security/Kconfig

Source file repositories/reference/linux-study-clean/security/Kconfig

File Facts

System: Linux kernel
Corpus path: security/Kconfig
Extension: [no extension]
Size: 11007 bytes
Lines: 306
Domain: Core OS
Bucket: Security And Isolation
Inferred role: Core OS: build/configuration rule
Status: atlas-only

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

# SPDX-License-Identifier: GPL-2.0-only
#
# Security configuration
#

menu "Security options"

source "security/keys/Kconfig"

config SECURITY_DMESG_RESTRICT
	bool "Restrict unprivileged access to the kernel syslog"
	default n
	help
	  This enforces restrictions on unprivileged users reading the kernel
	  syslog via dmesg(8).

	  If this option is not selected, no restrictions will be enforced
	  unless the dmesg_restrict sysctl is explicitly set to (1).

	  If you are unsure how to answer this question, answer N.

choice
	prompt "Allow /proc/pid/mem access override"
	default PROC_MEM_FORCE_PTRACE
	help
	  Traditionally /proc/pid/mem allows users to override memory
	  permissions for users like ptrace, assuming they have ptrace
	  capability.

	  This allows people to limit that - either never override, or
	  require actual active ptrace attachment (default).

config PROC_MEM_ALWAYS_FORCE
	bool "Traditional /proc/pid/mem behavior"
	help
	  This allows /proc/pid/mem accesses to override memory mapping
	  permissions if you have ptrace access rights.

config PROC_MEM_FORCE_PTRACE
	bool "Require active ptrace() use for access override"
	help
	  This allows /proc/pid/mem accesses to override memory mapping
	  permissions for active ptracers like gdb.

config PROC_MEM_NO_FORCE
	bool "Never"
	help
	  Never override memory mapping permissions

endchoice

config MSEAL_SYSTEM_MAPPINGS
	bool "mseal system mappings"
	depends on 64BIT
	depends on ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS
	depends on !CHECKPOINT_RESTORE
	help
	  Apply mseal on system mappings.
	  The system mappings includes vdso, vvar, vvar_vclock,
	  vectors (arm compat-mode), sigpage (arm compat-mode), uprobes.

	  A 64-bit kernel is required for the memory sealing feature.
	  No specific hardware features from the CPU are needed.

	  WARNING: This feature breaks programs which rely on relocating
	  or unmapping system mappings. Known broken software at the time
	  of writing includes CHECKPOINT_RESTORE, UML, gVisor, rr. Therefore
	  this config can't be enabled universally.

	  For complete descriptions of memory sealing, please see

Annotation

Implementation Notes
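
An added example (not part of the kernel source or of this page's original annotation): a small Python audit that parses a `.config` and reports on the options in the snippet above, including the `PROC_MEM_*` choice group and the `MSEAL_SYSTEM_MAPPINGS` dependencies. The sample config, the function names and the finding strings are constructed for illustration; `kernel.dmesg_restrict` is the sysctl the help text refers to.

```python
import re

# Constructed sample .config fragment for illustration (not from a real system).
SAMPLE_CONFIG = """\
CONFIG_64BIT=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_PROC_MEM_ALWAYS_FORCE=y
# CONFIG_PROC_MEM_FORCE_PTRACE is not set
# CONFIG_PROC_MEM_NO_FORCE is not set
CONFIG_ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS=y
CONFIG_CHECKPOINT_RESTORE=y
# CONFIG_MSEAL_SYSTEM_MAPPINGS is not set
"""

PROC_MEM_CHOICE = ("PROC_MEM_ALWAYS_FORCE", "PROC_MEM_FORCE_PTRACE",
                   "PROC_MEM_NO_FORCE")
LINE_RE = re.compile(r"^(?:CONFIG_(\w+)=(.*)|# CONFIG_(\w+) is not set)$")

def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    syms = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            syms[m.group(1) or m.group(3)] = m.group(2) if m.group(1) else "n"
    return syms

def audit(syms):
    """Return (symbol, finding) pairs for the options shown in the snippet."""
    on = lambda s: syms.get(s) == "y"
    out = []
    if not on("SECURITY_DMESG_RESTRICT"):
        out.append(("SECURITY_DMESG_RESTRICT",
                    "off: no restriction unless kernel.dmesg_restrict=1 is set"))
    chosen = [s for s in PROC_MEM_CHOICE if on(s)]
    if len(chosen) != 1:  # a Kconfig choice selects exactly one member
        out.append(("PROC_MEM_*", "expected one choice member, found %d" % len(chosen)))
    elif chosen[0] == "PROC_MEM_ALWAYS_FORCE":
        out.append((chosen[0], "override allowed with ptrace access rights alone"))
    if not on("MSEAL_SYSTEM_MAPPINGS"):
        unmet = [d for d in ("64BIT", "ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS") if not on(d)]
        if on("CHECKPOINT_RESTORE"):  # 'depends on !CHECKPOINT_RESTORE'
            unmet.append("!CHECKPOINT_RESTORE")
        out.append(("MSEAL_SYSTEM_MAPPINGS",
                    "off; unmet dependencies: " + (", ".join(unmet) or "none")))
    return out

if __name__ == "__main__":
    for sym, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{sym}: {msg}")
```

On a real host, pass the text of the build's `.config` to `parse_config` in place of the constructed sample.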