author | Paul Moore <paul@paul-moore.com> | 2017-02-15 19:10:35 -0500 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2017-02-21 17:30:47 -0500 |
commit | dc879990774b5fe0b5d3362ae592e8a5bb615fbb (patch) | |
tree | 126b545a209cf8b4abf92f50dd4cb6b0f0f0325e /doc | |
parent | a66f000de92c7ced17ae6615837dabafd803ae42 (diff) | |
download | libseccomp-dc879990774b5fe0b5d3362ae592e8a5bb615fbb.tar.gz |
all: treat syscall -1 as a valid syscall
Process tracers use a -1 syscall value to indicate that a syscall
should be skipped. This turns out to be quite an undertaking as
we need to work around __NR_SCMP_ERROR (which also has a value of
-1). Pay special attention to the new attribute,
SCMP_FLTATR_API_TSKIP, and the documentation additions.
More information in the GitHub issue:
* https://github.com/seccomp/libseccomp/issues/80
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man/man3/seccomp_attr_set.3 | 12 | ||||
-rw-r--r-- | doc/man/man3/seccomp_rule_add.3 | 11 |
2 files changed, 21 insertions, 2 deletions
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3 index f9d8ec1..6a54a71 100644 --- a/doc/man/man3/seccomp_attr_set.3 +++ b/doc/man/man3/seccomp_attr_set.3 @@ -77,6 +77,15 @@ greater; attempting to enable this flag on earlier kernels will result in an error being returned. Defaults to off ( .I value == 0). +.TP +.B SCMP_FLTATR_ATL_TSKIP +A flag to specify if libseccomp should allow filter rules to be created for +the -1 syscall. The -1 syscall value can be used by tracer programs to skip +specific syscall invocations, see +.BR seccomp (2) +for more information. Defaults to off ( +.I value +== 0). .\" ////////////////////////////////////////////////////////////////////////// .SH RETURN VALUE .\" ////////////////////////////////////////////////////////////////////////// @@ -130,4 +139,5 @@ Paul Moore <paul@paul-moore.com> .\" ////////////////////////////////////////////////////////////////////////// .BR seccomp_init (3), .BR seccomp_reset (3), -.BR seccomp_load (3) +.BR seccomp_load (3), +.BR seccomp (2) diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3 index eda93ae..afb173a 100644 --- a/doc/man/man3/seccomp_rule_add.3 +++ b/doc/man/man3/seccomp_rule_add.3 @@ -90,6 +90,14 @@ is highly recommended to use the .BR SCMP_SYS () macro instead. See the EXAMPLES section below. .P +Starting with Linux v4.8, there may be a need to create a rule with a syscall +value of -1 to allow tracing programs to skip a syscall invocation; in order +to create a rule with a -1 syscall value it is necessary to first set the +.B SCMP_FLTATR_API_TSKIP +attribute. See +.BR seccomp_attr_set (3) +for more information. +.P The filter context .I ctx is the value returned by the call to 
@@ -301,4 +309,5 @@ Paul Moore <paul@paul-moore.com> .\" ////////////////////////////////////////////////////////////////////////// .BR seccomp_syscall_resolve_name_rewrite (3), .BR seccomp_syscall_priority (3), -.BR seccomp_load (3) +.BR seccomp_load (3), +.BR seccomp_attr_set (3) |
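Review bot: the attribute name in the new .TP entry of doc/man/man3/seccomp_attr_set.3 (hunk @@ -77,6 +77,15 @@) is spelled "SCMP_FLTATR_ATL_TSKIP", while the commit message and the paragraph added to seccomp_rule_add.3 both call it "SCMP_FLTATR_API_TSKIP". The two man pages cross-reference each other, so a reader following seccomp_rule_add(3) to seccomp_attr_set(3) will not find the name they were sent to look up. Suggest changing the line to ".B SCMP_FLTATR_API_TSKIP" so both pages and the commit message agree.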
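Review bot: the paragraph added to doc/man/man3/seccomp_rule_add.3 (hunk @@ -90,6 +90,14 @@) says it is "necessary to first set" the attribute before creating a rule for the -1 syscall, but does not say what the caller sees when the attribute is left at its default of off. Suggest stating the outcome explicitly in that paragraph (and in RETURN VALUE if a specific error is returned), so that someone building a filter for a traced process can tell a rejected -1 rule apart from other failures. The "Starting with Linux v4.8" qualifier also appears only here; the new entry in seccomp_attr_set.3 gives no kernel version, unlike the entry just above it, and could repeat it.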