author: Clemens Gruber <clemens.gruber@pqgruber.com> 2018-06-27 17:24:08 +0200
committer: Michael Olbrich <m.olbrich@pengutronix.de> 2018-06-28 12:07:36 +0200
commit: 12d2997b4660a89985626abc88a074094d14b9e0
tree: 95c8d7a29c20a1293316005f98705380bc308276 /rules/file.in
parent: 37f92ae91a86ac58eff005f9fd561d845cb592d3
file: seccomp sandboxing

Support seccomp sandboxing to reduce the attack surface and enable it by default. Important for use cases with files from untrusted sources.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>

Diffstat (limited to 'rules/file.in')
-rw-r--r-- rules/file.in 14
1 files changed, 13 insertions, 1 deletions
diff --git a/rules/file.in b/rules/file.in
index a4e0a7125..3f44cc380 100644
--- a/rules/file.in
+++ b/rules/file.in
@@ -1,10 +1,11 @@
## SECTION=shell_and_console
-config FILE
+menuconfig FILE
tristate
select HOST_FILE
select ZLIB
select GCCLIBS_GCC_S
+ select LIBSECCOMP if FILE_SECCOMP
prompt "file"
help
The file command is "a file type guesser", that is, a command-line tool
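Review bot: the added `select LIBSECCOMP if FILE_SECCOMP` line covers only the dependency side of the option. This view is limited to rules/file.in, so please confirm that the package's make rule passes the seccomp configure switch explicitly in both directions based on FILE_SECCOMP; otherwise a build with the option off could still pick up libseccomp from the sysroot by autodetection, and the menu entry would not reflect what is in the binary. Note also that `select` ignores any `depends on` that LIBSECCOMP may carry, so if that symbol is restricted (for example to certain architectures), FILE_SECCOMP should repeat the same restriction.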
@@ -15,3 +16,14 @@ config FILE
reliable, but requires a bit of I/O.
http://www.darwinsys.com/file/
+
+if FILE
+
+config FILE_SECCOMP
+ bool
+ default y
+ prompt "enable seccomp sandboxing"
+ help
+ Enables seccomp sandboxing to reduce the attack surface.
+
+endif
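Review bot: `default y` on the new FILE_SECCOMP entry, combined with the `select LIBSECCOMP if FILE_SECCOMP` in the first hunk, means every existing configuration with FILE enabled gains libseccomp on the next oldconfig, and the one-line help text gives the user nothing to decide with. Suggest expanding the help to say that the option pulls in libseccomp, that the target kernel needs seccomp filter support for the sandbox to take effect, and when disabling it is reasonable, such as images that only ever run file on trusted input. The rationale from the commit message (files from untrusted sources) belongs in the help text as well, since that is what users see in menuconfig.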