|
@@ -1205,7 +1205,6 @@ config IRQBALANCE
|
|
|
config SECCOMP
|
|
config SECCOMP
|
|
|
def_bool y
|
|
def_bool y
|
|
|
prompt "Enable seccomp to safely compute untrusted bytecode"
|
|
prompt "Enable seccomp to safely compute untrusted bytecode"
|
|
|
- depends on PROC_FS
|
|
|
|
|
help
|
|
help
|
|
|
This kernel feature is useful for number crunching applications
|
|
This kernel feature is useful for number crunching applications
|
|
|
that may need to compute untrusted bytecode during their
|
|
that may need to compute untrusted bytecode during their
|
|
@@ -1213,7 +1212,7 @@ config SECCOMP
|
|
|
the process as file descriptors supporting the read/write
|
|
the process as file descriptors supporting the read/write
|
|
|
syscalls, it's possible to isolate those applications in
|
|
syscalls, it's possible to isolate those applications in
|
|
|
their own address space using seccomp. Once seccomp is
|
|
their own address space using seccomp. Once seccomp is
|
|
|
- enabled via /proc/<pid>/seccomp, it cannot be disabled
|
|
|
|
|
|
|
+ enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
|
|
|
and the task is only allowed to execute a few safe syscalls
|
|
and the task is only allowed to execute a few safe syscalls
|
|
|
defined by each seccomp mode.
|
|
defined by each seccomp mode.
|
|
|
|
|
|
Alexey Dobriyan