From a66f000de92c7ced17ae6615837dabafd803ae42 Mon Sep 17 00:00:00 2001 From: Luca Bruno Date: Mon, 11 Jul 2016 15:06:52 +0200 Subject: man: clarify syscall number rewriting In case of multiplexed syscalls, syscall name resolver and rule builder both offer additional functions to ignore or perform syscall number rewriting. This commit introduces additional explicit details to the corresponding manpages. Signed-off-by: Luca Bruno [PM: minor man-page style fixes] Signed-off-by: Paul Moore --- doc/man/man3/seccomp_rule_add.3 | 5 +++-- doc/man/man3/seccomp_syscall_resolve_name.3 | 16 +++++++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3 index e242115..eda93ae 100644 --- a/doc/man/man3/seccomp_rule_add.3 +++ b/doc/man/man3/seccomp_rule_add.3 @@ -53,8 +53,8 @@ functions all add a new filter rule to the current seccomp filter. The and .BR seccomp_rule_add_array () functions will make a "best effort" to add the rule as specified, but may alter -the rule slightly due to architecture specifics, e.g. socket and ipc functions -on x86. The +the rule slightly due to architecture specifics (e.g. internal rewriting of +multiplexed syscalls, like socket and ipc functions on x86). The .BR seccomp_rule_add_exact () and .BR seccomp_rule_add_exact_array () @@ -299,5 +299,6 @@ Paul Moore .\" ////////////////////////////////////////////////////////////////////////// .SH SEE ALSO .\" ////////////////////////////////////////////////////////////////////////// +.BR seccomp_syscall_resolve_name_rewrite (3), .BR seccomp_syscall_priority (3), .BR seccomp_load (3) diff --git a/doc/man/man3/seccomp_syscall_resolve_name.3 b/doc/man/man3/seccomp_syscall_resolve_name.3 index 670fcd2..3c0f789 100644 --- a/doc/man/man3/seccomp_syscall_resolve_name.3 +++ b/doc/man/man3/seccomp_syscall_resolve_name.3 
@@ -30,7 +30,12 @@ and functions resolve the commonly used syscall name to the syscall number used by the kernel and the rest of the libseccomp API, with .BR seccomp_syscall_resolve_name_rewrite() -rewriting the syscall number for architectures that modify the syscall. The +rewriting the syscall number for architectures that modify the syscall. Syscall +rewriting typically happens in case of a multiplexed syscall, like +.BR socketcall (2) +or +.BR ipc (2) +on x86. .BR seccomp_syscall_resolve_num_arch() function resolves the syscall number used by the kernel to the commonly used syscall name. @@ -100,6 +105,15 @@ out: .SH NOTES .\" ////////////////////////////////////////////////////////////////////////// .P +In case of bare syscalls implemented on top of a multiplexed syscall, +.BR seccomp_syscall_resolve_name() +and +.BR seccomp_syscall_resolve_name_arch() +can be used to verify if a bare syscall is implemented for a specific +architecture, while +.BR seccomp_syscall_resolve_name_rewrite() +can be used to determine the underlying multiplexed syscall. +.P While the seccomp filter can be generated independent of the kernel, kernel support is required to load and enforce the seccomp filter generated by libseccomp. -- cgit v1.2.1
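Review bot: the seccomp_rule_add.3 hunk at @@ -53,8 writes the examples as plain text ("like socket and ipc functions on x86") while the companion hunk in seccomp_syscall_resolve_name.3 renders the same examples as man-page cross references (`.BR socketcall (2)` / `.BR ipc (2)`); for consistency and so readers can follow the reference, consider using the same `.BR socketcall (2)` and `.BR ipc (2)` form here as well.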
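Review bot: the SEE ALSO hunk at @@ -299,5 adds a reference to seccomp_syscall_resolve_name_rewrite(3), but the documentation for that function lives in seccomp_syscall_resolve_name.3 according to this patch; make sure a man-page alias or link exists under the seccomp_syscall_resolve_name_rewrite name, otherwise `man 3 seccomp_syscall_resolve_name_rewrite` will not resolve and the cross reference is dead.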
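Review bot: the hunk at @@ -30,7 in seccomp_syscall_resolve_name.3 drops the trailing "The" from the removed line ("... modify the syscall. The") but the replacement ends at "on x86." with no article, so the rendered text now reads "on x86. seccomp_syscall_resolve_name_num_arch() function resolves ...". Append "The" to the new last line (`+on x86. The`) so the following `.BR seccomp_syscall_resolve_num_arch()` sentence stays grammatical.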
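Review bot: the NOTES hunk at @@ -100,6 says seccomp_syscall_resolve_name() and seccomp_syscall_resolve_name_arch() "can be used to verify if a bare syscall is implemented for a specific architecture" without telling the reader how that verification shows up to the caller; spell out which return value signals "not implemented on this architecture" (the RETURN VALUE section of this page is the natural place to point at), and consider introducing the term "bare syscall" before using it, since the paragraph relies on the contrast between a bare syscall and its multiplexed counterpart but never defines it.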