Файловый менеджер

Файловый менеджер - Редактировать - /var/www/xthruster/html/wp-content/uploads/flags/security.tar

Назад
smack/Kconfig��0000644��00000003770�14722053644�0007163 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only config SECURITY_SMACK bool "Simplified Mandatory Access Control Kernel Support" depends on NET depends on INET depends on SECURITY select NETLABEL select SECURITY_NETWORK default n help This selects the Simplified Mandatory Access Control Kernel. Smack is useful for sensitivity, integrity, and a variety of other mandatory security schemes. If you are unsure how to answer this question, answer N. config SECURITY_SMACK_BRINGUP bool "Reporting on access granted by Smack rules" depends on SECURITY_SMACK default n help Enable the bring-up ("b") access mode in Smack rules. When access is granted by a rule with the "b" mode a message about the access requested is generated. The intention is that a process can be granted a wide set of access initially with the bringup mode set on the rules. The developer can use the information to identify which rules are necessary and what accesses may be inappropriate. The developer can reduce the access rule set once the behavior is well understood. This is a superior mechanism to the oft abused "permissive" mode of other systems. If you are unsure how to answer this question, answer N. config SECURITY_SMACK_NETFILTER bool "Packet marking using secmarks for netfilter" depends on SECURITY_SMACK depends on NETWORK_SECMARK depends on NETFILTER default n help This enables security marking of network packets using Smack labels. If you are unsure how to answer this question, answer N. config SECURITY_SMACK_APPEND_SIGNALS bool "Treat delivering signals as an append operation" depends on SECURITY_SMACK default n help Sending a signal has been treated as a write operation to the receiving process. If this option is selected, the delivery will be an append operation instead. This makes it possible to differentiate between delivering a network packet and delivering a signal in the Smack rules. If you are unsure how to answer this question, answer N. ��smack/Makefile��0000644��00000000341�14722053644�0007307 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only # # Makefile for the SMACK LSM # obj-$(CONFIG_SECURITY_SMACK) := smack.o smack-y := smack_lsm.o smack_access.o smackfs.o smack-$(CONFIG_SECURITY_SMACK_NETFILTER) += smack_netfilter.o ��yama/Kconfig��0000644��00000001023�14722053644�0007001 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only config SECURITY_YAMA bool "Yama support" depends on SECURITY default n help This selects Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. Currently available is ptrace scope restriction. Like capabilities, this security module stacks with other LSMs. Further information can be found in Documentation/admin-guide/LSM/Yama.rst. If you are unsure how to answer this question, answer N. ��yama/Makefile��0000644��00000000144�14722053644�0007141 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only obj-$(CONFIG_SECURITY_YAMA) := yama.o yama-y := yama_lsm.o ��Kconfig.hardening��0000644��00000017661�14722053644�0010027 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only menu "Kernel hardening options" config GCC_PLUGIN_STRUCTLEAK bool help While the kernel is built with warnings enabled for any missed stack variable initializations, this warning is silenced for anything passed by reference to another function, under the occasionally misguided assumption that the function will do the initialization. As this regularly leads to exploitable flaws, this plugin is available to identify and zero-initialize such variables, depending on the chosen level of coverage. This plugin was originally ported from grsecurity/PaX. More information at: * https://grsecurity.net/ * https://pax.grsecurity.net/ menu "Memory initialization" config CC_HAS_AUTO_VAR_INIT def_bool $(cc-option,-ftrivial-auto-var-init=pattern) choice prompt "Initialize kernel stack variables at function entry" default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT default INIT_STACK_NONE help This option enables initialization of stack variables at function entry time. This has the possibility to have the greatest coverage (since all functions can have their variables initialized), but the performance impact depends on the function calling complexity of a given workload's syscalls. This chooses the level of coverage over classes of potentially uninitialized variables. The selected class will be initialized before use in a function. config INIT_STACK_NONE bool "no automatic initialization (weakest)" help Disable automatic stack variable initialization. This leaves the kernel vulnerable to the standard classes of uninitialized stack variable exploits and information exposures. config GCC_PLUGIN_STRUCTLEAK_USER bool "zero-init structs marked for userspace (weak)" depends on GCC_PLUGINS select GCC_PLUGIN_STRUCTLEAK help Zero-initialize any structures on the stack containing a __user attribute. This can prevent some classes of uninitialized stack variable exploits and information exposures, like CVE-2013-2141: https://git.kernel.org/linus/b9e146d8eb3b9eca config GCC_PLUGIN_STRUCTLEAK_BYREF bool "zero-init structs passed by reference (strong)" depends on GCC_PLUGINS depends on !(KASAN && KASAN_STACK=1) select GCC_PLUGIN_STRUCTLEAK help Zero-initialize any structures on the stack that may be passed by reference and had not already been explicitly initialized. This can prevent most classes of uninitialized stack variable exploits and information exposures, like CVE-2017-1000410: https://git.kernel.org/linus/06e7e776ca4d3654 As a side-effect, this keeps a lot of variables on the stack that can otherwise be optimized out, so combining this with CONFIG_KASAN_STACK can lead to a stack overflow and is disallowed. config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL bool "zero-init anything passed by reference (very strong)" depends on GCC_PLUGINS depends on !(KASAN && KASAN_STACK=1) select GCC_PLUGIN_STRUCTLEAK help Zero-initialize any stack variables that may be passed by reference and had not already been explicitly initialized. This is intended to eliminate all classes of uninitialized stack variable exploits and information exposures. config INIT_STACK_ALL bool "0xAA-init everything on the stack (strongest)" depends on CC_HAS_AUTO_VAR_INIT help Initializes everything on the stack with a 0xAA pattern. This is intended to eliminate all classes of uninitialized stack variable exploits and information exposures, even variables that were warned to have been left uninitialized. endchoice config GCC_PLUGIN_STRUCTLEAK_VERBOSE bool "Report forcefully initialized variables" depends on GCC_PLUGIN_STRUCTLEAK depends on !COMPILE_TEST # too noisy help This option will cause a warning to be printed each time the structleak plugin finds a variable it thinks needs to be initialized. Since not all existing initializers are detected by the plugin, this can produce false positive warnings. config GCC_PLUGIN_STACKLEAK bool "Poison kernel stack before returning from syscalls" depends on GCC_PLUGINS depends on HAVE_ARCH_STACKLEAK help This option makes the kernel erase the kernel stack before returning from system calls. This has the effect of leaving the stack initialized to the poison value, which both reduces the lifetime of any sensitive stack contents and reduces potential for uninitialized stack variable exploits or information exposures (it does not cover functions reaching the same stack depth as prior functions during the same syscall). This blocks most uninitialized stack variable attacks, with the performance impact being driven by the depth of the stack usage, rather than the function calling complexity. The performance impact on a single CPU system kernel compilation sees a 1% slowdown, other systems and workloads may vary and you are advised to test this feature on your expected workload before deploying it. This plugin was ported from grsecurity/PaX. More information at: * https://grsecurity.net/ * https://pax.grsecurity.net/ config STACKLEAK_TRACK_MIN_SIZE int "Minimum stack frame size of functions tracked by STACKLEAK" default 100 range 0 4096 depends on GCC_PLUGIN_STACKLEAK help The STACKLEAK gcc plugin instruments the kernel code for tracking the lowest border of the kernel stack (and for some other purposes). It inserts the stackleak_track_stack() call for the functions with a stack frame size greater than or equal to this parameter. If unsure, leave the default value 100. config STACKLEAK_METRICS bool "Show STACKLEAK metrics in the /proc file system" depends on GCC_PLUGIN_STACKLEAK depends on PROC_FS help If this is set, STACKLEAK metrics for every task are available in the /proc file system. In particular, /proc/<pid>/stack_depth shows the maximum kernel stack consumption for the current and previous syscalls. Although this information is not precise, it can be useful for estimating the STACKLEAK performance impact for your workloads. config STACKLEAK_RUNTIME_DISABLE bool "Allow runtime disabling of kernel stack erasing" depends on GCC_PLUGIN_STACKLEAK help This option provides 'stack_erasing' sysctl, which can be used in runtime to control kernel stack erasing for kernels built with CONFIG_GCC_PLUGIN_STACKLEAK. config INIT_ON_ALLOC_DEFAULT_ON bool "Enable heap memory zeroing on allocation by default" help This has the effect of setting "init_on_alloc=1" on the kernel command line. This can be disabled with "init_on_alloc=0". When "init_on_alloc" is enabled, all page allocator and slab allocator memory will be zeroed when allocated, eliminating many kinds of "uninitialized heap memory" flaws, especially heap content exposures. The performance impact varies by workload, but most cases see <1% impact. Some synthetic workloads have measured as high as 7%. config INIT_ON_FREE_DEFAULT_ON bool "Enable heap memory zeroing on free by default" help This has the effect of setting "init_on_free=1" on the kernel command line. This can be disabled with "init_on_free=0". Similar to "init_on_alloc", when "init_on_free" is enabled, all page allocator and slab allocator memory will be zeroed when freed, eliminating many kinds of "uninitialized heap memory" flaws, especially heap content exposures. The primary difference with "init_on_free" is that data lifetime in memory is reduced, as anything freed is wiped immediately, making live forensics or cold boot memory attacks unable to recover freed memory contents. The performance impact varies by workload, but is more expensive than "init_on_alloc" due to the negative cache effects of touching "cold" memory areas. Most cases see 3-5% impact. Some synthetic workloads have measured as high as 8%. endmenu endmenu ��lockdown/Kconfig��0000644��00000003753�14722053644�0007706 0��ustar�00��config SECURITY_LOCKDOWN_LSM bool "Basic module for enforcing kernel lockdown" depends on SECURITY select MODULE_SIG if MODULES help Build support for an LSM that enforces a coarse kernel lockdown behaviour. config SECURITY_LOCKDOWN_LSM_EARLY bool "Enable lockdown LSM early in init" depends on SECURITY_LOCKDOWN_LSM help Enable the lockdown LSM early in boot. This is necessary in order to ensure that lockdown enforcement can be carried out on kernel boot parameters that are otherwise parsed before the security subsystem is fully initialised. If enabled, lockdown will unconditionally be called before any other LSMs. config LOCK_DOWN_IN_SECURE_BOOT bool "Lock down the kernel in Secure Boot mode" default n depends on (EFI \|\| S390 \|\| PPC) && SECURITY_LOCKDOWN_LSM_EARLY help Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Secure boot mode determination is platform-specific; examples include EFI secure boot and SIPL on s390. Enabling this option results in kernel lockdown being triggered if booted under secure boot. choice prompt "Kernel default lockdown mode" default LOCK_DOWN_KERNEL_FORCE_NONE depends on SECURITY_LOCKDOWN_LSM help The kernel can be configured to default to differing levels of lockdown. config LOCK_DOWN_KERNEL_FORCE_NONE bool "None" help No lockdown functionality is enabled by default. Lockdown may be enabled via the kernel commandline or /sys/kernel/security/lockdown. config LOCK_DOWN_KERNEL_FORCE_INTEGRITY bool "Integrity" help The kernel runs in integrity mode by default. Features that allow the kernel to be modified at runtime are disabled. config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY bool "Confidentiality" help The kernel runs in confidentiality mode by default. Features that allow the kernel to be modified at runtime or that permit userland code to read confidential material held inside the kernel are disabled. endchoice ��lockdown/Makefile��0000644��00000000062�14722053644�0010031 0��ustar�00��obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown.o ��loadpin/Kconfig��0000644��00000001465�14722053644�0007512 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only config SECURITY_LOADPIN bool "Pin load of kernel files (modules, fw, etc) to one filesystem" depends on SECURITY && BLOCK help Any files read through the kernel file reading interface (kernel modules, firmware, kexec images, security policy) can be pinned to the first filesystem used for loading. When enabled, any files that come from other filesystems will be rejected. This is best used on systems without an initrd that have a root filesystem backed by a read-only device such as dm-verity or a CDROM. config SECURITY_LOADPIN_ENFORCE bool "Enforce LoadPin at boot" depends on SECURITY_LOADPIN help If selected, LoadPin will enforce pinning at boot. If not selected, it can be enabled at boot with the kernel parameter "loadpin.enforce=1". ��loadpin/Makefile��0000644��00000000124�14722053644�0007636 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only obj-$(CONFIG_SECURITY_LOADPIN) += loadpin.o ��Kconfig��0000644��00000026203�14722053644�0006061 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only # # Security configuration # menu "Security options" source "security/keys/Kconfig" config SECURITY_DMESG_RESTRICT bool "Restrict unprivileged access to the kernel syslog" default n help This enforces restrictions on unprivileged users reading the kernel syslog via dmesg(8). If this option is not selected, no restrictions will be enforced unless the dmesg_restrict sysctl is explicitly set to (1). If you are unsure how to answer this question, answer N. config SECURITY_PERF_EVENTS_RESTRICT bool "Restrict unprivileged use of performance events" depends on PERF_EVENTS help If you say Y here, the kernel.perf_event_paranoid sysctl will be set to 3 by default, and no unprivileged use of the perf_event_open syscall will be permitted unless it is changed. config SECURITY bool "Enable different security models" depends on SYSFS depends on MULTIUSER help This allows you to choose different security modules to be configured into your kernel. If this option is not selected, the default Linux security model will be used. If you are unsure how to answer this question, answer N. config SECURITY_WRITABLE_HOOKS depends on SECURITY bool default n config SECURITYFS bool "Enable the securityfs filesystem" help This will build the securityfs filesystem. It is currently used by various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). If you are unsure how to answer this question, answer N. config SECURITY_NETWORK bool "Socket and Networking Security Hooks" depends on SECURITY help This enables the socket and networking security hooks. If enabled, a security module can use these hooks to implement socket and networking access controls. If you are unsure how to answer this question, answer N. config PAGE_TABLE_ISOLATION bool "Remove the kernel mapping in user mode" default y depends on (X86_64 \|\| X86_PAE) && !UML help This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. See Documentation/x86/pti.rst for more details. config SECURITY_INFINIBAND bool "Infiniband Security Hooks" depends on SECURITY && INFINIBAND help This enables the Infiniband security hooks. If enabled, a security module can use these hooks to implement Infiniband access controls. If you are unsure how to answer this question, answer N. config SECURITY_NETWORK_XFRM bool "XFRM (IPSec) Networking Security Hooks" depends on XFRM && SECURITY_NETWORK help This enables the XFRM (IPSec) networking security hooks. If enabled, a security module can use these hooks to implement per-packet access controls based on labels derived from IPSec policy. Non-IPSec communications are designated as unlabelled, and only sockets authorized to communicate unlabelled data can send without using IPSec. If you are unsure how to answer this question, answer N. config SECURITY_PATH bool "Security hooks for pathname based access control" depends on SECURITY help This enables the security hooks for pathname based access control. If enabled, a security module can use these hooks to implement pathname based access controls. If you are unsure how to answer this question, answer N. config INTEL_TXT bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" depends on HAVE_INTEL_TXT help This option enables support for booting the kernel with the Trusted Boot (tboot) module. This will utilize Intel(R) Trusted Execution Technology to perform a measured launch of the kernel. If the system does not support Intel(R) TXT, this will have no effect. Intel TXT will provide higher assurance of system configuration and initial state as well as data reset protection. This is used to create a robust initial kernel measurement and verification, which helps to ensure that kernel security mechanisms are functioning correctly. This level of protection requires a root of trust outside of the kernel itself. Intel TXT also helps solve real end user concerns about having confidence that their hardware is running the VMM or kernel that it was configured with, especially since they may be responsible for providing such assurances to VMs and services running on it. See <http://www.intel.com/technology/security/> for more information about Intel(R) TXT. See <http://tboot.sourceforge.net> for more information about tboot. See Documentation/x86/intel_txt.rst for a description of how to enable Intel TXT support in a kernel boot. If you are unsure as to whether this is required, answer N. config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX default 32768 if ARM \|\| (ARM64 && COMPAT) default 65536 help This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs. For most ia64, ppc64 and x86 users with lots of address space a value of 65536 is reasonable and should cause no problems. On arm and other archs it should not be higher than 32768. Programs which use vm86 functionality or have some need to map this low address space will need the permission specific to the systems running LSM. config HAVE_HARDENED_USERCOPY_ALLOCATOR bool help The heap allocator implements __check_heap_object() for validating memory ranges against heap object sizes in support of CONFIG_HARDENED_USERCOPY. config HARDENED_USERCOPY bool "Harden memory copies between kernel and userspace" depends on HAVE_HARDENED_USERCOPY_ALLOCATOR imply STRICT_DEVMEM help This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger than the specified heap object, span multiple separately allocated pages, are not on the process stack, or are part of the kernel text. This kills entire classes of heap overflow exploits and similar kernel memory exposures. config HARDENED_USERCOPY_FALLBACK bool "Allow usercopy whitelist violations to fallback to object size" depends on HARDENED_USERCOPY default y help This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log, instead of rejecting the copy, falling back to non-whitelisted hardened usercopy that checks the slab allocation size instead of the whitelist size. This option will be removed once it seems like all missing usercopy whitelists have been identified and fixed. Booting with "slab_common.usercopy_fallback=Y/N" can change this setting. config HARDENED_USERCOPY_PAGESPAN bool "Refuse to copy allocations that span multiple pages" depends on HARDENED_USERCOPY depends on EXPERT help When a multi-page allocation is done without __GFP_COMP, hardened usercopy will reject attempts to copy it. There are, however, several cases of this in the kernel that have not all been removed. This config is intended to be used only while trying to find such users. config FORTIFY_SOURCE bool "Harden common str/mem functions against buffer overflows" depends on ARCH_HAS_FORTIFY_SOURCE # https://bugs.llvm.org/show_bug.cgi?id=50322 # https://bugs.llvm.org/show_bug.cgi?id=41459 depends on !CC_IS_CLANG help Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. config STATIC_USERMODEHELPER bool "Force all usermode helper calls through a single binary" help By default, the kernel can call many different userspace binary programs through the "usermode helper" kernel interface. Some of these binaries are statically defined either in the kernel code itself, or as a kernel configuration option. However, some of these are dynamically created at runtime, or can be modified after the kernel has started up. To provide an additional layer of security, route all of these calls through a single executable that can not have its name changed. Note, it is up to this single binary to then call the relevant "real" usermode helper binary, based on the first argument passed to it. If desired, this program can filter and pick and choose what real programs are called. If you wish for all usermode helper programs are to be disabled, choose this option and then set STATIC_USERMODEHELPER_PATH to an empty string. config STATIC_USERMODEHELPER_PATH string "Path to the static usermode helper binary" depends on STATIC_USERMODEHELPER default "/sbin/usermode-helper" help The binary called by the kernel when any usermode helper program is wish to be run. The "real" application's name will be in the first argument passed to this program on the command line. If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). source "security/selinux/Kconfig" source "security/smack/Kconfig" source "security/tomoyo/Kconfig" source "security/apparmor/Kconfig" source "security/loadpin/Kconfig" source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/integrity/Kconfig" choice prompt "First legacy 'major LSM' to be initialized" default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX default DEFAULT_SECURITY_SMACK if SECURITY_SMACK default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR default DEFAULT_SECURITY_DAC help This choice is there only for converting CONFIG_DEFAULT_SECURITY in old kernel configs to CONFIG_LSM in new kernel configs. Don't change this choice unless you are creating a fresh kernel config, for this choice will be ignored after CONFIG_LSM has been set. Selects the legacy "major security module" that will be initialized first. Overridden by non-default CONFIG_LSM. config DEFAULT_SECURITY_SELINUX bool "SELinux" if SECURITY_SELINUX=y config DEFAULT_SECURITY_SMACK bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y config DEFAULT_SECURITY_TOMOYO bool "TOMOYO" if SECURITY_TOMOYO=y config DEFAULT_SECURITY_APPARMOR bool "AppArmor" if SECURITY_APPARMOR=y config DEFAULT_SECURITY_DAC bool "Unix Discretionary Access Controls" endchoice config LSM string "Ordered list of enabled LSMs" default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be controlled at boot with the "lsm=" parameter. If unsure, leave this as the default. source "security/Kconfig.hardening" endmenu ��selinux/Kconfig��0000644��00000006662�14722053644�0007557 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only config SECURITY_SELINUX bool "NSA SELinux Support" depends on SECURITY_NETWORK && AUDIT && NET && INET select NETWORK_SECMARK default n help This selects NSA Security-Enhanced Linux (SELinux). You will also need a policy configuration and a labeled filesystem. If you are unsure how to answer this question, answer N. config SECURITY_SELINUX_BOOTPARAM bool "NSA SELinux boot parameter" depends on SECURITY_SELINUX default n help This option adds a kernel parameter 'selinux', which allows SELinux to be disabled at boot. If this option is selected, SELinux functionality can be disabled with selinux=0 on the kernel command line. The purpose of this option is to allow a single kernel image to be distributed with SELinux built in, but not necessarily enabled. If you are unsure how to answer this question, answer N. config SECURITY_SELINUX_DISABLE bool "NSA SELinux runtime disable" depends on SECURITY_SELINUX select SECURITY_WRITABLE_HOOKS default n help This option enables writing to a selinuxfs node 'disable', which allows SELinux to be disabled at runtime prior to the policy load. SELinux will then remain disabled until the next boot. This option is similar to the selinux=0 boot parameter, but is to support runtime disabling of SELinux, e.g. from /sbin/init, for portability across platforms where boot parameters are difficult to employ. NOTE: selecting this option will disable the '__ro_after_init' kernel hardening feature for security hooks. Please consider using the selinux=0 boot parameter instead of enabling this option. If you are unsure how to answer this question, answer N. config SECURITY_SELINUX_DEVELOP bool "NSA SELinux Development Support" depends on SECURITY_SELINUX default y help This enables the development support option of NSA SELinux, which is useful for experimenting with SELinux and developing policies. If unsure, say Y. With this option enabled, the kernel will start in permissive mode (log everything, deny nothing) unless you specify enforcing=1 on the kernel command line. You can interactively toggle the kernel between enforcing mode and permissive mode (if permitted by the policy) via /selinux/enforce. config SECURITY_SELINUX_AVC_STATS bool "NSA SELinux AVC Statistics" depends on SECURITY_SELINUX default y help This option collects access vector cache statistics to /selinux/avc/cache_stats, which may be monitored via tools such as avcstat. config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX range 0 1 default 0 help This option sets the default value for the 'checkreqprot' flag that determines whether SELinux checks the protection requested by the application or the protection that will be applied by the kernel (including any implied execute for read-implies-exec) for mmap and mprotect calls. If this option is set to 0 (zero), SELinux will default to checking the protection that will be applied by the kernel. If this option is set to 1 (one), SELinux will default to checking the protection requested by the application. The checkreqprot flag may be changed from the default via the 'checkreqprot=' boot parameter. It may also be changed at runtime via /selinux/checkreqprot if authorized by policy. If you are unsure how to answer this question, answer 0. ��selinux/Makefile��0000644��00000002143�14722053644�0007702 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 # # Makefile for building the SELinux module as part of the kernel tree. # obj-$(CONFIG_SECURITY_SELINUX) := selinux.o selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ netnode.o netport.o ibpkey.o \ ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o selinux-$(CONFIG_NETLABEL) += netlabel.o ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include $(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h cmd_flask = $< $(obj)/flask.h $(obj)/av_permissions.h targets += flask.h av_permissions.h # once make >= 4.3 is required, we can use grouped targets in the rule below, # which basically involves adding both headers and a '&' before the colon, see # the example below: # $(obj)/flask.h $(obj)/av_permissions.h &: scripts/selinux/... $(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE $(call if_changed,flask) ��safesetid/Kconfig��0000644��00000001305�14722053644�0010024 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only config SECURITY_SAFESETID bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities" depends on SECURITY select SECURITYFS default n help SafeSetID is an LSM module that gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID mappings. If you are unsure how to answer this question, answer N. ��safesetid/Makefile��0000644��00000000234�14722053644�0010161 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 # # Makefile for the safesetid LSM. # obj-$(CONFIG_SECURITY_SAFESETID) := safesetid.o safesetid-y := lsm.o securityfs.o ��integrity/Kconfig��0000644��00000006516�14722053644�0010104 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only # config INTEGRITY bool "Integrity subsystem" depends on SECURITY default y help This option enables the integrity subsystem, which is comprised of a number of different components including the Integrity Measurement Architecture (IMA), Extended Verification Module (EVM), IMA-appraisal extension, digital signature verification extension and audit measurement log support. Each of these components can be enabled/disabled separately. Refer to the individual components for additional details. if INTEGRITY config INTEGRITY_SIGNATURE bool "Digital signature verification using multiple keyrings" default n select KEYS select SIGNATURE help This option enables digital signature verification support using multiple keyrings. It defines separate keyrings for each of the different use cases - evm, ima, and modules. Different keyrings improves search performance, but also allow to "lock" certain keyring to prevent adding new keys. This is useful for evm and module keyrings, when keys are usually only added from initramfs. config INTEGRITY_ASYMMETRIC_KEYS bool "Enable asymmetric keys support" depends on INTEGRITY_SIGNATURE default n select ASYMMETRIC_KEY_TYPE select ASYMMETRIC_PUBLIC_KEY_SUBTYPE select CRYPTO_RSA select X509_CERTIFICATE_PARSER help This option enables digital signature verification using asymmetric keys. config INTEGRITY_TRUSTED_KEYRING bool "Require all keys on the integrity keyrings be signed" depends on SYSTEM_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS default y help This option requires that all keys added to the .ima and .evm keyrings be signed by a key on the system trusted keyring. config INTEGRITY_PLATFORM_KEYRING bool "Provide keyring for platform/firmware trusted keys" depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING help Provide a separate, distinct keyring for platform trusted keys, which the kernel automatically populates during initialization from values provided by the platform for verifying the kexec'ed kerned image and, possibly, the initramfs signature. config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI def_bool y config LOAD_IPL_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on S390 def_bool y config LOAD_PPC_KEYS bool "Enable loading of platform and blacklisted keys for POWER" depends on INTEGRITY_PLATFORM_KEYRING depends on PPC_SECURE_BOOT default y help Enable loading of keys to the .platform keyring and blacklisted hashes to the .blacklist keyring for powerpc based platforms. config INTEGRITY_AUDIT bool "Enables integrity auditing support " depends on AUDIT default y help In addition to enabling integrity auditing support, this option adds a kernel parameter 'integrity_audit', which controls the level of integrity auditing messages. 0 - basic integrity auditing messages (default) 1 - additional integrity auditing messages Additional informational integrity auditing messages would be enabled by specifying 'integrity_audit=1' on the kernel command line. source "security/integrity/ima/Kconfig" source "security/integrity/evm/Kconfig" endif # if INTEGRITY ��integrity/ima/Kconfig��0000644��00000022706�14722053644�0010651 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only # IBM Integrity Measurement Architecture # config IMA bool "Integrity Measurement Architecture(IMA)" select SECURITYFS select CRYPTO select CRYPTO_HMAC select CRYPTO_SHA1 select CRYPTO_HASH_INFO select TCG_TPM if HAS_IOMEM select TCG_TIS if TCG_TPM && X86 select TCG_CRB if TCG_TPM && ACPI select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES select INTEGRITY_AUDIT if AUDIT help The Trusted Computing Group(TCG) runtime Integrity Measurement Architecture(IMA) maintains a list of hash values of executables and other sensitive system files, as they are read or executed. If an attacker manages to change the contents of an important system file being measured, we can tell. If your system has a TPM chip, then IMA also maintains an aggregate integrity value over this list inside the TPM hardware, so that the TPM can prove to a third party whether or not critical system files have been modified. Read <http://www.usenix.org/events/sec04/tech/sailer.html> to learn more about IMA. If unsure, say N. if IMA config IMA_KEXEC bool "Enable carrying the IMA measurement list across a soft boot" depends on TCG_TPM && HAVE_IMA_KEXEC default n help TPM PCRs are only reset on a hard reboot. In order to validate a TPM's quote after a soft boot, the IMA measurement list of the running kernel must be saved and restored on boot. Depending on the IMA policy, the measurement list can grow to be very large. config IMA_MEASURE_PCR_IDX int range 8 14 default 10 help IMA_MEASURE_PCR_IDX determines the TPM PCR register index that IMA uses to maintain the integrity aggregate of the measurement list. If unsure, use the default 10. config IMA_LSM_RULES bool depends on AUDIT && (SECURITY_SELINUX \|\| SECURITY_SMACK) default y help Disabling this option will disregard LSM based policy rules. choice prompt "Default template" default IMA_NG_TEMPLATE help Select the default IMA measurement template. The original 'ima' measurement list template contains a hash, defined as 20 bytes, and a null terminated pathname, limited to 255 characters. The 'ima-ng' measurement list template permits both larger hash digests and longer pathnames. The configured default template can be replaced by specifying "ima_template=" on the boot command line. config IMA_NG_TEMPLATE bool "ima-ng (default)" config IMA_SIG_TEMPLATE bool "ima-sig" endchoice config IMA_DEFAULT_TEMPLATE string default "ima-ng" if IMA_NG_TEMPLATE default "ima-sig" if IMA_SIG_TEMPLATE choice prompt "Default integrity hash algorithm" default IMA_DEFAULT_HASH_SHA1 help Select the default hash algorithm used for the measurement list, integrity appraisal and audit log. The compiled default hash algorithm can be overwritten using the kernel command line 'ima_hash=' option. config IMA_DEFAULT_HASH_SHA1 bool "SHA1 (default)" depends on CRYPTO_SHA1=y config IMA_DEFAULT_HASH_SHA256 bool "SHA256" depends on CRYPTO_SHA256=y config IMA_DEFAULT_HASH_SHA512 bool "SHA512" depends on CRYPTO_SHA512=y config IMA_DEFAULT_HASH_WP512 bool "WP512" depends on CRYPTO_WP512=y endchoice config IMA_DEFAULT_HASH string default "sha1" if IMA_DEFAULT_HASH_SHA1 default "sha256" if IMA_DEFAULT_HASH_SHA256 default "sha512" if IMA_DEFAULT_HASH_SHA512 default "wp512" if IMA_DEFAULT_HASH_WP512 config IMA_WRITE_POLICY bool "Enable multiple writes to the IMA policy" default n help IMA policy can now be updated multiple times. The new rules get appended to the original policy. Have in mind that the rules are scanned in FIFO order so be careful when you design and add new ones. If unsure, say N. config IMA_READ_POLICY bool "Enable reading back the current IMA policy" default y if IMA_WRITE_POLICY default n if !IMA_WRITE_POLICY help It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. config IMA_APPRAISE bool "Appraise integrity measurements" default n help This option enables local measurement integrity appraisal. It requires the system to be labeled with a security extended attribute containing the file hash measurement. To protect the security extended attributes from offline attack, enable and configure EVM. For more information on integrity appraisal refer to: <http://linux-ima.sourceforge.net> If unsure, say N. config IMA_ARCH_POLICY bool "Enable loading an IMA architecture specific policy" depends on (KEXEC_SIG && IMA) \|\| IMA_APPRAISE \ && INTEGRITY_ASYMMETRIC_KEYS default n help This option enables loading an IMA architecture specific policy based on run time secure boot flags. config IMA_APPRAISE_BUILD_POLICY bool "IMA build time configured policy rules" depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS default n help This option defines an IMA appraisal policy at build time, which is enforced at run time without having to specify a builtin policy name on the boot command line. The build time appraisal policy rules persist after loading a custom policy. Depending on the rules configured, this policy may require kernel modules, firmware, the kexec kernel image, and/or the IMA policy to be signed. Unsigned files might prevent the system from booting or applications from working properly. config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS bool "Appraise firmware signatures" depends on IMA_APPRAISE_BUILD_POLICY default n help This option defines a policy requiring all firmware to be signed, including the regulatory.db. If both this option and CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature verification methods are necessary. config IMA_APPRAISE_REQUIRE_KEXEC_SIGS bool "Appraise kexec kernel image signatures" depends on IMA_APPRAISE_BUILD_POLICY default n help Enabling this rule will require all kexec'ed kernel images to be signed and verified by a public key on the trusted IMA keyring. Kernel image signatures can not be verified by the original kexec_load syscall. Enabling this rule will prevent its usage. config IMA_APPRAISE_REQUIRE_MODULE_SIGS bool "Appraise kernel modules signatures" depends on IMA_APPRAISE_BUILD_POLICY default n help Enabling this rule will require all kernel modules to be signed and verified by a public key on the trusted IMA keyring. Kernel module signatures can only be verified by IMA-appraisal, via the finit_module syscall. Enabling this rule will prevent the usage of the init_module syscall. config IMA_APPRAISE_REQUIRE_POLICY_SIGS bool "Appraise IMA policy signature" depends on IMA_APPRAISE_BUILD_POLICY default n help Enabling this rule will require the IMA policy to be signed and and verified by a key on the trusted IMA keyring. config IMA_APPRAISE_BOOTPARAM bool "ima_appraise boot parameter" depends on IMA_APPRAISE default y help This option enables the different "ima_appraise=" modes (eg. fix, log) from the boot command line. config IMA_APPRAISE_MODSIG bool "Support module-style signatures for appraisal" depends on IMA_APPRAISE depends on INTEGRITY_ASYMMETRIC_KEYS select PKCS7_MESSAGE_PARSER select MODULE_SIG_FORMAT default n help Adds support for signatures appended to files. The format of the appended signature is the same used for signed kernel modules. The modsig keyword can be used in the IMA policy to allow a hook to accept such signatures. config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" depends on SYSTEM_TRUSTED_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS select INTEGRITY_TRUSTED_KEYRING default n help Keys may be added to the IMA or IMA blacklist keyrings, if the key is validly signed by a CA cert in the system built-in or secondary trusted keyrings. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, provided they are validly signed by a key already resident in the built-in or secondary trusted keyrings. config IMA_BLACKLIST_KEYRING bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" depends on SYSTEM_TRUSTED_KEYRING depends on INTEGRITY_TRUSTED_KEYRING default n help This option creates an IMA blacklist keyring, which contains all revoked IMA keys. It is consulted before any other keyring. If the search is successful the requested operation is rejected and an error is returned to the caller. config IMA_LOAD_X509 bool "Load X509 certificate onto the '.ima' trusted keyring" depends on INTEGRITY_TRUSTED_KEYRING default n help File signature verification is based on the public keys loaded on the .ima trusted keyring. These public keys are X509 certificates signed by a trusted key on the .system keyring. This option enables X509 certificate loading from the kernel onto the '.ima' trusted keyring. config IMA_X509_PATH string "IMA X509 certificate path" depends on IMA_LOAD_X509 default "/etc/keys/x509_ima.der" help This option defines IMA X509 certificate path. config IMA_APPRAISE_SIGNED_INIT bool "Require signed user-space initialization" depends on IMA_LOAD_X509 default n help This option requires user-space init to be signed. endif ��integrity/ima/Makefile��0000644��00000000750�14722053644�0011001 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 # # Makefile for building Trusted Computing Group's(TCG) runtime Integrity # Measurement Architecture(IMA). # obj-$(CONFIG_IMA) += ima.o ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ ima_policy.o ima_template.o ima_template_lib.o ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o ��integrity/evm/Kconfig��0000644��00000004363�14722053644�0010671 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only config EVM bool "EVM support" select KEYS select ENCRYPTED_KEYS select CRYPTO_HMAC select CRYPTO_SHA1 select CRYPTO_HASH_INFO default n help EVM protects a file's security extended attributes against integrity attacks. If you are unsure how to answer this question, answer N. config EVM_ATTR_FSUUID bool "FSUUID (version 2)" default y depends on EVM help Include filesystem UUID for HMAC calculation. Default value is 'selected', which is former version 2. if 'not selected', it is former version 1 WARNING: changing the HMAC calculation method or adding additional info to the calculation, requires existing EVM labeled file systems to be relabeled. config EVM_EXTRA_SMACK_XATTRS bool "Additional SMACK xattrs" depends on EVM && SECURITY_SMACK default n help Include additional SMACK xattrs for HMAC calculation. In addition to the original security xattrs (eg. security.selinux, security.SMACK64, security.capability, and security.ima) included in the HMAC calculation, enabling this option includes newly defined Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and security.SMACK64MMAP. WARNING: changing the HMAC calculation method or adding additional info to the calculation, requires existing EVM labeled file systems to be relabeled. config EVM_ADD_XATTRS bool "Add additional EVM extended attributes at runtime" depends on EVM default n help Allow userland to provide additional xattrs for HMAC calculation. When this option is enabled, root can add additional xattrs to the list used by EVM by writing them into /sys/kernel/security/integrity/evm/evm_xattrs. config EVM_LOAD_X509 bool "Load an X509 certificate onto the '.evm' trusted keyring" depends on EVM && INTEGRITY_TRUSTED_KEYRING default n help Load an X509 certificate onto the '.evm' trusted keyring. This option enables X509 certificate loading from the kernel onto the '.evm' trusted keyring. A public key can be used to verify EVM integrity starting from the 'init' process. config EVM_X509_PATH string "EVM X509 certificate path" depends on EVM_LOAD_X509 default "/etc/keys/x509_evm.der" help This option defines X509 certificate path. ��integrity/evm/Makefile��0000644��00000000341�14722053644�0011016 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only # # Makefile for building the Extended Verification Module(EVM) # obj-$(CONFIG_EVM) += evm.o evm-y := evm_main.o evm_crypto.o evm_secfs.o evm-$(CONFIG_FS_POSIX_ACL) += evm_posix_acl.o ��integrity/Makefile��0000644��00000001577�14722053644�0010243 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 # # Makefile for caching inode integrity data (iint) # obj-$(CONFIG_INTEGRITY) += integrity.o integrity-y := iint.o integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_powerpc.o \ platform_certs/keyring_handler.o obj-$(CONFIG_IMA) += ima/ obj-$(CONFIG_EVM) += evm/ ��apparmor/Kconfig��0000644��00000004343�14722053644�0007703 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only config SECURITY_APPARMOR bool "AppArmor support" depends on SECURITY && NET select AUDIT select SECURITY_PATH select SECURITYFS select SECURITY_NETWORK default n help This enables the AppArmor security module. Required userspace tools (if they are not included in your distribution) and further information may be found at http://apparmor.wiki.kernel.org If you are unsure how to answer this question, answer N. config SECURITY_APPARMOR_HASH bool "Enable introspection of sha1 hashes for loaded profiles" depends on SECURITY_APPARMOR select CRYPTO select CRYPTO_SHA1 default y help This option selects whether introspection of loaded policy is available to userspace via the apparmor filesystem. config SECURITY_APPARMOR_HASH_DEFAULT bool "Enable policy hash introspection by default" depends on SECURITY_APPARMOR_HASH default y help This option selects whether sha1 hashing of loaded policy is enabled by default. The generation of sha1 hashes for loaded policy provide system administrators a quick way to verify that policy in the kernel matches what is expected, however it can slow down policy load on some devices. In these cases policy hashing can be disabled by default and enabled only if needed. config SECURITY_APPARMOR_DEBUG bool "Build AppArmor with debug code" depends on SECURITY_APPARMOR default n help Build apparmor with debugging logic in apparmor. Not all debugging logic will necessarily be enabled. A submenu will provide fine grained control of the debug options that are available. config SECURITY_APPARMOR_DEBUG_ASSERTS bool "Build AppArmor with debugging asserts" depends on SECURITY_APPARMOR_DEBUG default y help Enable code assertions made with AA_BUG. These are primarily function entry preconditions but also exist at other key points. If the assert is triggered it will trigger a WARN message. config SECURITY_APPARMOR_DEBUG_MESSAGES bool "Debug messages enabled by default" depends on SECURITY_APPARMOR_DEBUG default n help Set the default value of the apparmor.debug kernel parameter. When enabled, various debug messages will be logged to the kernel message buffer. ��apparmor/Makefile��0000644��00000010132�14722053644�0010031 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 # Makefile for AppArmor Linux Security Module # obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ resource.o secid.o file.o policy_ns.o label.o mount.o net.o \ af_unix.o apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o clean-files := capability_names.h rlim_names.h net_names.h # Build a lower case string table of address family names # Transform lines from # #define AF_LOCAL 1 /* POSIX name for AF_UNIX / # #define AF_INET 2 / Internet IP Protocol / # to # [1] = "local", # [2] = "inet", # # and build the securityfs entries for the mapping. # Transforms lines from # #define AF_INET 2 / Internet IP Protocol / # to # #define AA_SFS_AF_MASK "local inet" quiet_cmd_make-af = GEN $@ cmd_make-af = echo "static const char address_family_names[] = {" > $@ ;\ sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.)/[\2] = "\L\1",/p';\ echo "};" >> $@ ;\ printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\ sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.)/\L\1/p'\ $< \| tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@ # Build a lower case string table of sock type names # Transform lines from # SOCK_STREAM = 1, # to # [1] = "stream", quiet_cmd_make-sock = GEN $@ cmd_make-sock = echo "static const char sock_type_names[] = {" >> $@ ;\ sed $^ >>$@ -r -n \ -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.)/[\2] = "\L\1",/p';\ echo "};" >> $@ # Build a lower case string table of capability names # Transforms lines from # #define CAP_DAC_OVERRIDE 1 # to # [1] = "dac_override", quiet_cmd_make-caps = GEN $@ cmd_make-caps = echo "static const char const capability_names[] = {" > $@ ;\ sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ echo "};" >> $@ ;\ printf '%s' '\#define AA_SFS_CAPS_MASK "' >> $@ ;\ sed $< -r -n -e '/CAP_FS_MASK/d' \ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' \| \ tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@ # Build a lower case string table of rlimit names. # Transforms lines from # #define RLIMIT_STACK 3 / max stack size / # to # [RLIMIT_STACK] = "stack", # # and build a second integer table (with the second sed cmd), that maps # RLIMIT defines to the order defined in asm-generic/resource.h This is # required by policy load to map policy ordering of RLIMITs to internal # ordering for architectures that redefine an RLIMIT. # Transforms lines from # #define RLIMIT_STACK 3 / max stack size / # to # RLIMIT_STACK, # # and build the securityfs entries for the mapping. # Transforms lines from # #define RLIMIT_FSIZE 1 / Maximum filesize / # #define RLIMIT_STACK 3 / max stack size / # to # #define AA_SFS_RLIMIT_MASK "fsize stack" quiet_cmd_make-rlim = GEN $@ cmd_make-rlim = echo "static const char const rlim_names[RLIM_NLIMITS] = {" \ > $@ ;\ sed $< >> $@ -r -n \ -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+))./[\1] = "\L\2",/p';\ echo "};" >> $@ ;\ echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\ sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+)./\1,/p" $< >> $@ ;\ echo "};" >> $@ ; \ printf '%s' '\#define AA_SFS_RLIMIT_MASK "' >> $@ ;\ sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+)./\L\1/p' $< \| \ tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@ $(obj)/capability.o : $(obj)/capability_names.h $(obj)/net.o : $(obj)/net_names.h $(obj)/resource.o : $(obj)/rlim_names.h $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ $(src)/Makefile $(call cmd,make-caps) $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \ $(src)/Makefile $(call cmd,make-rlim) $(obj)/net_names.h : $(srctree)/include/linux/socket.h \ $(srctree)/include/linux/net.h \ $(src)/Makefile $(call cmd,make-af) $(call cmd,make-sock) ��Makefile��0000644��00000002315�14722053644�0006214 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 # # Makefile for the kernel security code # obj-$(CONFIG_KEYS) += keys/ subdir-$(CONFIG_SECURITY_SELINUX) += selinux subdir-$(CONFIG_SECURITY_SMACK) += smack subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown # always enable default capabilities obj-y += commoncap.o obj-$(CONFIG_MMU) += min_addr.o # Object file lists obj-$(CONFIG_SECURITY) += security.o obj-$(CONFIG_SECURITYFS) += inode.o obj-$(CONFIG_SECURITY_SELINUX) += selinux/ obj-$(CONFIG_SECURITY_SMACK) += smack/ obj-$(CONFIG_AUDIT) += lsm_audit.o obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity obj-$(CONFIG_INTEGRITY) += integrity/ ��tomoyo/Kconfig��0000644��00000006454�14722053644�0007415 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only config SECURITY_TOMOYO bool "TOMOYO Linux Support" depends on SECURITY depends on NET select SECURITYFS select SECURITY_PATH select SECURITY_NETWORK select SRCU select BUILD_BIN2C default n help This selects TOMOYO Linux, pathname-based access control. Required userspace tools and further information may be found at <http://tomoyo.sourceforge.jp/>. If you are unsure how to answer this question, answer N. config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY int "Default maximal count for learning mode" default 2048 range 0 2147483647 depends on SECURITY_TOMOYO help This is the default value for maximal ACL entries that are automatically appended into policy at "learning mode". Some programs access thousands of objects, so running such programs in "learning mode" dulls the system response and consumes much memory. This is the safeguard for such programs. config SECURITY_TOMOYO_MAX_AUDIT_LOG int "Default maximal count for audit log" default 1024 range 0 2147483647 depends on SECURITY_TOMOYO help This is the default value for maximal entries for audit logs that the kernel can hold on memory. You can read the log via /sys/kernel/security/tomoyo/audit. If you don't need audit logs, you may set this value to 0. config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER bool "Activate without calling userspace policy loader." default n depends on SECURITY_TOMOYO ---help--- Say Y here if you want to activate access control as soon as built-in policy was loaded. This option will be useful for systems where operations which can lead to the hijacking of the boot sequence are needed before loading the policy. For example, you can activate immediately after loading the fixed part of policy which will allow only operations needed for mounting a partition which contains the variant part of policy and verifying (e.g. running GPG check) and loading the variant part of policy. Since you can start using enforcing mode from the beginning, you can reduce the possibility of hijacking the boot sequence. config SECURITY_TOMOYO_POLICY_LOADER string "Location of userspace policy loader" default "/sbin/tomoyo-init" depends on SECURITY_TOMOYO depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER ---help--- This is the default pathname of policy loader which is called before activation. You can override this setting via TOMOYO_loader= kernel command line option. config SECURITY_TOMOYO_ACTIVATION_TRIGGER string "Trigger for calling userspace policy loader" default "/sbin/init" depends on SECURITY_TOMOYO depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER ---help--- This is the default pathname of activation trigger. You can override this setting via TOMOYO_trigger= kernel command line option. For example, if you pass init=/bin/systemd option, you may want to also pass TOMOYO_trigger=/bin/systemd option. config SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING bool "Use insecure built-in settings for fuzzing tests." default n depends on SECURITY_TOMOYO select SECURITY_TOMOYO_OMIT_USERSPACE_LOADER help Enabling this option forces minimal built-in policy and disables domain/program checks for run-time policy modifications. Please enable this option only if this kernel is built for doing fuzzing tests. ��tomoyo/Makefile��0000644��00000001465�14722053644�0007547 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o load_policy.o memory.o mount.o network.o realpath.o securityfs_if.o tomoyo.o util.o targets += builtin-policy.h define do_policy echo "static char tomoyo_builtin_$(1)[] __initdata ="; \ $(objtree)/scripts/bin2c <$(firstword $(wildcard $(obj)/policy/$(1).conf $(srctree)/$(src)/policy/$(1).conf.default) /dev/null); \ echo ";" endef quiet_cmd_policy = POLICY $@ cmd_policy = ($(call do_policy,profile); $(call do_policy,exception_policy); $(call do_policy,domain_policy); $(call do_policy,manager); $(call do_policy,stat)) >$@ $(obj)/builtin-policy.h: $(wildcard $(obj)/policy/.conf $(srctree)/$(src)/policy/*.conf.default) FORCE $(call if_changed,policy) $(obj)/common.o: $(obj)/builtin-policy.h ��keys/Kconfig��0000644��00000010203�14722053644�0007025 0��ustar�00��# SPDX-License-Identifier: GPL-2.0-only # # Key management configuration # config KEYS bool "Enable access key retention support" select ASSOCIATIVE_ARRAY help This option provides support for retaining authentication tokens and access keys in the kernel. It also includes provision of methods by which such keys might be associated with a process so that network filesystems, encryption support and the like can find them. Furthermore, a special type of key is available that acts as keyring: a searchable sequence of keys. Each process is equipped with access to five standard keyrings: UID-specific, GID-specific, session, process and thread. If you are unsure as to whether this is required, answer N. config KEYS_COMPAT def_bool y depends on COMPAT && KEYS config KEYS_REQUEST_CACHE bool "Enable temporary caching of the last request_key() result" depends on KEYS help This option causes the result of the last successful request_key() call that didn't upcall to the kernel to be cached temporarily in the task_struct. The cache is cleared by exit and just prior to the resumption of userspace. This allows the key used for multiple step processes where each step wants to request a key that is likely the same as the one requested by the last step to save on the searching. An example of such a process is a pathwalk through a network filesystem in which each method needs to request an authentication key. Pathwalk will call multiple methods for each dentry traversed (permission, d_revalidate, lookup, getxattr, getacl, ...). config PERSISTENT_KEYRINGS bool "Enable register of persistent per-UID keyrings" depends on KEYS help This option provides a register of persistent per-UID keyrings, primarily aimed at Kerberos key storage. The keyrings are persistent in the sense that they stay around after all processes of that UID have exited, not that they survive the machine being rebooted. A particular keyring may be accessed by either the user whose keyring it is or by a process with administrative privileges. The active LSMs gets to rule on which admin-level processes get to access the cache. Keyrings are created and added into the register upon demand and get removed if they expire (a default timeout is set upon creation). config BIG_KEYS bool "Large payload keys" depends on KEYS depends on TMPFS select CRYPTO select CRYPTO_AES select CRYPTO_GCM help This option provides support for holding large keys within the kernel (for example Kerberos ticket caches). The data may be stored out to swapspace by tmpfs. If you are unsure as to whether this is required, answer N. config TRUSTED_KEYS tristate "TRUSTED KEYS" depends on KEYS && TCG_TPM select CRYPTO select CRYPTO_HMAC select CRYPTO_SHA1 select CRYPTO_HASH_INFO help This option provides support for creating, sealing, and unsealing keys in the kernel. Trusted keys are random number symmetric keys, generated and RSA-sealed by the TPM. The TPM only unseals the keys, if the boot PCRs and other criteria match. Userspace will only ever see encrypted blobs. If you are unsure as to whether this is required, answer N. config ENCRYPTED_KEYS tristate "ENCRYPTED KEYS" depends on KEYS select CRYPTO select CRYPTO_HMAC select CRYPTO_AES select CRYPTO_CBC select CRYPTO_SHA256 select CRYPTO_RNG help This option provides support for create/encrypting/decrypting keys in the kernel. Encrypted keys are kernel generated random numbers, which are encrypted/decrypted with a 'master' symmetric key. The 'master' key can be either a trusted-key or user-key type. Userspace only ever sees/stores encrypted blobs. If you are unsure as to whether this is required, answer N. config KEY_DH_OPERATIONS bool "Diffie-Hellman operations on retained keys" depends on KEYS select CRYPTO select CRYPTO_HASH select CRYPTO_DH help This option provides support for calculating Diffie-Hellman public keys and shared secrets using values stored as keys in the kernel. If you are unsure as to whether this is required, answer N. ��keys/encrypted-keys/Makefile��0000644��00000000547�14722053644�0012142 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 # # Makefile for encrypted keys # obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys.o encrypted-keys-y := encrypted.o ecryptfs_format.o masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o encrypted-keys-y += $(masterkey-y) $(masterkey-m-m) ��keys/Makefile��0000644��00000001246�14722053644�0007171 0��ustar�00��# SPDX-License-Identifier: GPL-2.0 # # Makefile for key management # # # Core # obj-y := \ gc.o \ key.o \ keyring.o \ keyctl.o \ permission.o \ process_keys.o \ request_key.o \ request_key_auth.o \ user_defined.o compat-obj-$(CONFIG_KEY_DH_OPERATIONS) += compat_dh.o obj-$(CONFIG_KEYS_COMPAT) += compat.o $(compat-obj-y) obj-$(CONFIG_PROC_FS) += proc.o obj-$(CONFIG_SYSCTL) += sysctl.o obj-$(CONFIG_PERSISTENT_KEYRINGS) += persistent.o obj-$(CONFIG_KEY_DH_OPERATIONS) += dh.o obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += keyctl_pkey.o # # Key types # obj-$(CONFIG_BIG_KEYS) += big_key.o obj-$(CONFIG_TRUSTED_KEYS) += trusted.o obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ ��

| ver. 1.4 | Github | . | PHP 7.4.3-4ubuntu2.24 | Генерация страницы: 0 | proxy | phpinfo | Настройка