0001 config SECURITY_LOCKDOWN_LSM
0002 bool "Basic module for enforcing kernel lockdown"
0003 depends on SECURITY
0004 select MODULE_SIG if MODULES
0005 help
0006 Build support for an LSM that enforces a coarse kernel lockdown
0007 behaviour.
0008
0009 config SECURITY_LOCKDOWN_LSM_EARLY
0010 bool "Enable lockdown LSM early in init"
0011 depends on SECURITY_LOCKDOWN_LSM
0012 help
0013 Enable the lockdown LSM early in boot. This is necessary in order
0014 to ensure that lockdown enforcement can be carried out on kernel
0015 boot parameters that are otherwise parsed before the security
0016 subsystem is fully initialised. If enabled, lockdown will
0017 unconditionally be called before any other LSMs.
0018
0019 choice
0020 prompt "Kernel default lockdown mode"
0021 default LOCK_DOWN_KERNEL_FORCE_NONE
0022 depends on SECURITY_LOCKDOWN_LSM
0023 help
0024 The kernel can be configured to default to differing levels of
0025 lockdown.
0026
0027 config LOCK_DOWN_KERNEL_FORCE_NONE
0028 bool "None"
0029 help
0030 No lockdown functionality is enabled by default. Lockdown may be
0031 enabled via the kernel commandline or /sys/kernel/security/lockdown.
0032
0033 config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
0034 bool "Integrity"
0035 help
0036 The kernel runs in integrity mode by default. Features that allow
0037 the kernel to be modified at runtime are disabled.
0038
0039 config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
0040 bool "Confidentiality"
0041 help
0042 The kernel runs in confidentiality mode by default. Features that
0043 allow the kernel to be modified at runtime or that permit userland
0044 code to read confidential material held inside the kernel are
0045 disabled.
0046
0047 endchoice
