android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
000d388ed3
android_kernel_xiaomi_sm8450/security/lockdown/Kconfig
Matthew Garrett 000d388ed3 security: Add a static lockdown policy LSM 
While existing LSMs can be extended to handle lockdown policy,
distributions generally want to be able to apply a straightforward
static policy. This patch adds a simple LSM that can be configured to
reject either integrity or all lockdown queries, and can be configured
at runtime (through securityfs), boot time (via a kernel parameter) or
build time (via a kconfig option). Based on initial code by David
Howells.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
2019-08-19 21:54:15 -07:00

47 lines
1.5 KiB
Plaintext
Raw Blame History

config SECURITY_LOCKDOWN_LSM
bool "Basic module for enforcing kernel lockdown"
depends on SECURITY
help
Build support for an LSM that enforces a coarse kernel lockdown
behaviour.
config SECURITY_LOCKDOWN_LSM_EARLY
bool "Enable lockdown LSM early in init"
depends on SECURITY_LOCKDOWN_LSM
help
Enable the lockdown LSM early in boot. This is necessary in order
to ensure that lockdown enforcement can be carried out on kernel
boot parameters that are otherwise parsed before the security
subsystem is fully initialised. If enabled, lockdown will
unconditionally be called before any other LSMs.
choice
prompt "Kernel default lockdown mode"
default LOCK_DOWN_KERNEL_FORCE_NONE
depends on SECURITY_LOCKDOWN_LSM
help
The kernel can be configured to default to differing levels of
lockdown.
config LOCK_DOWN_KERNEL_FORCE_NONE
bool "None"
help
No lockdown functionality is enabled by default. Lockdown may be
enabled via the kernel commandline or /sys/kernel/security/lockdown.
config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
bool "Integrity"
help
The kernel runs in integrity mode by default. Features that allow
the kernel to be modified at runtime are disabled.
config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
bool "Confidentiality"
help
The kernel runs in confidentiality mode by default. Features that
allow the kernel to be modified at runtime or that permit userland
code to read confidential material held inside the kernel are
disabled.
endchoice
Reference in New Issue View Git Blame Copy Permalink