On Sat, Jan 28, 2012 at 3:21 AM, Cong Wang <amwang@xxxxxxxxxx> wrote: > On Fri, 2012-01-27 at 17:24 -0600, Will Drewry wrote: >> +config SECCOMP_FILTER >> + bool "Enable seccomp-based system call filtering" >> + select SECCOMP > > Is 'depends on SECCOMP' better? Either way is fine for me. I chose select so that SECCOMP_FILTER wouldn't be hidden if SECCOMP was off when they hit the security menu. > >> + help >> + This option provide support for limiting the accessibility >> of > > s/provide/provides/ > >> + systems calls at a task-level using a dynamically defined >> policy. > > > s/systems/system/ > >> + >> + System call filtering policy is expressed by the user using >> + a Berkeley Packet Filter program. The program is attached >> using > > s/the user using// > >> + prctl(2). For every system call the task makes, its number, >> + arguments, and other metadata will be evaluated by the >> attached >> + filter program. The result determines if the system call >> may >> + may proceed or if the task should be terminated. > > One more "may"... and "be proceeded" > >> + >> + This behavior is meant to aid security-conscious software in >> + its ability to minimize the risk of running potentially >> + risky code. >> + >> + See Documentation/prctl/seccomp_filter.txt for more detail. >> + > > > Thanks. Thanks! Cleaned up, as recommended, and slightly reworded. I'll include the updates in the next salvo. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
