-rw-r--r-- | doc/man/man3/seccomp_rule_add.3 | 5 | ||||
-rw-r--r-- | doc/man/man3/seccomp_syscall_resolve_name.3 | 16 |
2 files changed, 18 insertions, 3 deletions
diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3 index e242115..eda93ae 100644 --- a/doc/man/man3/seccomp_rule_add.3 +++ b/doc/man/man3/seccomp_rule_add.3 @@ -53,8 +53,8 @@ functions all add a new filter rule to the current seccomp filter. The and .BR seccomp_rule_add_array () functions will make a "best effort" to add the rule as specified, but may alter -the rule slightly due to architecture specifics, e.g. socket and ipc functions -on x86. The +the rule slightly due to architecture specifics (e.g. internal rewriting of +multiplexed syscalls, like socket and ipc functions on x86). The .BR seccomp_rule_add_exact () and .BR seccomp_rule_add_exact_array () @@ -299,5 +299,6 @@ Paul Moore <paul@paul-moore.com> .\" ////////////////////////////////////////////////////////////////////////// .SH SEE ALSO .\" ////////////////////////////////////////////////////////////////////////// +.BR seccomp_syscall_resolve_name_rewrite (3), .BR seccomp_syscall_priority (3), .BR seccomp_load (3) diff --git a/doc/man/man3/seccomp_syscall_resolve_name.3 b/doc/man/man3/seccomp_syscall_resolve_name.3 index 670fcd2..3c0f789 100644 --- a/doc/man/man3/seccomp_syscall_resolve_name.3 +++ b/doc/man/man3/seccomp_syscall_resolve_name.3 @@ -30,7 +30,12 @@ and functions resolve the commonly used syscall name to the syscall number used by the kernel and the rest of the libseccomp API, with .BR seccomp_syscall_resolve_name_rewrite() -rewriting the syscall number for architectures that modify the syscall. The +rewriting the syscall number for architectures that modify the syscall. Syscall +rewriting typically happens in case of a multiplexed syscall, like +.BR socketcall (2) +or +.BR ipc (2) +on x86. .BR seccomp_syscall_resolve_num_arch() function resolves the syscall number used by the kernel to the commonly used syscall name. 
@@ -100,6 +105,15 @@ out: .SH NOTES .\" ////////////////////////////////////////////////////////////////////////// .P +In case of bare syscalls implemented on top of a multiplexed syscall, +.BR seccomp_syscall_resolve_name() +and +.BR seccomp_syscall_resolve_name_arch() +can be used to verify if a bare syscall is implemented for a specific +architecture, while +.BR seccomp_syscall_resolve_name_rewrite() +can be used to determine the underlying multiplexed syscall. +.P While the seccomp filter can be generated independent of the kernel, kernel support is required to load and enforce the seccomp filter generated by libseccomp. |
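Review bot: in the seccomp_rule_add.3 hunk at -53,8, the new parenthetical says "socket and ipc functions on x86" while the seccomp_syscall_resolve_name.3 text in this same patch names the multiplexed syscalls as socketcall(2) and ipc(2). Use the same terms in both pages, for example `.BR socketcall (2)` and `.BR ipc (2)`, so a reader can match the two descriptions. This sentence is also where the reader learns the rule may be altered, so a pointer to seccomp_syscall_resolve_name_rewrite(3) would be more useful here than only in SEE ALSO.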
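Review bot: in the seccomp_syscall_resolve_name.3 hunk at -30,7, the removed line ended with "The", which started the next sentence; the added text stops at "on x86." so the page now reads "seccomp_syscall_resolve_num_arch() function resolves ..." with no article. Restore it by ending the added text with "on x86. The" before the `.BR seccomp_syscall_resolve_num_arch()` line.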
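Review bot: the paragraph added under NOTES (hunk at -100,6) says the resolve functions "can be used to verify if a bare syscall is implemented for a specific architecture" but does not say which result tells the caller that it is or is not implemented, or how that result differs from what seccomp_syscall_resolve_name_rewrite() returns. State the values the caller should check for, and define "bare syscall" on first use, since the term is not introduced in the DESCRIPTION text changed by the earlier hunk.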