author Luca Bruno <lucab@debian.org> 2016-06-10 12:39:03 +0200
committer Paul Moore <paul@paul-moore.com> 2016-06-20 17:38:12 -0400
commit 937e774d8ccfd063a601f49ef46769de3926b62d (patch)
tree 941acc471ec5b89691f2fd32467c4a26b9a68611
parent 5e0a33f8f5c086204451041c43010e4ab51b5c6e (diff)
download libseccomp-937e774d8ccfd063a601f49ef46769de3926b62d.tar.gz
man: clarify SCMP_FLTATR_CTL_NNP semantic
Clarify that the zero value results in a no-op on the libseccomp side, and applications will need to have proper caps or set NO_NEW_PRIVS by themselves.

Signed-off-by: Luca Bruno <lucab@debian.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- doc/man/man3/seccomp_attr_set.3 | 7
1 files changed, 4 insertions, 3 deletions
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3
index 806b223..f9d8ec1 100644
--- a/doc/man/man3/seccomp_attr_set.3
+++ b/doc/man/man3/seccomp_attr_set.3
@@ -59,10 +59,11 @@ action.
.TP
.B SCMP_FLTATR_CTL_NNP
A flag to specify if the NO_NEW_PRIVS functionality should be enabled before
-loading the seccomp filter into the kernel. If set to off (
+loading the seccomp filter into the kernel. Setting this to off (
.I value
-== 0) then loading the seccomp filter into the kernel will fail if CAP_SYS_ADMIN
-is not set. Defaults to on (
+== 0) results in no action, meaning that loading the seccomp filter into the
+kernel will fail if CAP_SYS_ADMIN is missing and NO_NEW_PRIVS has not been
+externally set. Defaults to on (
.I value
== 1).
.TP
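Review bot: the added line "== 0) results in no action" does not say who takes no action, so a reader can take it to mean the kernel or the filter load itself does nothing. The commit message is clearer ("a no-op on libseccomp side"); consider wording it as "libseccomp does not set NO_NEW_PRIVS". In the same sentence, "externally set" leaves the responsible party implicit: saying that the calling application must set NO_NEW_PRIVS itself before the filter is loaded (for example with prctl(2)) would tell the reader what to do when CAP_SYS_ADMIN is missing. It would also help to state that the failure is reported by the filter load call, not by seccomp_attr_set() with value 0, since the attribute is documented on this page but the error surfaces elsewhere.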