security/Kconfig
Source file repositories/reference/linux-study-clean/security/Kconfig
File Facts
- System
- Linux kernel
- Corpus path
security/Kconfig- Extension
[no extension]- Size
- 11007 bytes
- Lines
- 306
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: build/configuration rule
- Status
- atlas-only
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
- No top-level syscall, struct, function, initcall, or export declaration detected by the generator.
Annotated Snippet
# SPDX-License-Identifier: GPL-2.0-only
#
# Security configuration
#
menu "Security options"
source "security/keys/Kconfig"
config SECURITY_DMESG_RESTRICT
bool "Restrict unprivileged access to the kernel syslog"
default n
help
This enforces restrictions on unprivileged users reading the kernel
syslog via dmesg(8).
If this option is not selected, no restrictions will be enforced
unless the dmesg_restrict sysctl is explicitly set to (1).
If you are unsure how to answer this question, answer N.
choice
prompt "Allow /proc/pid/mem access override"
default PROC_MEM_FORCE_PTRACE
help
Traditionally /proc/pid/mem allows users to override memory
permissions for users like ptrace, assuming they have ptrace
capability.
This allows people to limit that - either never override, or
require actual active ptrace attachment (default).
config PROC_MEM_ALWAYS_FORCE
bool "Traditional /proc/pid/mem behavior"
help
This allows /proc/pid/mem accesses to override memory mapping
permissions if you have ptrace access rights.
config PROC_MEM_FORCE_PTRACE
bool "Require active ptrace() use for access override"
help
This allows /proc/pid/mem accesses to override memory mapping
permissions for active ptracers like gdb.
config PROC_MEM_NO_FORCE
bool "Never"
help
Never override memory mapping permissions
endchoice
config MSEAL_SYSTEM_MAPPINGS
bool "mseal system mappings"
depends on 64BIT
depends on ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS
depends on !CHECKPOINT_RESTORE
help
Apply mseal on system mappings.
The system mappings includes vdso, vvar, vvar_vclock,
vectors (arm compat-mode), sigpage (arm compat-mode), uprobes.
A 64-bit kernel is required for the memory sealing feature.
No specific hardware features from the CPU are needed.
WARNING: This feature breaks programs which rely on relocating
or unmapping system mappings. Known broken software at the time
of writing includes CHECKPOINT_RESTORE, UML, gVisor, rr. Therefore
this config can't be enabled universally.
For complete descriptions of memory sealing, please see
Annotation
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.