config SECURITY_LOCKDOWN_LSM
|
bool "Basic module for enforcing kernel lockdown"
|
depends on SECURITY
|
select MODULE_SIG if MODULES
|
help
|
Build support for an LSM that enforces a coarse kernel lockdown
|
behaviour.
|
|
config SECURITY_LOCKDOWN_LSM_EARLY
|
bool "Enable lockdown LSM early in init"
|
depends on SECURITY_LOCKDOWN_LSM
|
help
|
Enable the lockdown LSM early in boot. This is necessary in order
|
to ensure that lockdown enforcement can be carried out on kernel
|
boot parameters that are otherwise parsed before the security
|
subsystem is fully initialised. If enabled, lockdown will
|
unconditionally be called before any other LSMs.
|
|
choice
|
prompt "Kernel default lockdown mode"
|
default LOCK_DOWN_KERNEL_FORCE_NONE
|
depends on SECURITY_LOCKDOWN_LSM
|
help
|
The kernel can be configured to default to differing levels of
|
lockdown.
|
|
config LOCK_DOWN_KERNEL_FORCE_NONE
|
bool "None"
|
help
|
No lockdown functionality is enabled by default. Lockdown may be
|
enabled via the kernel commandline or /sys/kernel/security/lockdown.
|
|
config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
|
bool "Integrity"
|
help
|
The kernel runs in integrity mode by default. Features that allow
|
the kernel to be modified at runtime are disabled.
|
|
config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
|
bool "Confidentiality"
|
help
|
The kernel runs in confidentiality mode by default. Features that
|
allow the kernel to be modified at runtime or that permit userland
|
code to read confidential material held inside the kernel are
|
disabled.
|
|
endchoice
|
