ARM: SECCOMP support

Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
author: Nicolas Pitre <nicolas.pitre@linaro.org> 2010-08-26 18:08:35 -0400
committer: Nicolas Pitre <nicolas.pitre@linaro.org> 2010-10-01 22:32:18 -0400
commit: 70c70d97809c3cdb8ff04f38ee3718c5385a2a4d (patch)
tree: 33b30af89b35370f01f69f80e44a660e8e80c137 /arch/arm/Kconfig
parent: 087aaffcdf9c91667c93923fbc05fa8fb6bc7d3a (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 88c97bc7a6f5..1273ee8756be 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1463,6 +1463,20 @@ config UACCESS_WITH_MEMCPY
          However, if the CPU data cache is using a write-allocate mode,
          this option is unlikely to provide any performance gain.
+config SECCOMP
+        bool
+        prompt "Enable seccomp to safely compute untrusted bytecode"
+        ---help---
+          This kernel feature is useful for number crunching applications
+          that may need to compute untrusted bytecode during their
+          execution. By using pipes or other transports made available to
+          the process as file descriptors supporting the read/write
+          syscalls, it's possible to isolate those applications in
+          their own address space using seccomp. Once seccomp is
+          enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+          and the task is only allowed to execute a few safe syscalls
+          defined by each seccomp mode.
 config CC_STACKPROTECTOR
        bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
        help
author	Nicolas Pitre <nicolas.pitre@linaro.org>	2010-08-26 18:08:35 -0400
committer	Nicolas Pitre <nicolas.pitre@linaro.org>	2010-10-01 22:32:18 -0400
commit	70c70d97809c3cdb8ff04f38ee3718c5385a2a4d (patch)
tree	33b30af89b35370f01f69f80e44a660e8e80c137 /arch/arm/Kconfig
parent	087aaffcdf9c91667c93923fbc05fa8fb6bc7d3a (diff)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 88c97bc7a6f5..1273ee8756be 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig
@@ -1463,6 +1463,20 @@ config UACCESS_WITH_MEMCPY
1463	However, if the CPU data cache is using a write-allocate mode,	1463	However, if the CPU data cache is using a write-allocate mode,
1464	this option is unlikely to provide any performance gain.	1464	this option is unlikely to provide any performance gain.
1465		1465
		1466	config SECCOMP
		1467	bool
		1468	prompt "Enable seccomp to safely compute untrusted bytecode"
		1469	---help---
		1470	This kernel feature is useful for number crunching applications
		1471	that may need to compute untrusted bytecode during their
		1472	execution. By using pipes or other transports made available to
		1473	the process as file descriptors supporting the read/write
		1474	syscalls, it's possible to isolate those applications in
		1475	their own address space using seccomp. Once seccomp is
		1476	enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
		1477	and the task is only allowed to execute a few safe syscalls
		1478	defined by each seccomp mode.
		1479
1466	config CC_STACKPROTECTOR	1480	config CC_STACKPROTECTOR
1467	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"	1481	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
1468	help	1482	help