From e74831eb6679bc2ae12a7f426de0e75859032e81 Mon Sep 17 00:00:00 2001 From: Tudor Brindus Date: Sat, 11 Jul 2020 02:23:24 -0400 Subject: doc: clarify that syscall must exist in all filter architectures If a syscall is used in a multi-architecture filter, the syscall must exist in all the architectures, or -EOPNOTSUPP is returned. For example, epoll_wait_old has value 215 in x86-64, but does not exist in x86. Trying to add a filter rule including it in a x86-64/x86 filter will fail. This commit clarifies that libseccomp will reject a rule containing such a case. Signed-off-by: Tudor Brindus Acked-by: Tom Hromatka Signed-off-by: Paul Moore --- doc/man/man3/seccomp_rule_add.3 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3 index 99d85e2..efa1bc6 100644 --- a/doc/man/man3/seccomp_rule_add.3 +++ b/doc/man/man3/seccomp_rule_add.3 @@ -140,6 +140,9 @@ rule, you can only compare each argument once in a single rule. In other words, you can not have multiple comparisons of the 3rd syscall argument in a single rule. .P +In a filter containing multiple architectures, it is an error to add a filter +rule for a syscall that does not exist in all of the filter's architectures. +.P While it is possible to specify the .I syscall value directly using the standard -- cgit v1.2.1
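Review bot: The two added lines following "in a single rule." say only that "it is an error" and omit the return value the commit message names, -EOPNOTSUPP, so a caller reading the man page cannot distinguish this failure from other rule-add errors. Suggest stating it in the sentence, for example "... the rule is rejected and -EOPNOTSUPP is returned". Also consider carrying the commit message's epoll_wait_old case (215 on x86-64, absent on x86) into the text, so that anyone building an x86-64/x86 filter knows to check the result of each rule add rather than assume the rule was installed.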