author: Paul Moore <paul@paul-moore.com> 2017-02-15 19:10:35 -0500
committer: Paul Moore <paul@paul-moore.com> 2017-02-21 17:30:47 -0500
commit: dc879990774b5fe0b5d3362ae592e8a5bb615fbb
tree: 126b545a209cf8b4abf92f50dd4cb6b0f0f0325e /doc
parent: a66f000de92c7ced17ae6615837dabafd803ae42
all: treat syscall -1 as a valid syscall

Process tracers use a -1 syscall value to indicate that a syscall should be skipped. This turns out to be quite an undertaking as we need to work around __NR_SCMP_ERROR (which also has a value of -1). Pay special attention to the new attribute, SCMP_FLTATR_API_TSKIP, and the documentation additions.

More information in the GitHub issue:
* https://github.com/seccomp/libseccomp/issues/80

Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'doc')
-rw-r--r-- doc/man/man3/seccomp_attr_set.3 | 12
-rw-r--r-- doc/man/man3/seccomp_rule_add.3 | 11
2 files changed, 21 insertions, 2 deletions
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3
index f9d8ec1..6a54a71 100644
--- a/doc/man/man3/seccomp_attr_set.3
+++ b/doc/man/man3/seccomp_attr_set.3
@@ -77,6 +77,15 @@ greater; attempting to enable this flag on earlier kernels will result in an
error being returned. Defaults to off (
.I value
== 0).
+.TP
+.B SCMP_FLTATR_ATL_TSKIP
+A flag to specify if libseccomp should allow filter rules to be created for
+the -1 syscall. The -1 syscall value can be used by tracer programs to skip
+specific syscall invocations, see
+.BR seccomp (2)
+for more information. Defaults to off (
+.I value
+== 0).
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
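Review bot: The attribute name on the added ".B" line is spelled SCMP_FLTATR_ATL_TSKIP, but the commit message and the paragraph this patch adds to seccomp_rule_add.3 both call it SCMP_FLTATR_API_TSKIP. One of the two spellings is a typo, and a reader who copies the name from this man page will hit an undeclared identifier. Make the ".B" line match the name used everywhere else in the patch. Separately, the entry just above this one tells the reader what happens on kernels that lack support ("attempting to enable this flag on earlier kernels will result in an error being returned"); the new entry gives no kernel version at all, although seccomp_rule_add.3 ties the feature to Linux v4.8. Say here whether setting the flag on an older kernel fails or is silently accepted.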
@@ -130,4 +139,5 @@ Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_init (3),
.BR seccomp_reset (3),
-.BR seccomp_load (3)
+.BR seccomp_load (3),
+.BR seccomp (2)
diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
index eda93ae..afb173a 100644
--- a/doc/man/man3/seccomp_rule_add.3
+++ b/doc/man/man3/seccomp_rule_add.3
@@ -90,6 +90,14 @@ is highly recommended to use the
.BR SCMP_SYS ()
macro instead. See the EXAMPLES section below.
.P
+Starting with Linux v4.8, there may be a need to create a rule with a syscall
+value of -1 to allow tracing programs to skip a syscall invocation; in order
+to create a rule with a -1 syscall value it is necessary to first set the
+.B SCMP_FLTATR_API_TSKIP
+attribute. See
+.BR seccomp_attr_set (3)
+for more information.
+.P
The filter context
.I ctx
is the value returned by the call to
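Review bot: The added paragraph says the attribute must be set first, but not what seccomp_rule_add() does when a rule for -1 is requested without it. Since the commit message notes that -1 is also the value of __NR_SCMP_ERROR, callers cannot tell from this text whether they get an error return or a rule that is quietly dropped. State the failure mode here or in RETURN VALUE. The paragraph also follows directly after the recommendation to use the SCMP_SYS() macro, so it should say explicitly that the -1 value is passed as a literal rather than through SCMP_SYS(), if that is the intended usage.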
@@ -301,4 +309,5 @@ Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_syscall_resolve_name_rewrite (3),
.BR seccomp_syscall_priority (3),
-.BR seccomp_load (3)
+.BR seccomp_load (3),
+.BR seccomp_attr_set (3)