~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,10 +1,11 @@
	1	+# SPDX-License-Identifier: GPL-2.0-only
1	2	#
2	3	# Security configuration
3	4	#
4	5
5	6	menu "Security options"
6	7
7		-source security/keys/Kconfig
	8	+source "security/keys/Kconfig"
8	9
9	10	config SECURITY_DMESG_RESTRICT
10	11	bool "Restrict unprivileged access to the kernel syslog"
..	..	@@ -17,15 +18,6 @@
17	18	unless the dmesg_restrict sysctl is explicitly set to (1).
18	19
19	20	If you are unsure how to answer this question, answer N.
20		-
21		-config SECURITY_PERF_EVENTS_RESTRICT
22		- bool "Restrict unprivileged use of performance events"
23		- depends on PERF_EVENTS
24		- help
25		- If you say Y here, the kernel.perf_event_paranoid sysctl
26		- will be set to 3 by default, and no unprivileged use of the
27		- perf_event_open syscall will be permitted unless it is
28		- changed.
29	21
30	22	config SECURITY
31	23	bool "Enable different security models"
..	..	@@ -49,8 +41,7 @@
49	41	bool "Enable the securityfs filesystem"
50	42	help
51	43	This will build the securityfs filesystem. It is currently used by
52		- the TPM bios character driver and IMA, an integrity provider. It is
53		- not used by SELinux or SMACK.
	44	+ various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM).
54	45
55	46	If you are unsure how to answer this question, answer N.
56	47
..	..	@@ -62,17 +53,6 @@
62	53	If enabled, a security module can use these hooks to
63	54	implement socket and networking access controls.
64	55	If you are unsure how to answer this question, answer N.
65		-
66		-config PAGE_TABLE_ISOLATION
67		- bool "Remove the kernel mapping in user mode"
68		- default y
69		- depends on (X86_64 \|\| X86_PAE) && !UML
70		- help
71		- This feature reduces the number of hardware side channels by
72		- ensuring that the majority of kernel addresses are not mapped
73		- into userspace.
74		-
75		- See Documentation/x86/pti.txt for more details.
76	56
77	57	config SECURITY_INFINIBAND
78	58	bool "Infiniband Security Hooks"
..	..	@@ -127,10 +107,10 @@
127	107	it was configured with, especially since they may be responsible for
128	108	providing such assurances to VMs and services running on it.
129	109
130		- See <http://www.intel.com/technology/security/> for more information
	110	+ See <https://www.intel.com/technology/security/> for more information
131	111	about Intel(R) TXT.
132	112	See <http://tboot.sourceforge.net> for more information about tboot.
133		- See Documentation/intel_txt.txt for a description of how to enable
	113	+ See Documentation/x86/intel_txt.rst for a description of how to enable
134	114	Intel TXT support in a kernel boot.
135	115
136	116	If you are unsure as to whether this is required, answer N.
..	..	@@ -242,18 +222,19 @@
242	222	If you wish for all usermode helper programs to be disabled,
243	223	specify an empty string here (i.e. "").
244	224
245		-source security/selinux/Kconfig
246		-source security/smack/Kconfig
247		-source security/tomoyo/Kconfig
248		-source security/apparmor/Kconfig
249		-source security/loadpin/Kconfig
250		-source security/yama/Kconfig
251		-source security/optee_linuxdriver/Kconfig
	225	+source "security/selinux/Kconfig"
	226	+source "security/smack/Kconfig"
	227	+source "security/tomoyo/Kconfig"
	228	+source "security/apparmor/Kconfig"
	229	+source "security/loadpin/Kconfig"
	230	+source "security/yama/Kconfig"
	231	+source "security/safesetid/Kconfig"
	232	+source "security/lockdown/Kconfig"
252	233
253		-source security/integrity/Kconfig
	234	+source "security/integrity/Kconfig"
254	235
255	236	choice
256		- prompt "Default security module"
	237	+ prompt "First legacy 'major LSM' to be initialized"
257	238	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
258	239	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
259	240	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
..	..	@@ -261,8 +242,13 @@
261	242	default DEFAULT_SECURITY_DAC
262	243
263	244	help
264		- Select the security module that will be used by default if the
265		- kernel parameter security= is not specified.
	245	+ This choice is there only for converting CONFIG_DEFAULT_SECURITY
	246	+ in old kernel configs to CONFIG_LSM in new kernel configs. Don't
	247	+ change this choice unless you are creating a fresh kernel config,
	248	+ for this choice will be ignored after CONFIG_LSM has been set.
	249	+
	250	+ Selects the legacy "major security module" that will be
	251	+ initialized first. Overridden by non-default CONFIG_LSM.
266	252
267	253	config DEFAULT_SECURITY_SELINUX
268	254	bool "SELinux" if SECURITY_SELINUX=y
..	..	@@ -281,13 +267,19 @@
281	267
282	268	endchoice
283	269
284		-config DEFAULT_SECURITY
285		- string
286		- default "selinux" if DEFAULT_SECURITY_SELINUX
287		- default "smack" if DEFAULT_SECURITY_SMACK
288		- default "tomoyo" if DEFAULT_SECURITY_TOMOYO
289		- default "apparmor" if DEFAULT_SECURITY_APPARMOR
290		- default "" if DEFAULT_SECURITY_DAC
	270	+config LSM
	271	+ string "Ordered list of enabled LSMs"
	272	+ default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
	273	+ default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
	274	+ default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
	275	+ default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
	276	+ default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
	277	+ help
	278	+ A comma-separated list of LSMs, in initialization order.
	279	+ Any LSMs left off this list will be ignored. This can be
	280	+ controlled at boot with the "lsm=" parameter.
	281	+
	282	+ If unsure, leave this as the default.
291	283
292	284	source "security/Kconfig.hardening"
293	285