On 29 September 2017 at 08:39, Bruce Dubbs <[email protected]> wrote: > Ken Moffat wrote: > >> Let's try to take a straw poll: >> >> Do people have CONFIG_SECCOMP=y set anyway in the (desktop, laptop) >> kernels they are using ? To avoid noise on the list, please reply >> to me directly. >> >> The initial tally is: >> >> No 1 (Nathan) >> Yes 1 (me) > > > config-3.16.0-38-generic:CONFIG_SECCOMP_FILTER=y > config-3.16.0-38-generic:CONFIG_SECCOMP=y > config-4.3.3-SVN-20160104:CONFIG_SECCOMP_FILTER=y > config-4.3.3-SVN-20160104:CONFIG_SECCOMP=y > config-4.4-SVN-20160111:CONFIG_SECCOMP_FILTER=y > config-4.4-SVN-20160111:CONFIG_SECCOMP=y > config-4.9.8:CONFIG_SECCOMP_FILTER=y > config-4.9.8:CONFIG_SECCOMP=y > > > config-4.10.3:CONFIG_SECCOMP_FILTER=y > config-4.10.3:CONFIG_SECCOMP=y > config-4.11.0-amdgpu:CONFIG_SECCOMP_FILTER=y > config-4.11.0-amdgpu:CONFIG_SECCOMP=y > config-4.11.0-lfs-20170507-nvidia:CONFIG_SECCOMP_FILTER=y > config-4.11.0-lfs-20170507-nvidia:CONFIG_SECCOMP=y > config-4.11.4:CONFIG_SECCOMP_FILTER=y > config-4.11.4:CONFIG_SECCOMP=y > config-4.12.7-lfs-8.1-rc2:CONFIG_SECCOMP_FILTER=y > config-4.12.7-lfs-8.1-rc2:CONFIG_SECCOMP=y > config-4.4.2-lfs-7.9-rc2:CONFIG_SECCOMP_FILTER=y > config-4.4.2-lfs-7.9-rc2:CONFIG_SECCOMP=y > config-4.6.2-lfs-7.9-1:CONFIG_SECCOMP_FILTER=y > config-4.6.2-lfs-7.9-1:CONFIG_SECCOMP=y > config-4.7.2-20161104:CONFIG_SECCOMP_FILTER=y > config-4.7.2-20161104:CONFIG_SECCOMP=y > config-4.7.2-20161107:CONFIG_SECCOMP_FILTER=y > config-4.7.2-20161107:CONFIG_SECCOMP=y > config-4.7.2-lfs-7.10-rc1:CONFIG_SECCOMP_FILTER=y > config-4.7.2-lfs-7.10-rc1:CONFIG_SECCOMP=y > config-4.8.6-20161104:CONFIG_SECCOMP_FILTER=y > config-4.8.6-20161104:CONFIG_SECCOMP=y > config-4.9.5:CONFIG_SECCOMP_FILTER=y > config-4.9.5:CONFIG_SECCOMP=y > config-4.9.9:CONFIG_SECCOMP_FILTER=y > config-4.9.9:CONFIG_SECCOMP=y > config-4.9.9-lfs-20170214-amdgpu:CONFIG_SECCOMP_FILTER=y > config-4.9.9-lfs-20170214-amdgpu:CONFIG_SECCOMP=y > > Apparently doing 'make defconfig' on an x86_64 set it. > > "This kernel feature is useful for number crunching applications that may > need to compute untrusted bytecode during their execution. By using pipes or > other transports made available to the process as file descriptors > supporting the read/write syscalls, it's possible to isolate those > applications in their own address space using seccomp. Once seccomp is > enabled via /proc/<pid>/seccomp, it cannot be disabled and the task is only > allowed to execute a few safe syscalls defined by each seccomp mode. > > If unsure, say Y. Only embedded should say N here." > > Some architectures recommend N, but LFS does not directly support those. > https://cateee.net/lkddb/web-lkddb/SECCOMP.html > > I don't think we need to say anything about this in the book. > > -- Bruce
*shrug*, I suppose I just never needed it before. The kernel config was back from the early 2.6 era (Wonder if it was originally from 2.4... been doing LFS long enough), so very good chance that one just fell through the cracks. (I do tend to keep the kernel minimal to a degree). -- Nathan Coulson (conathan) ------ Location: British Columbia, Canada Timezone: PST (-8) Webpage: http://www.nathancoulson.com -- http://lists.linuxfromscratch.org/listinfo/blfs-dev FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
