forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
47 lines
1.5 KiB
47 lines
1.5 KiB
config SECURITY_LOCKDOWN_LSM |
|
bool "Basic module for enforcing kernel lockdown" |
|
depends on SECURITY |
|
select MODULE_SIG if MODULES |
|
help |
|
Build support for an LSM that enforces a coarse kernel lockdown |
|
behaviour. |
|
|
|
config SECURITY_LOCKDOWN_LSM_EARLY |
|
bool "Enable lockdown LSM early in init" |
|
depends on SECURITY_LOCKDOWN_LSM |
|
help |
|
Enable the lockdown LSM early in boot. This is necessary in order |
|
to ensure that lockdown enforcement can be carried out on kernel |
|
boot parameters that are otherwise parsed before the security |
|
subsystem is fully initialised. If enabled, lockdown will |
|
unconditionally be called before any other LSMs. |
|
|
|
choice |
|
prompt "Kernel default lockdown mode" |
|
default LOCK_DOWN_KERNEL_FORCE_NONE |
|
depends on SECURITY_LOCKDOWN_LSM |
|
help |
|
The kernel can be configured to default to differing levels of |
|
lockdown. |
|
|
|
config LOCK_DOWN_KERNEL_FORCE_NONE |
|
bool "None" |
|
help |
|
No lockdown functionality is enabled by default. Lockdown may be |
|
enabled via the kernel commandline or /sys/kernel/security/lockdown. |
|
|
|
config LOCK_DOWN_KERNEL_FORCE_INTEGRITY |
|
bool "Integrity" |
|
help |
|
The kernel runs in integrity mode by default. Features that allow |
|
the kernel to be modified at runtime are disabled. |
|
|
|
config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY |
|
bool "Confidentiality" |
|
help |
|
The kernel runs in confidentiality mode by default. Features that |
|
allow the kernel to be modified at runtime or that permit userland |
|
code to read confidential material held inside the kernel are |
|
disabled. |
|
|
|
endchoice
|
|
|