forked from ~ljy/RK356X_SDK_RELEASE

blame | history | patch | commit | commitdiff
hc
2023-12-11 d2ccde1c8e90d38cee87a1b0309ad2827f3fd30d 
 kernel/security/Kconfig
....@@ -1,10 +1,11 @@
1
+# SPDX-License-Identifier: GPL-2.0-only
12 #
23 # Security configuration
34 #
45 
56 menu "Security options"
67 
7
-source security/keys/Kconfig
8
+source "security/keys/Kconfig"
89 
910 config SECURITY_DMESG_RESTRICT
1011 	bool "Restrict unprivileged access to the kernel syslog"
....@@ -17,15 +18,6 @@
1718 	  unless the dmesg_restrict sysctl is explicitly set to (1).
1819 
1920 	  If you are unsure how to answer this question, answer N.
20
-
21
-config SECURITY_PERF_EVENTS_RESTRICT
22
-	bool "Restrict unprivileged use of performance events"
23
-	depends on PERF_EVENTS
24
-	help
25
-	  If you say Y here, the kernel.perf_event_paranoid sysctl
26
-	  will be set to 3 by default, and no unprivileged use of the
27
-	  perf_event_open syscall will be permitted unless it is
28
-	  changed.
2921 
3022 config SECURITY
3123 	bool "Enable different security models"
....@@ -49,8 +41,7 @@
4941 	bool "Enable the securityfs filesystem"
5042 	help
5143 	  This will build the securityfs filesystem.  It is currently used by
52
-	  the TPM bios character driver and IMA, an integrity provider.  It is
53
-	  not used by SELinux or SMACK.
44
+	  various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM).
5445 
5546 	  If you are unsure how to answer this question, answer N.
5647 
....@@ -62,17 +53,6 @@
6253 	  If enabled, a security module can use these hooks to
6354 	  implement socket and networking access controls.
6455 	  If you are unsure how to answer this question, answer N.
65
-
66
-config PAGE_TABLE_ISOLATION
67
-	bool "Remove the kernel mapping in user mode"
68
-	default y
69
-	depends on (X86_64 || X86_PAE) && !UML
70
-	help
71
-	  This feature reduces the number of hardware side channels by
72
-	  ensuring that the majority of kernel addresses are not mapped
73
-	  into userspace.
74
-
75
-	  See Documentation/x86/pti.txt for more details.
7656 
7757 config SECURITY_INFINIBAND
7858 	bool "Infiniband Security Hooks"
....@@ -127,10 +107,10 @@
127107 	  it was configured with, especially since they may be responsible for
128108 	  providing such assurances to VMs and services running on it.
129109 
130
-	  See <http://www.intel.com/technology/security/> for more information
110
+	  See <https://www.intel.com/technology/security/> for more information
131111 	  about Intel(R) TXT.
132112 	  See <http://tboot.sourceforge.net> for more information about tboot.
133
-	  See Documentation/intel_txt.txt for a description of how to enable
113
+	  See Documentation/x86/intel_txt.rst for a description of how to enable
134114 	  Intel TXT support in a kernel boot.
135115 
136116 	  If you are unsure as to whether this is required, answer N.
....@@ -242,18 +222,19 @@
242222 	  If you wish for all usermode helper programs to be disabled,
243223 	  specify an empty string here (i.e. "").
244224 
245
-source security/selinux/Kconfig
246
-source security/smack/Kconfig
247
-source security/tomoyo/Kconfig
248
-source security/apparmor/Kconfig
249
-source security/loadpin/Kconfig
250
-source security/yama/Kconfig
251
-source security/optee_linuxdriver/Kconfig
225
+source "security/selinux/Kconfig"
226
+source "security/smack/Kconfig"
227
+source "security/tomoyo/Kconfig"
228
+source "security/apparmor/Kconfig"
229
+source "security/loadpin/Kconfig"
230
+source "security/yama/Kconfig"
231
+source "security/safesetid/Kconfig"
232
+source "security/lockdown/Kconfig"
252233 
253
-source security/integrity/Kconfig
234
+source "security/integrity/Kconfig"
254235 
255236 choice
256
-	prompt "Default security module"
237
+	prompt "First legacy 'major LSM' to be initialized"
257238 	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
258239 	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
259240 	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
....@@ -261,8 +242,13 @@
261242 	default DEFAULT_SECURITY_DAC
262243 
263244 	help
264
-	  Select the security module that will be used by default if the
265
-	  kernel parameter security= is not specified.
245
+	  This choice is there only for converting CONFIG_DEFAULT_SECURITY
246
+	  in old kernel configs to CONFIG_LSM in new kernel configs. Don't
247
+	  change this choice unless you are creating a fresh kernel config,
248
+	  for this choice will be ignored after CONFIG_LSM has been set.
249
+
250
+	  Selects the legacy "major security module" that will be
251
+	  initialized first. Overridden by non-default CONFIG_LSM.
266252 
267253 	config DEFAULT_SECURITY_SELINUX
268254 		bool "SELinux" if SECURITY_SELINUX=y
....@@ -281,13 +267,19 @@
281267 
282268 endchoice
283269 
284
-config DEFAULT_SECURITY
285
-	string
286
-	default "selinux" if DEFAULT_SECURITY_SELINUX
287
-	default "smack" if DEFAULT_SECURITY_SMACK
288
-	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
289
-	default "apparmor" if DEFAULT_SECURITY_APPARMOR
290
-	default "" if DEFAULT_SECURITY_DAC
270
+config LSM
271
+	string "Ordered list of enabled LSMs"
272
+	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
273
+	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
274
+	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
275
+	default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
276
+	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
277
+	help
278
+	  A comma-separated list of LSMs, in initialization order.
279
+	  Any LSMs left off this list will be ignored. This can be
280
+	  controlled at boot with the "lsm=" parameter.
281
+
282
+	  If unsure, leave this as the default.
291283 
292284 source "security/Kconfig.hardening"
293285