Re: [PATCH v5 2/3] seccomp_filters: system call filtering using BPF
From: Will Drewry
Date: Sat Jan 28 2012 - 15:13:21 EST
On Sat, Jan 28, 2012 at 3:21 AM, Cong Wang <amwang@xxxxxxxxxx> wrote:
> On Fri, 2012-01-27 at 17:24 -0600, Will Drewry wrote:
>> +config SECCOMP_FILTER
>> + bool "Enable seccomp-based system call filtering"
>> + select SECCOMP
>
> Is 'depends on SECCOMP' better?
Either way is fine for me. I chose select so that SECCOMP_FILTER
wouldn't be hidden if SECCOMP was off when they hit the security menu.
>
>> + help
>> + This option provide support for limiting the accessibility
>> of
>
> s/provide/provides/
>
>> + systems calls at a task-level using a dynamically defined
>> policy.
>
>
> s/systems/system/
>
>> +
>> + System call filtering policy is expressed by the user using
>> + a Berkeley Packet Filter program. The program is attached
>> using
>
> s/the user using//
>
>> + prctl(2). For every system call the task makes, its number,
>> + arguments, and other metadata will be evaluated by the
>> attached
>> + filter program. The result determines if the system call
>> may
>> + may proceed or if the task should be terminated.
>
> One more "may"... and "be proceeded"
>
>> +
>> + This behavior is meant to aid security-conscious software in
>> + its ability to minimize the risk of running potentially
>> + risky code.
>> +
>> + See Documentation/prctl/seccomp_filter.txt for more detail.
>> +
>
>
> Thanks.
Thanks! Cleaned up, as recommended, and slightly reworded. I'll
include the updates in the next salvo.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/