sh: seccomp support.

This hooks up the seccomp thread flag and associated callback from the
syscall tracer.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>

1 files changed, 17 insertions, 0 deletions

diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index cb992c3d6b71..0ae541107f3f 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -483,6 +483,23 @@ config CRASH_DUMP
 
 	  For more details see Documentation/kdump/kdump.txt
 
+config SECCOMP
+	bool "Enable seccomp to safely compute untrusted bytecode"
+	depends on PROC_FS
+	default y
+	help
+	  This kernel feature is useful for number crunching applications
+	  that may need to compute untrusted bytecode during their
+	  execution. By using pipes or other transports made available to
+	  the process as file descriptors supporting the read/write
+	  syscalls, it's possible to isolate those applications in
+	  their own address space using seccomp. Once seccomp is
+	  enabled via prctl, it cannot be disabled and the task is only
+	  allowed to execute a few safe syscalls defined by each seccomp
+	  mode.
+
+	  If unsure, say N.
+
 config SMP
 	bool "Symmetric multi-processing support"
 	depends on SYS_SUPPORTS_SMP