Lines Matching full:should

14 Whether an interpreter should check these securebits or not depends on the
18 syscalls and access arbitrary files.  Such interpreters should then be
20 However, a JavaScript engine running in a web browser should already be
21 sandboxed and then should not be able to harm the user's environment.
41 Programs should always perform this check to apply kernel-level checks against
44 view of the interpreter, should be checked.  However the result of this check
45 should only be enforced according to ``SECBIT_EXEC_RESTRICT_FILE`` or
54 In a secure environment, libraries and any executable dependencies should also
55 be checked.  For instance, dynamic linking should make sure that all libraries
57 For such secure execution environment to make sense, only trusted code should
61 ``AT_EXECVE_CHECK`` should be used with ``AT_EMPTY_PATH`` to check against a
67 When ``SECBIT_EXEC_RESTRICT_FILE`` is set, a process should only interpret or
73 related ``SECBIT_EXEC_RESTRICT_FILE_LOCKED`` bit should also be set.
75 Programs should only enforce consistent restrictions according to the
78 vetted by the system configuration (through the kernel), so we should be
86 make sense, the system should provide a consistent security policy to avoid
89 When ``SECBIT_EXEC_DENY_INTERACTIVE`` is set, a process should never interpret
91 through a file descriptor (e.g. stdin), its content should be interpreted if a
96 should always deny such execution if ``SECBIT_EXEC_DENY_INTERACTIVE`` is set.
100 related ``SECBIT_EXEC_DENY_INTERACTIVE_LOCKED`` bit should also be set.
111    ``AT_EXECVE_CHECK`` which should always be performed but ignored by the