author | Luca Bruno <lucab@debian.org> | 2016-06-10 12:39:03 +0200 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2016-06-20 17:38:12 -0400 |
commit | 937e774d8ccfd063a601f49ef46769de3926b62d (patch) | |
tree | 941acc471ec5b89691f2fd32467c4a26b9a68611 /doc | |
parent | 5e0a33f8f5c086204451041c43010e4ab51b5c6e (diff) | |
download | libseccomp-937e774d8ccfd063a601f49ef46769de3926b62d.tar.gz |
man: clarify SCMP_FLTATR_CTL_NNP semantic
Clarify that the zero value results in a no-op on libseccomp
side, and applications will need to have proper caps
or set NO_NEW_PRIVS by themselves.
Signed-off-by: Luca Bruno <lucab@debian.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man/man3/seccomp_attr_set.3 | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3 index 806b223..f9d8ec1 100644 --- a/doc/man/man3/seccomp_attr_set.3 +++ b/doc/man/man3/seccomp_attr_set.3 @@ -59,10 +59,11 @@ action. .TP .B SCMP_FLTATR_CTL_NNP A flag to specify if the NO_NEW_PRIVS functionality should be enabled before -loading the seccomp filter into the kernel. If set to off ( +loading the seccomp filter into the kernel. Setting this to off ( .I value -== 0) then loading the seccomp filter into the kernel will fail if CAP_SYS_ADMIN -is not set. Defaults to on ( +== 0) results in no action, meaning that loading the seccomp filter into the +kernel will fail if CAP_SYS_ADMIN is missing and NO_NEW_PRIVS has not been +externally set. Defaults to on ( .I value == 1). .TP |
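Review bot: In the added sentence, "results in no action" can be read as the filter load itself being a no-op. It would be clearer to say that libseccomp does not enable NO_NEW_PRIVS on the caller's behalf, for example "Setting this to off (value == 0) means libseccomp will not enable NO_NEW_PRIVS itself". "Externally set" is also vague: name the mechanism the application is expected to use, a prctl(2) call with PR_SET_NO_NEW_PRIVS made before seccomp_load(3), and consider stating how the failure surfaces to the caller, since the text says only that loading "will fail".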