File: rule.yml

scap-security-guide 0.1.78-1
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (37 lines) | stat: -rw-r--r-- 1,129 bytes
documentation_complete: true

title: 'Enable seccomp to safely compute untrusted bytecode'

description: |-
    This kernel feature is useful for number crunching applications that may need to compute
    untrusted bytecode during their execution. By using pipes or other transports made available
    to the process as file descriptors supporting the read/write syscalls, it's possible to isolate
    those applications in their own address space using seccomp.

    {{{ describe_kernel_build_config("CONFIG_SECCOMP", "y") | indent(4) }}}

rationale: |-
    <tt>seccomp</tt> enables the ability to filter system calls made by an application, effectively
    isolating the system's resources from it.

warnings:
    {{{ warning_kernel_build_config() | indent(4) }}}

severity: medium

identifiers:
    cce@rhel8: CCE-86450-4
    cce@rhel9: CCE-86451-2
    cce@rhel10: CCE-87403-2

ocil_clause: 'the kernel was not built with the required value'

ocil: |-
    {{{ ocil_kernel_build_config("CONFIG_SECCOMP", "y") | indent(4) }}}

template:
    name: kernel_build_config
    vars:
        config: CONFIG_SECCOMP
        value: 'y'
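
An added example, not part of scap-security-guide: a POSIX shell check for what this rule asserts, that the kernel build config records `CONFIG_SECCOMP=y`. It assumes build configs are stored as `config-*` files in one directory (for example `/boot`); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a kernel build option in /boot-style config files.

# Print the value OPTION ($2) has in FILE ($1), or "unset" when it is absent
# or recorded as "# OPTION is not set". The match is anchored on the whole
# option name, so CONFIG_SECCOMP does not match CONFIG_SECCOMP_FILTER.
kconfig_value() {
    val=$(sed -n 's/^'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Return 0 when every DIR/config-* file sets OPTION to WANT, 1 when any file
# differs, 2 when no readable config file exists (nothing could be checked).
check_kernel_build_config() {
    dir=$1 opt=$2 want=$3 seen=0 rc=0
    for f in "$dir"/config-*; do
        [ -r "$f" ] || continue
        seen=1
        got=$(kconfig_value "$f" "$opt")
        if [ "$got" = "$want" ]; then
            echo "PASS $f: $opt=$got"
        else
            echo "FAIL $f: $opt is $got, expected $want"
            rc=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "UNKNOWN: no config-* file in $dir"; return 2; }
    return "$rc"
}

# Constructed sample data (not real kernel configs): one file with the option
# enabled, one where only a longer option name contains the same prefix.
make_sample_boot() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_SECCOMP=y' 'CONFIG_SECCOMP_FILTER=y' \
        > "$d/config-6.0.0-good"
    printf '%s\n' '# CONFIG_SECCOMP is not set' 'CONFIG_SECCOMP_FILTER=y' \
        > "$d/config-6.0.0-bad"
    printf '%s\n' "$d"
}

# Demonstration on the constructed files; the second file must be reported.
boot=$(make_sample_boot)
check_kernel_build_config "$boot" CONFIG_SECCOMP y || echo "exit status: $?"
rm -rf "$boot"
```

On a host that keeps its build configs in `/boot`, the equivalent call is `check_kernel_build_config /boot CONFIG_SECCOMP y`.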