From b9a8f3dbdfe84bfe7802bb9532253cc0a46b5b8a Mon Sep 17 00:00:00 2001
From: Tom Hromatka <tom.hromatka@oracle.com>
Date: Tue, 17 Aug 2021 14:28:30 -0600
Subject: doc: Add BUGS section to seccomp_rule_add.3

Add BUGS section to seccomp_rule_add.3 and add a warning about
adding a seccomp filter to syscalls that are always expected to
succeed.

PowerPC's glibc behaves differently from other architectures and
will not return a negative number for the getpid() syscall.

Fixes: https://github.com/seccomp/libseccomp/issues/313
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
---
 doc/man/man3/seccomp_rule_add.3 | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'doc')

diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
index 4d8ef3f..3ad80c7 100644
--- a/doc/man/man3/seccomp_rule_add.3
+++ b/doc/man/man3/seccomp_rule_add.3
@@ -424,6 +424,24 @@ The libseccomp project site, with more information and the source code
 repository, can be found at https://github.com/seccomp/libseccomp.  This tool,
 as well as the libseccomp library, is currently under development, please
 report any bugs at the project site or directly to the author.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH BUGS
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The runtime behavior of seccomp filters is dependent upon the kernel
+version, the processor architecture, and other libraries including libc.
+This could affect the return code of a seccomp filter.
+
+.TP
+.B *
+PowerPC glibc will not return a negative number when the
+.B getpid()
+syscall is invoked.  If a seccomp filter has been created where
+.B getpid()
+will return a negative number from the kernel, then PowerPC glibc will
+return the absolute value of the errno.  In this case, it is very difficult
+for an application to distinguish between the errno and a valid pid.
+
 .\" //////////////////////////////////////////////////////////////////////////
 .SH AUTHOR
 .\" //////////////////////////////////////////////////////////////////////////
-- 
cgit v1.2.1