[OpenWrt-Devel] enabling seccomp by default in kernel

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Feb 15 10:22:26 EST 2015

On Sat, 2015-02-14 at 15:31 -0800, David Lang wrote:

> > I've also enabled the ocserv package to use seccomp if configured to,
> > but in order for that protection to become meaningful for other
> > programs to use as well, it would also need the default kernel option to
> > enable seccomp filter.
> It needs the kernel support to use the seccomp filter, but why is this so 
> critical that it must be enabled by default?

Being critical isn't the only reason for enabling kernel options on
openwrt. IPv6 isn't critical, many can live without it, but still it is
there. The question is whether the added value of seccomp justifies the
few kilobytes spent. My opinion on that, is that exploits on a router
are more grave than on a PC, because a router is harder to upgrade, and
an issue is harder to notice. For that a mechanism like seccomp which
can contain potential damage, is very useful on openwrt.

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list