On Tue, Oct 27, 2020 at 4:52 AM Geert Uytterhoeven <geert@xxxxxxxxxxxxxx> wrote:
> Please tell me why SECCOMP is special, and deserves to default to be
> enabled. Is it really that critical, given only 13.5 (half of sparc
> ;-) out of 24
> architectures implement support for it?

Good point. My thought process is that quite a few system software are reliant on seccomp for enforcing policies -- systemd, docker, and other sandboxing tools like browsers and firejail, so when I moved this to the non-perarch section, it at least has to be default for x86. Granted, I'm not super familiar with other architectures, so you are probably right that those that did not have it on by default should be kept off by default; many of them could be for embedded devices.

What's the best way to do this? Set it as default N in Kconfig and add CONFIG_SECCOMP=y in each arch's defconfig?

YiFei Zhu