blob: e84ddf48401010bcc0829a32db58e6f12bfdedcb
# Blame: Matthew Garrett, 000d388, 2019-08-19 17:17:39 -0700, for all lines
# except "select MODULE_SIG if MODULES" (David Howells, 49fcf73,
# 2019-08-19 17:17:40 -0700).
config SECURITY_LOCKDOWN_LSM
	bool "Basic module for enforcing kernel lockdown"
	depends on SECURITY
	select MODULE_SIG if MODULES
	help
	  Build support for an LSM that enforces a coarse kernel lockdown
	  behaviour.

config SECURITY_LOCKDOWN_LSM_EARLY
	bool "Enable lockdown LSM early in init"
	depends on SECURITY_LOCKDOWN_LSM
	help
	  Enable the lockdown LSM early in boot. This is necessary in order
	  to ensure that lockdown enforcement can be carried out on kernel
	  boot parameters that are otherwise parsed before the security
	  subsystem is fully initialised. If enabled, lockdown will
	  unconditionally be called before any other LSMs.

choice
	prompt "Kernel default lockdown mode"
	default LOCK_DOWN_KERNEL_FORCE_NONE
	depends on SECURITY_LOCKDOWN_LSM
	help
	  The kernel can be configured to default to differing levels of
	  lockdown.

config LOCK_DOWN_KERNEL_FORCE_NONE
	bool "None"
	help
	  No lockdown functionality is enabled by default. Lockdown may be
	  enabled via the kernel commandline or /sys/kernel/security/lockdown.

config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
	bool "Integrity"
	help
	  The kernel runs in integrity mode by default. Features that allow
	  the kernel to be modified at runtime are disabled.

config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
	bool "Confidentiality"
	help
	  The kernel runs in confidentiality mode by default. Features that
	  allow the kernel to be modified at runtime or that permit userland
	  code to read confidential material held inside the kernel are
	  disabled.

endchoice
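
Added example, not part of the kernel tree: a shell audit that reads the options above from a built kernel's .config and checks the runtime mode reported by /sys/kernel/security/lockdown, where the kernel brackets the active mode. The function names and sample inputs are constructed for illustration; the ranking assumes confidentiality includes everything integrity disables, as the help text states.

```shell
#!/bin/sh
# Added example (not from the kernel tree). Sample inputs are constructed.

# Read a kernel .config on stdin; print "<default mode> <early|late>",
# or "unsupported" when the lockdown LSM is not built.
lockdown_config_default() {
    awk '
        /^CONFIG_SECURITY_LOCKDOWN_LSM=y$/                  { lsm = 1 }
        /^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y$/            { early = 1 }
        /^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y$/            { mode = "none" }
        /^CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y$/       { mode = "integrity" }
        /^CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y$/ { mode = "confidentiality" }
        END {
            if (!lsm) { print "unsupported"; exit }
            if (mode == "") mode = "none"
            printf "%s %s\n", mode, (early ? "early" : "late")
        }'
}

# Extract the bracketed (active) mode from the sysfs file contents in $1.
lockdown_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Map a mode name to its strictness; unknown or empty names rank below "none".
lockdown_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo -1 ;;
    esac
}

# Succeed only if the active mode in $1 is at least as strict as mode $2.
lockdown_meets() {
    have=$(lockdown_rank "$(lockdown_active_mode "$1")")
    want=$(lockdown_rank "$2")
    [ "$want" -ge 0 ] && [ "$have" -ge "$want" ]
}

SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y'
SAMPLE_SYSFS='none [integrity] confidentiality'

printf '%s\n' "$SAMPLE_CONFIG" | lockdown_config_default
lockdown_meets "$SAMPLE_SYSFS" confidentiality || echo "runtime mode is below confidentiality"
```

On a live system, pass "$(cat /sys/kernel/security/lockdown)" as the first argument to lockdown_meets and pipe the running kernel's .config into lockdown_config_default.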