On 01/02/2014 12:20 PM, Dave Hansen wrote: > From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> > > --- > > linux.git-davehans/arch/arm/Kconfig | 15 +-------------- > linux.git-davehans/arch/microblaze/Kconfig | 18 +----------------- > linux.git-davehans/arch/mips/Kconfig | 18 +----------------- > linux.git-davehans/arch/powerpc/Kconfig | 18 +----------------- > linux.git-davehans/arch/s390/Kconfig | 18 +----------------- > linux.git-davehans/arch/sh/Kconfig | 17 +---------------- > linux.git-davehans/arch/sparc/Kconfig | 18 +----------------- > linux.git-davehans/arch/x86/Kconfig | 17 +---------------- > linux.git-davehans/security/Kconfig | 21 ++++++++++++++++++++- > 9 files changed, 28 insertions(+), 132 deletions(-) > > diff -puN security/Kconfig~consolidate-seccomp-options security/Kconfig > --- linux.git/security/Kconfig~consolidate-seccomp-options 2014-01-02 11:23:58.604785905 -0800 > +++ linux.git-davehans/security/Kconfig 2014-01-02 11:23:58.614786355 -0800 
> @@ -167,5 +167,24 @@ config DEFAULT_SECURITY > default "yama" if DEFAULT_SECURITY_YAMA > default "" if DEFAULT_SECURITY_DAC > > -endmenu > +config HAVE_ARCH_SECCOMP > + bool > + > +config SECCOMP > + bool > + default y Prefer def_bool y > + prompt "Enable seccomp to safely compute untrusted bytecode" > + ---help--- > + This kernel feature is useful for number crunching applications > + that may need to compute untrusted bytecode during their > + execution. By using pipes or other transports made available to > + the process as file descriptors supporting the read/write > + syscalls, it's possible to isolate those applications in > + their own address space using seccomp. Once seccomp is > + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled > + and the task is only allowed to execute a few safe syscalls > + defined by each seccomp mode. > > + If unsure, say Y. Only embedded should say N here. > + > +endmenu -- ~Randy
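Review bot: the new `config SECCOMP` entry in security/Kconfig carries no `depends on HAVE_ARCH_SECCOMP`, so the `HAVE_ARCH_SECCOMP` symbol declared just above it gates nothing in the lines shown. With `default y` and a prompt, SECCOMP becomes selectable, and enabled by default, on every architecture, including any that never select `HAVE_ARCH_SECCOMP`. Suggest adding `depends on HAVE_ARCH_SECCOMP` under `config SECCOMP`. The diffstat shows deletions in eight arch Kconfig files whose hunks are not visible here, so it is also worth confirming that any per-architecture dependency those entries carried survives the consolidation.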