# SPDX-License-Identifier: GPL-2.0-only## Security configuration#menu "Security options"source "security/keys/Kconfig"config SECURITY_DMESG_RESTRICTbool "Restrict unprivileged access to the kernel syslog"default nhelpThis enforces restrictions on unprivileged users reading the kernelsyslog via dmesg(8).If this option is not selected, no restrictions will be enforcedunless the dmesg_restrict sysctl is explicitly set to (1).If you are unsure how to answer this question, answer N.choiceprompt "Allow /proc/pid/mem access override"default PROC_MEM_ALWAYS_FORCEhelpTraditionally /proc/pid/mem allows users to override memorypermissions for users like ptrace, assuming they have ptracecapability.This allows people to limit that - either never override, orrequire actual active ptrace attachment.Defaults to the traditional behavior (for now)config PROC_MEM_ALWAYS_FORCEbool "Traditional /proc/pid/mem behavior"helpThis allows /proc/pid/mem accesses to override memory mappingpermissions if you have ptrace access rights.config PROC_MEM_FORCE_PTRACEbool "Require active ptrace() use for access override"helpThis allows /proc/pid/mem accesses to override memory mappingpermissions for active ptracers like gdb.config PROC_MEM_NO_FORCEbool "Never"helpNever override memory mapping permissionsendchoiceconfig MSEAL_SYSTEM_MAPPINGSbool "mseal system mappings"depends on 64BITdepends on ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGSdepends on !CHECKPOINT_RESTOREhelpApply mseal on system mappings.The system mappings includes vdso, vvar, vvar_vclock,vectors (arm compat-mode), sigpage (arm compat-mode), uprobes.A 64-bit kernel is required for the memory sealing feature.No specific hardware features from the CPU are needed.WARNING: This feature breaks programs which rely on relocatingor unmapping system mappings. Known broken software at the timeof writing includes CHECKPOINT_RESTORE, UML, gVisor, rr. Thereforethis config can't be enabled universally.For complete descriptions of memory sealing, please seeDocumentation/userspace-api/mseal.rstconfig SECURITYbool "Enable different security models"depends on SYSFSdepends on MULTIUSERhelpThis allows you to choose different security modules to beconfigured into your kernel.If this option is not selected, the default Linux securitymodel will be used.If you are unsure how to answer this question, answer N.config HAS_SECURITY_AUDITdef_bool ydepends on AUDITdepends on SECURITYconfig SECURITYFSbool "Enable the securityfs filesystem"helpThis will build the securityfs filesystem. It is currently used byvarious security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM).If you are unsure how to answer this question, answer N.config SECURITY_NETWORKbool "Socket and Networking Security Hooks"depends on SECURITYhelpThis enables the socket and networking security hooks.If enabled, a security module can use these hooks toimplement socket and networking access controls.If you are unsure how to answer this question, answer N.config SECURITY_INFINIBANDbool "Infiniband Security Hooks"depends on SECURITY && INFINIBANDhelpThis enables the Infiniband security hooks.If enabled, a security module can use these hooks toimplement Infiniband access controls.If you are unsure how to answer this question, answer N.config SECURITY_NETWORK_XFRMbool "XFRM (IPSec) Networking Security Hooks"depends on XFRM && SECURITY_NETWORKhelpThis enables the XFRM (IPSec) networking security hooks.If enabled, a security module can use these hooks toimplement per-packet access controls based on labelsderived from IPSec policy. Non-IPSec communications aredesignated as unlabelled, and only sockets authorizedto communicate unlabelled data can send without usingIPSec.If you are unsure how to answer this question, answer N.config SECURITY_PATHbool "Security hooks for pathname based access control"depends on SECURITYhelpThis enables the security hooks for pathname based access control.If enabled, a security module can use these hooks toimplement pathname based access controls.If you are unsure how to answer this question, answer N.config INTEL_TXTbool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"depends on HAVE_INTEL_TXThelpThis option enables support for booting the kernel with theTrusted Boot (tboot) module. This will utilizeIntel(R) Trusted Execution Technology to perform a measured launchof the kernel. If the system does not support Intel(R) TXT, thiswill have no effect.Intel TXT will provide higher assurance of system configuration andinitial state as well as data reset protection. This is used tocreate a robust initial kernel measurement and verification, whichhelps to ensure that kernel security mechanisms are functioningcorrectly. This level of protection requires a root of trust outsideof the kernel itself.Intel TXT also helps solve real end user concerns about havingconfidence that their hardware is running the VMM or kernel thatit was configured with, especially since they may be responsible forproviding such assurances to VMs and services running on it.See <https://www.intel.com/technology/security/> for more informationabout Intel(R) TXT.See <http://tboot.sourceforge.net> for more information about tboot.See Documentation/arch/x86/intel_txt.rst for a description of how to enableIntel TXT support in a kernel boot.If you are unsure as to whether this is required, answer N.config LSM_MMAP_MIN_ADDRint "Low address space for LSM to protect from user allocation"depends on SECURITY && SECURITY_SELINUXdefault 32768 if ARM || (ARM64 && COMPAT)default 65536helpThis is the portion of low virtual memory which should be protectedfrom userspace allocation. Keeping a user from writing to low pagescan help reduce the impact of kernel NULL pointer bugs.For most ia64, ppc64 and x86 users with lots of address spacea value of 65536 is reasonable and should cause no problems.On arm and other archs it should not be higher than 32768.Programs which use vm86 functionality or have some need to mapthis low address space will need the permission specific to thesystems running LSM.config STATIC_USERMODEHELPERbool "Force all usermode helper calls through a single binary"helpBy default, the kernel can call many different userspacebinary programs through the "usermode helper" kernelinterface. Some of these binaries are statically definedeither in the kernel code itself, or as a kernel configurationoption. However, some of these are dynamically created atruntime, or can be modified after the kernel has started up.To provide an additional layer of security, route all of thesecalls through a single executable that can not have its namechanged.Note, it is up to this single binary to then call the relevant"real" usermode helper binary, based on the first argumentpassed to it. If desired, this program can filter and pickand choose what real programs are called.If you wish for all usermode helper programs are to bedisabled, choose this option and then setSTATIC_USERMODEHELPER_PATH to an empty string.config STATIC_USERMODEHELPER_PATHstring "Path to the static usermode helper binary"depends on STATIC_USERMODEHELPERdefault "/sbin/usermode-helper"helpThe binary called by the kernel when any usermode helperprogram is wish to be run. The "real" application's name willbe in the first argument passed to this program on the commandline.If you wish for all usermode helper programs to be disabled,specify an empty string here (i.e. "").source "security/selinux/Kconfig"source "security/smack/Kconfig"source "security/tomoyo/Kconfig"source "security/apparmor/Kconfig"source "security/loadpin/Kconfig"source "security/yama/Kconfig"source "security/safesetid/Kconfig"source "security/lockdown/Kconfig"source "security/landlock/Kconfig"source "security/ipe/Kconfig"source "security/integrity/Kconfig"choiceprompt "First legacy 'major LSM' to be initialized"default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUXdefault DEFAULT_SECURITY_SMACK if SECURITY_SMACKdefault DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYOdefault DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMORdefault DEFAULT_SECURITY_DAChelpThis choice is there only for converting CONFIG_DEFAULT_SECURITYin old kernel configs to CONFIG_LSM in new kernel configs. Don'tchange this choice unless you are creating a fresh kernel config,for this choice will be ignored after CONFIG_LSM has been set.Selects the legacy "major security module" that will beinitialized first. Overridden by non-default CONFIG_LSM.config DEFAULT_SECURITY_SELINUXbool "SELinux" if SECURITY_SELINUX=yconfig DEFAULT_SECURITY_SMACKbool "Simplified Mandatory Access Control" if SECURITY_SMACK=yconfig DEFAULT_SECURITY_TOMOYObool "TOMOYO" if SECURITY_TOMOYO=yconfig DEFAULT_SECURITY_APPARMORbool "AppArmor" if SECURITY_APPARMOR=yconfig DEFAULT_SECURITY_DACbool "Unix Discretionary Access Controls"endchoiceconfig LSMstring "Ordered list of enabled LSMs"default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACKdefault "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMORdefault "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYOdefault "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DACdefault "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"helpA comma-separated list of LSMs, in initialization order.Any LSMs left off this list, except for those with orderLSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabledif selected in the kernel configuration, will be ignored.This can be controlled at boot with the "lsm=" parameter.If unsure, leave this as the default.source "security/Kconfig.hardening"endmenu
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。