Diffstat (limited to 'init')
| -rw-r--r-- | init/Kconfig | 27 | ||||
| -rw-r--r-- | init/main.c | 2 |
2 files changed, 14 insertions, 15 deletions
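--- a/init/Kconfig
+++ b/init/Kconfig
@@ -301,20 +301,6 @@ config AUDIT_TREE
 depends on AUDITSYSCALL
 select FSNOTIFY
 
-config AUDIT_LOGINUID_IMMUTABLE
-bool "Make audit loginuid immutable"
-depends on AUDIT
-help
-The config option toggles if a task setting its loginuid requires
-CAP_SYS_AUDITCONTROL or if that task should require no special permissions
-but should instead only allow setting its loginuid if it was never
-previously set. On systems which use systemd or a similar central
-process to restart login services this should be set to true. On older
-systems in which an admin would typically have to directly stop and
-start processes this should be set to false. Setting this to true allows
-one to drop potentially dangerous capabilites from the login tasks,
-but may not be backwards compatible with older init systems.
-
 source "kernel/irq/Kconfig"
 source "kernel/time/Kconfig"
 
@@ -1669,6 +1655,18 @@ config BASE_SMALL
 default 0 if BASE_FULL
 default 1 if !BASE_FULL
 
+config SYSTEM_TRUSTED_KEYRING
+bool "Provide system-wide ring of trusted keys"
+depends on KEYS
+help
+Provide a system keyring to which trusted keys can be added. Keys in
+the keyring are considered to be trusted. Keys may be added at will
+by the kernel from compiled-in data and from hardware key stores, but
+userspace may only add extra keys if those keys can be verified by
+keys already in the keyring.
+
+Keys in this keyring are used by module signature checking.
+
 menuconfig MODULES
 bool "Enable loadable module support"
 option modules
@@ -1742,6 +1740,7 @@ config MODULE_SRCVERSION_ALL
 config MODULE_SIG
 bool "Module signature verification"
 depends on MODULES
+select SYSTEM_TRUSTED_KEYRING
 select KEYS
 select CRYPTO
 select ASYMMETRIC_KEY_TYPE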
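Review bot: Removing `config AUDIT_LOGINUID_IMMUTABLE` in the first hunk drops a user-visible hardening switch, and nothing in this diff shows what takes its place; an existing .config with that symbol set will lose it silently on oldconfig. If the immutability policy has moved to a runtime audit control (not visible on this page, so to be confirmed against the rest of the merge), that migration is worth stating where the option's removal is recorded, since operators who relied on the build-time setting have no other signal. In the third hunk, `select SYSTEM_TRUSTED_KEYRING` is placed above the existing `select KEYS`; because select bypasses the selected symbol's `depends on KEYS`, the explicit `select KEYS` stays necessary and a comment such as `# select does not satisfy SYSTEM_TRUSTED_KEYRING's "depends on KEYS"; keep select KEYS` would prevent a later cleanup from dropping it.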
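--- a/init/main.c
+++ b/init/main.c
@@ -476,7 +476,7 @@ static void __init mm_init(void)
 mem_init();
 kmem_cache_init();
 percpu_init_late();
-pgtable_init();
+pgtable_cache_init();
 vmalloc_init();
 }
 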
