diff options
author | Chris Metcalf <cmetcalf@ezchip.com> | 2015-07-22 14:30:14 -0400 |
---|---|---|
committer | Chris Metcalf <cmetcalf@ezchip.com> | 2015-07-30 12:32:16 -0400 |
commit | a0ddef81f4aeeeec3326f6b6a255d8ea13b41908 (patch) | |
tree | 3a551abb0a57ff62fa7ad380f87e6c8bdb154d7b /arch/tile/Kconfig | |
parent | 38715df206d52817ac8ac032f35ee76955bdc15d (diff) |
tile: enable full SECCOMP support
Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
Diffstat (limited to 'arch/tile/Kconfig')
-rw-r--r-- | arch/tile/Kconfig | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig index 9def1f52d03a..2ba12d761723 100644 --- a/arch/tile/Kconfig +++ b/arch/tile/Kconfig @@ -32,6 +32,7 @@ config TILE select EDAC_SUPPORT select GENERIC_STRNCPY_FROM_USER select GENERIC_STRNLEN_USER + select HAVE_ARCH_SECCOMP_FILTER # FIXME: investigate whether we need/want these options. # select HAVE_IOREMAP_PROT @@ -221,6 +222,22 @@ config COMPAT If enabled, the kernel will support running TILE-Gx binaries that were built with the -m32 option. +config SECCOMP + bool "Enable seccomp to safely compute untrusted bytecode" + depends on PROC_FS + help + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via prctl, it cannot be disabled and the task is only + allowed to execute a few safe syscalls defined by each seccomp + mode. + + If unsure, say N. + config SYSVIPC_COMPAT def_bool y depends on COMPAT && SYSVIPC |