diff options
-rw-r--r-- | arch/microblaze/Kconfig | 17 | ||||
-rw-r--r-- | arch/microblaze/include/asm/seccomp.h | 16 |
2 files changed, 33 insertions, 0 deletions
diff --git a/arch/microblaze/Kconfig b/arch/microblaze/Kconfig index 692fdfce2a2..dad40fc2bef 100644 --- a/arch/microblaze/Kconfig +++ b/arch/microblaze/Kconfig @@ -121,6 +121,23 @@ config CMDLINE_FORCE Set this to have arguments from the default kernel command string override those passed by the boot loader. +config SECCOMP + bool "Enable seccomp to safely compute untrusted bytecode" + depends on PROC_FS + default y + help + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via /proc/<pid>/seccomp, it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + + If unsure, say Y. Only embedded should say N here. + endmenu menu "Advanced setup" diff --git a/arch/microblaze/include/asm/seccomp.h b/arch/microblaze/include/asm/seccomp.h new file mode 100644 index 00000000000..0d912758a0d --- /dev/null +++ b/arch/microblaze/include/asm/seccomp.h @@ -0,0 +1,16 @@ +#ifndef _ASM_MICROBLAZE_SECCOMP_H +#define _ASM_MICROBLAZE_SECCOMP_H + +#include <linux/unistd.h> + +#define __NR_seccomp_read __NR_read +#define __NR_seccomp_write __NR_write +#define __NR_seccomp_exit __NR_exit +#define __NR_seccomp_sigreturn __NR_sigreturn + +#define __NR_seccomp_read_32 __NR_read +#define __NR_seccomp_write_32 __NR_write +#define __NR_seccomp_exit_32 __NR_exit +#define __NR_seccomp_sigreturn_32 __NR_sigreturn + +#endif /* _ASM_MICROBLAZE_SECCOMP_H */ |