ARM: SECCOMP support

Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
author: Nicolas Pitre <nicolas.pitre@linaro.org> 2010-08-26 22:08:35 (GMT)
committer: Nicolas Pitre <nicolas.pitre@linaro.org> 2010-10-02 02:32:18 (GMT)
commit: 70c70d97809c3cdb8ff04f38ee3718c5385a2a4d (patch)
tree: 33b30af89b35370f01f69f80e44a660e8e80c137 /arch/arm/Kconfig
parent: 087aaffcdf9c91667c93923fbc05fa8fb6bc7d3a (diff)
download: linux-fsl-qoriq-70c70d97809c3cdb8ff04f38ee3718c5385a2a4d.tar.xz
1 files changed, 14 insertions, 0 deletions
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 88c97bc..1273ee8 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1463,6 +1463,20 @@ config UACCESS_WITH_MEMCPY
 	  However, if the CPU data cache is using a write-allocate mode,
 	  this option is unlikely to provide any performance gain.
 
+config SECCOMP
+	bool
+	prompt "Enable seccomp to safely compute untrusted bytecode"
+	---help---
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl(PR_SET_SECCOMP), it cannot be disabled
+	  and the task is only allowed to execute a few safe syscalls
+	  defined by each seccomp mode.
+
 config CC_STACKPROTECTOR
 	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
 	help
author	Nicolas Pitre <nicolas.pitre@linaro.org>	2010-08-26 22:08:35 (GMT)
committer	Nicolas Pitre <nicolas.pitre@linaro.org>	2010-10-02 02:32:18 (GMT)
commit	70c70d97809c3cdb8ff04f38ee3718c5385a2a4d (patch)
tree	33b30af89b35370f01f69f80e44a660e8e80c137 /arch/arm/Kconfig
parent	087aaffcdf9c91667c93923fbc05fa8fb6bc7d3a (diff)
download	linux-fsl-qoriq-70c70d97809c3cdb8ff04f38ee3718c5385a2a4d.tar.xz