On Fri, 2012-01-27 at 17:24 -0600, Will Drewry wrote:
> +config SECCOMP_FILTER
> + bool "Enable seccomp-based system call filtering"
> + select SECCOMP
Is 'depends on SECCOMP' better?
> + help
> + This option provide support for limiting the accessibility
> of
s/provide/provides/
> + systems calls at a task-level using a dynamically defined
> policy.
s/systems/system/
> +
> + System call filtering policy is expressed by the user using
> + a Berkeley Packet Filter program. The program is attached
> using
s/the user using//
> + prctl(2). For every system call the task makes, its number,
> + arguments, and other metadata will be evaluated by the
> attached
> + filter program. The result determines if the system call
> may
> + may proceed or if the task should be terminated.
One more "may"... and "be proceeded"
> +
> + This behavior is meant to aid security-conscious software in
> + its ability to minimize the risk of running potentially
> + risky code.
> +
> + See Documentation/prctl/seccomp_filter.txt for more detail.
> +
Thanks.
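Review bot: `select SECCOMP` in the new SECCOMP_FILTER entry turns SECCOMP on without evaluating SECCOMP's own dependencies, because that is how Kconfig `select` works, so `depends on SECCOMP` is the safer form and keeps this option hidden on configurations where SECCOMP itself cannot be enabled. The help text states that the policy is a Berkeley Packet Filter program, yet the entry as quoted declares no dependency on whatever provides the BPF evaluator; if that code is optional in the build, the entry needs a matching `depends on` line. The entry also has no `default` and the help text gives no "If unsure, say ..." guidance, which matters for an option whose failure mode, per the help text, is termination of the task.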