mirror of https://github.com/mkerrisk/man-pages
seccomp_unotify.2: Fixes after review comments from Christian Brauner
Reported-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent
fd376c6b2a
commit
03e4237409
|
@ -59,23 +59,30 @@ operations (described below).
|
||||||
.\"
|
.\"
|
||||||
.SS Overview
|
.SS Overview
|
||||||
In conventional usage of a seccomp filter,
|
In conventional usage of a seccomp filter,
|
||||||
the decision about how to treat a particular system call
|
the decision about how to treat a system call is made by the filter itself.
|
||||||
is made by the filter itself.
|
By contrast, the user-space notification mechanism allows
|
||||||
The user-space notification mechanism allows the handling of
|
the seccomp filter to delegate
|
||||||
the system call to instead be handed off to a user-space process.
|
the handling of the system call to another user-space process.
|
||||||
The advantages of doing this are that, by contrast with the seccomp filter,
|
|
||||||
which is running on a virtual machine inside the kernel,
|
|
||||||
the user-space process has access to information that is unavailable
|
|
||||||
to the seccomp filter and it can perform actions
|
|
||||||
that can't be performed from the seccomp filter.
|
|
||||||
.PP
|
.PP
|
||||||
In the discussion that follows,
|
In the discussion that follows,
|
||||||
the thread(s) on which the seccomp filter is installed are referred to as the
|
the thread(s) on which the seccomp filter is installed is (are)
|
||||||
|
referred to as the
|
||||||
.IR target ,
|
.IR target ,
|
||||||
and the process that is notified by the user-space notification
|
and the process that is notified by the user-space notification
|
||||||
mechanism is referred to as the
|
mechanism is referred to as the
|
||||||
.IR supervisor .
|
.IR supervisor .
|
||||||
An overview of the steps performed by these target and the supervisor
|
.PP
|
||||||
|
A suitably privileged supervisor can use the user-space notification
|
||||||
|
mechanism to perform actions on behalf of the target.
|
||||||
|
The advantage of the user-space notification mechanism is that
|
||||||
|
the supervisor will
|
||||||
|
usually be able to retrieve information about the target and the
|
||||||
|
performed system call that the seccomp filter itself cannot.
|
||||||
|
(A seccomp filter is limited in the information it can obtain and
|
||||||
|
the actions that it can perform because it
|
||||||
|
is running on a virtual machine inside the kernel.)
|
||||||
|
.PP
|
||||||
|
An overview of the steps performed by the target and the supervisor
|
||||||
is as follows:
|
is as follows:
|
||||||
.\"-------------------------------------
|
.\"-------------------------------------
|
||||||
.IP 1. 3
|
.IP 1. 3
|
||||||
|
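Review bot: the new wording "the thread(s) on which the seccomp filter is installed is (are) referred to as the target" is awkward; since the subject is already written as "thread(s)", plain "are referred to as the" reads cleanly and matches the old line. In the new paragraph, "A suitably privileged supervisor" leaves open what privilege is required; if this is specified elsewhere in the page, a cross-reference here would help, otherwise a short statement of the requirement belongs in this paragraph.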
@ -149,10 +156,10 @@ Whenever one of these system calls causes the filter to return the
|
||||||
.B SECCOMP_RET_USER_NOTIF
|
.B SECCOMP_RET_USER_NOTIF
|
||||||
action value, the kernel does
|
action value, the kernel does
|
||||||
.I not
|
.I not
|
||||||
execute the system call;
|
(yet) execute the system call;
|
||||||
instead, execution of the target is temporarily blocked inside
|
instead, execution of the target is temporarily blocked inside
|
||||||
the kernel and a notification event is generated on
|
the kernel (in a sleep state that is interruptible by signals)
|
||||||
the listening file descriptor.
|
and a notification event is generated on the listening file descriptor.
|
||||||
.\"-------------------------------------
|
.\"-------------------------------------
|
||||||
.IP 5.
|
.IP 5.
|
||||||
The supervisor can now repeatedly monitor the
|
The supervisor can now repeatedly monitor the
|
||||||
|
|
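Review bot: adding "(in a sleep state that is interruptible by signals)" raises the question of what happens to the pending notification when a signal does interrupt the blocked target, and this hunk does not answer it. Either say here how the interrupted case is handled (or where in the page it is described), or drop the parenthetical so the step does not introduce a case it leaves undefined. The "(yet)" insertion is a good clarification, since the call may still be executed later.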