doc: clarify that syscall must exist in all filter architectures

If a syscall is used in a multi-architecture filter, the syscall must exist in all the architectures, or -EOPNOTSUPP is returned. For example, epoll_wait_old has value 215 in x86-64, but does not exist in x86. Trying to add a filter rule including it in a x86-64/x86 filter will fail. This commit clarifies that libseccomp will reject a rule containing such a case. Signed-off-by: Tudor Brindus <me@tbrindus.ca> Acked-by: Tom Hromatka <tom.hromatka@oracle.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Tudor Brindus <me@tbrindus.ca> 2020-07-11 02:23:24 -0400
committer: Paul Moore <paul@paul-moore.com> 2020-07-13 21:02:38 -0400
commit: e74831eb6679bc2ae12a7f426de0e75859032e81 (patch)
tree: 6377a713b57866ba71ac71c0afeb1e724d7564dd /doc
parent: 6b286c2e8e43de76746346b8eab855311915f5aa (diff)
download: libseccomp-e74831eb6679bc2ae12a7f426de0e75859032e81.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
index 99d85e2..efa1bc6 100644
--- a/doc/man/man3/seccomp_rule_add.3
+++ b/doc/man/man3/seccomp_rule_add.3
@@ -140,6 +140,9 @@ rule, you can only compare each argument once in a single rule.  In other words,
 you can not have multiple comparisons of the 3rd syscall argument in a single
 rule.
 .P
+In a filter containing multiple architectures, it is an error to add a filter
+rule for a syscall that does not exist in all of the filter's architectures.
+.P
 While it is possible to specify the
 .I syscall
 value directly using the standard
author	Tudor Brindus <me@tbrindus.ca>	2020-07-11 02:23:24 -0400
committer	Paul Moore <paul@paul-moore.com>	2020-07-13 21:02:38 -0400
commit	e74831eb6679bc2ae12a7f426de0e75859032e81 (patch)
tree	6377a713b57866ba71ac71c0afeb1e724d7564dd /doc
parent	6b286c2e8e43de76746346b8eab855311915f5aa (diff)
download	libseccomp-e74831eb6679bc2ae12a7f426de0e75859032e81.tar.gz