Ken Moffat wrote:
Let's try to take a straw poll:
Do people have CONFIG_SECCOMP=y set anyway in the (desktop, laptop)
kernels they are using ? To avoid noise on the list, please reply
to me directly.
The initial tally is:
No 1 (Nathan)
Yes 1 (me)
config-3.16.0-38-generic:CONFIG_SECCOMP_FILTER=y
config-3.16.0-38-generic:CONFIG_SECCOMP=y
config-4.3.3-SVN-20160104:CONFIG_SECCOMP_FILTER=y
config-4.3.3-SVN-20160104:CONFIG_SECCOMP=y
config-4.4-SVN-20160111:CONFIG_SECCOMP_FILTER=y
config-4.4-SVN-20160111:CONFIG_SECCOMP=y
config-4.9.8:CONFIG_SECCOMP_FILTER=y
config-4.9.8:CONFIG_SECCOMP=y
config-4.10.3:CONFIG_SECCOMP_FILTER=y
config-4.10.3:CONFIG_SECCOMP=y
config-4.11.0-amdgpu:CONFIG_SECCOMP_FILTER=y
config-4.11.0-amdgpu:CONFIG_SECCOMP=y
config-4.11.0-lfs-20170507-nvidia:CONFIG_SECCOMP_FILTER=y
config-4.11.0-lfs-20170507-nvidia:CONFIG_SECCOMP=y
config-4.11.4:CONFIG_SECCOMP_FILTER=y
config-4.11.4:CONFIG_SECCOMP=y
config-4.12.7-lfs-8.1-rc2:CONFIG_SECCOMP_FILTER=y
config-4.12.7-lfs-8.1-rc2:CONFIG_SECCOMP=y
config-4.4.2-lfs-7.9-rc2:CONFIG_SECCOMP_FILTER=y
config-4.4.2-lfs-7.9-rc2:CONFIG_SECCOMP=y
config-4.6.2-lfs-7.9-1:CONFIG_SECCOMP_FILTER=y
config-4.6.2-lfs-7.9-1:CONFIG_SECCOMP=y
config-4.7.2-20161104:CONFIG_SECCOMP_FILTER=y
config-4.7.2-20161104:CONFIG_SECCOMP=y
config-4.7.2-20161107:CONFIG_SECCOMP_FILTER=y
config-4.7.2-20161107:CONFIG_SECCOMP=y
config-4.7.2-lfs-7.10-rc1:CONFIG_SECCOMP_FILTER=y
config-4.7.2-lfs-7.10-rc1:CONFIG_SECCOMP=y
config-4.8.6-20161104:CONFIG_SECCOMP_FILTER=y
config-4.8.6-20161104:CONFIG_SECCOMP=y
config-4.9.5:CONFIG_SECCOMP_FILTER=y
config-4.9.5:CONFIG_SECCOMP=y
config-4.9.9:CONFIG_SECCOMP_FILTER=y
config-4.9.9:CONFIG_SECCOMP=y
config-4.9.9-lfs-20170214-amdgpu:CONFIG_SECCOMP_FILTER=y
config-4.9.9-lfs-20170214-amdgpu:CONFIG_SECCOMP=y
Apparently doing 'make defconfig' on an x86_64 set it.
"This kernel feature is useful for number crunching applications that may
need to compute untrusted bytecode during their execution. By using pipes
or other transports made available to the process as file descriptors
supporting the read/write syscalls, it's possible to isolate those
applications in their own address space using seccomp. Once seccomp is
enabled via /proc/<pid>/seccomp, it cannot be disabled and the task is
only allowed to execute a few safe syscalls defined by each seccomp mode.
If unsure, say Y. Only embedded should say N here."
Some architectures recommend N, but LFS does not directly support those.
https://cateee.net/lkddb/web-lkddb/SECCOMP.html
I don't think we need to say anything about this in the book.
-- Bruce
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
