopy whitelists have been identified and fixed.
	  Booting with "slab_common.usercopy_fallback=Y/N" can change
	  this setting.

config HARDENED_USERCOPY_PAGESPAN
	bool "Refuse to copy allocations that span multiple pages"
	depends on HARDENED_USERCOPY
	depends on EXPERT
	help
	  When a multi-page allocation is done without __GFP_COMP,
	  hardened usercopy will reject attempts to copy it. There are,
	  however, several cases of this in the kernel that have not all
	  been removed. This config is intended to be used only while
	  trying to find such users.

config FORTIFY_SOURCE
	bool "Harden common str/mem functions against buffer overflows"
	depends on ARCH_HAS_FORTIFY_SOURCE
	# https://bugs.llvm.org/show_bug.cgi?id=50322
	# https://bugs.llvm.org/show_bug.cgi?id=41459
	depends on !CC_IS_CLANG
	help
	  Detect overflows of buffers in common string and memory functions
	  where the compiler can determine and validate the buffer sizes.

config STATIC_USERMODEHELPER
	bool "Force all usermode helper calls through a single binary"
	help
	  By default, the kernel can call many different userspace
	  binary programs through the "usermode helper" kernel
	  interface. Some of these binaries are statically defined
	  either in the kernel code itself, or as a kernel configuration
	  option. However, some of these are dynamically created at
	  runtime, or can be modified after the kernel has started up.
	  To provide an additional layer of security, route all of these
	  calls through a single executable that can not have its name
	  changed.

	  Note, it is up to this single binary to then call the relevant
	  "real" usermode helper binary, based on the first argument
	  passed to it. If desired, this program can filter and pick
	  and choose what real programs are called.

	  If you wish for all usermode helper programs to be
	  disabled, choose this option and then set
	  STATIC_USERMODEHELPER_PATH to an empty string.

config STATIC_USERMODEHELPER_PATH
	string "Path to the static usermode helper binary"
	depends on STATIC_USERMODEHELPER
	default "/sbin/usermode-helper"
	help
	  The binary called by the kernel when any usermode helper
	  program is to be run. The "real" application's name will
	  be in the first argument passed to this program on the command
	  line.

	  If you wish for all usermode helper programs to be disabled,
	  specify an empty string here (i.e. "").
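The two STATIC_USERMODEHELPER entries above describe the contract but not the dispatcher itself. The following is an added example of such a dispatcher written as a POSIX shell script; it is not part of the kernel tree. It assumes only what the help text states (the kernel invokes the configured binary with the "real" helper's path as the first argument and the helper's own arguments after it); the allowlist paths are constructed for the example and would be set to whatever helpers a given system actually needs.

```shell
#!/bin/sh
# Added example, not kernel code: an allowlisting dispatcher suitable for
# CONFIG_STATIC_USERMODEHELPER_PATH. The kernel runs this one program with
# the "real" helper's path as its first argument; it is this program's job
# to decide which real helpers actually get executed.

# Constructed allowlist (hypothetical paths); can be overridden from the
# environment when the script is sourced for testing.
UMH_ALLOWLIST="${UMH_ALLOWLIST:-/sbin/modprobe /sbin/hotplug /sbin/request-key}"

# umh_decide REAL_HELPER: prints "allow" or "deny"; exit status 0 only on allow.
umh_decide() {
    req="$1"
    # Only absolute paths are considered at all.
    case "$req" in
        /*) ;;
        *)  echo deny; return 1 ;;
    esac
    # Refuse anything containing "..", "/./" or "//" (kept deliberately
    # simple: a name such as "foo..bar" is refused too).
    case "$req" in
        *..*|*/./*|*//*) echo deny; return 1 ;;
    esac
    for allowed in $UMH_ALLOWLIST; do
        if [ "$allowed" = "$req" ]; then
            echo allow
            return 0
        fi
    done
    echo deny
    return 1
}

# umh_main REAL_HELPER [ARGS...]: the entry point the kernel's call reaches.
# Allowed helpers are exec'd with the remaining arguments; denied requests
# are reported on stderr (a production build would log to syslog) and refused.
umh_main() {
    [ $# -ge 1 ] || return 1
    real="$1"
    shift
    if umh_decide "$real" >/dev/null; then
        exec "$real" "$@"
    fi
    echo "usermode-helper: denied request for $real" >&2
    return 126
}

# Dispatch only when installed and invoked as the configured helper binary,
# so the functions above can be sourced and tested without side effects.
case "$0" in
    */usermode-helper) umh_main "$@" ;;
esac
```

Installed at the path given by STATIC_USERMODEHELPER_PATH, the script turns a runtime-modifiable helper path (the case the STATIC_USERMODEHELPER help text is concerned with) into a fixed allowlist decision; every refused request leaves a log line, which is the signal to watch for when a helper path has been altered.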

source "security/selinux/Kconfig"
source "security/smack/Kconfig"
source "security/tomoyo/Kconfig"
source "security/apparmor/Kconfig"
source "security/loadpin/Kconfig"
source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"

source "security/integrity/Kconfig"

choice
	prompt "First legacy 'major LSM' to be initialized"
	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
	default DEFAULT_SECURITY_DAC

	help
	  This choice is there only for converting CONFIG_DEFAULT_SECURITY
	  in old kernel configs to CONFIG_LSM in new kernel configs. Don't
	  change this choice unless you are creating a fresh kernel config,
	  for this choice will be ignored after CONFIG_LSM has been set.

	  Selects the legacy "major security module" that will be
	  initialized first. Overridden by non-default CONFIG_LSM.

	config DEFAULT_SECURITY_SELINUX
		bool "SELinux" if SECURITY_SELINUX=y

	config DEFAULT_SECURITY_SMACK
		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y

	config DEFAULT_SECURITY_TOMOYO
		bool "TOMOYO" if SECURITY_TOMOYO=y

	config DEFAULT_SECURITY_APPARMOR
		bool "AppArmor" if SECURITY_APPARMOR=y

	config DEFAULT_SECURITY_DAC
		bool "Unix Discretionary Access Controls"

endchoice

config LSM
	string "Ordered list of enabled LSMs"
	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
	default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
	help
	  A comma-separated list of LSMs, in initialization order.
	  Any LSMs left off this list will be ignored. This can be
	  controlled at boot with the "lsm=" parameter.

	  If unsure, leave this as the default.

source "security/Kconfig.hardening"

endmenu
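Because CONFIG_LSM can be overridden with the "lsm=" boot parameter and LSMs not built in are silently dropped, the list a kernel was configured with is not necessarily the list that is active. The script below is an added example (shell, not part of the kernel tree) that compares the two. It assumes that securityfs (SECURITYFS above) is mounted and exposes the active list, comma-separated, at /sys/kernel/security/lsm, and that "capability" appears there although it is never listed in CONFIG_LSM; the two sample lists at the bottom are constructed for the demo, the expected one being the DEFAULT_SECURITY_APPARMOR default from the Kconfig above.

```shell
#!/bin/sh
# Added example, not kernel code: compare the CONFIG_LSM list a kernel was
# built with against the LSMs actually active on the running system.

# lsm_diff LIST_A LIST_B: prints the entries of LIST_A not found in LIST_B,
# comma-separated (empty line if none). Runs in a subshell so IFS stays local.
lsm_diff() (
    IFS=,
    out=""
    for a in $1; do
        hit=0
        for b in $2; do
            if [ "$a" = "$b" ]; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then out="${out:+$out,}$a"; fi
    done
    printf '%s\n' "$out"
)

# lsm_index LIST NAME: prints the 1-based position of NAME in LIST, or 0.
lsm_index() (
    IFS=,
    i=0
    for item in $1; do
        i=$((i + 1))
        if [ "$item" = "$2" ]; then echo "$i"; exit 0; fi
    done
    echo 0
)

# lsm_order_preserved EXPECTED ACTIVE: succeeds when every ACTIVE entry that
# also appears in EXPECTED comes in the same relative order as in EXPECTED.
# Entries unknown to EXPECTED (such as capability) are ignored here.
lsm_order_preserved() (
    expected="$1"
    last=0
    IFS=,
    for name in $2; do
        pos=$(lsm_index "$expected" "$name")
        if [ "$pos" -eq 0 ]; then continue; fi
        if [ "$pos" -le "$last" ]; then exit 1; fi
        last=$pos
    done
    exit 0
)

# lsm_report EXPECTED [ACTIVE]: prints a summary; exit status 0 only when
# nothing from EXPECTED is missing and the initialization order matches.
# ACTIVE defaults to the live list from securityfs (assumed to be mounted).
lsm_report() {
    expected="$1"
    active="${2:-$(cat /sys/kernel/security/lsm 2>/dev/null || true)}"
    missing=$(lsm_diff "$expected" "$active")
    extra=$(lsm_diff "$active" "$expected")
    status=0
    echo "expected (CONFIG_LSM): $expected"
    echo "active:                $active"
    echo "missing:               ${missing:-none}"
    echo "extra:                 ${extra:-none}"
    if [ -n "$missing" ]; then status=1; fi
    if lsm_order_preserved "$expected" "$active"; then
        echo "order:                 matches CONFIG_LSM"
    else
        echo "order:                 differs from CONFIG_LSM (lsm= on the command line?)"
        status=1
    fi
    return "$status"
}

# Constructed sample: the DEFAULT_SECURITY_APPARMOR default from the Kconfig
# versus an active list as a distribution kernel might expose it.
SAMPLE_EXPECTED="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
SAMPLE_ACTIVE="capability,lockdown,yama,apparmor,bpf"

# Demo run on the sample (exit status 1 is expected: six LSMs are missing).
lsm_report "$SAMPLE_EXPECTED" "$SAMPLE_ACTIVE" || true
```

On a live machine, call lsm_report with the CONFIG_LSM value from the kernel's own config (for example from /proc/config.gz when the kernel was built with IKCONFIG_PROC, or from the /boot config file a distribution ships) and let ACTIVE default to securityfs. A missing entry such as lockdown or yama, or an order that differs from the configured one, is the thing to investigate: the "lsm=" parameter in the boot command line is the first place to look.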