Re: [PATCH v2 seccomp 1/6] seccomp: Move config option SECCOMP to arch/Kconfig
From: YiFei Zhu
Date: Tue Oct 27 2020 - 15:13:50 EST
On Tue, Oct 27, 2020 at 4:52 AM Geert Uytterhoeven <geert@xxxxxxxxxxxxxx> wrote:
> Please tell me why SECCOMP is special, and deserves to default to be
> enabled. Is it really that critical, given only 13.5 (half of sparc
> ;-) out of 24
> architectures implement support for it?
Good point. My thought process is that quite a few system software are
reliant on seccomp for enforcing policies -- systemd, docker, and
other sandboxing tools like browsers and firejail, so when I moved
this to the non-perarch section, it at least has to be default for
x86. Granted, I'm not super familiar with other architectures, so you
are probably right that those that did not have it on by default
should be kept off by default; many of them could be for embedded
devices. What's the best way to do this? Set it as default N in
Kconfig and add CONFIG_SECCOMP=y in each arch's defconfig?
YiFei Zhu