seccomp_unotify.2: Minor tweaks to Rodrigo's patch

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Alejandro Colomar 2021-07-28 22:19:53 +02:00 committed by Michael Kerrisk
parent 3e2656812f
commit 1cca69d3a7
1 changed files with 17 additions and 15 deletions


@ -740,16 +740,18 @@ use the file descriptor number specified in the
.I newfd .I newfd
field. field.
.TP .TP
.BR SECCOMP_ADDFD_FLAG_SEND .BR SECCOMP_ADDFD_FLAG_SEND " (since Linux 5.14)"
Available since Linux 5.14, combines the Combines the
.B SECCOMP_IOCTL_NOTIF_ADDFD .B SECCOMP_IOCTL_NOTIF_ADDFD
ioctl with ioctl with
.B SECCOMP_IOCTL_NOTIF_SEND .B SECCOMP_IOCTL_NOTIF_SEND
into an atomic operation. On successful invocation, the target process's into an atomic operation.
errno will be 0 and the return value will be the file descriptor number that was On successful invocation, the target process's errno will be 0
installed in the target. If allocating the file descriptor in the tatget fails, and the return value will be the file descriptor number
the target's syscall continues to be blocked until a successful response is that was installed in the target.
sent. If allocating the file descriptor in the tatget fails,
the target's syscall continues to be blocked
until a successful response is sent.
.RE .RE
.TP .TP
.I srcfd .I srcfd
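
Review bot: The rewrapped line "If allocating the file descriptor in the tatget fails," still carries the typo "tatget"; since this hunk already touches that sentence, correct it to "target" here. In the same paragraph "errno" is left as plain text, and marking it up as ".I errno" would match how the hunk formats ".I newfd" and ".I srcfd".
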
@ -1149,14 +1151,6 @@ that would
normally be restarted by the normally be restarted by the
.BR SA_RESTART .BR SA_RESTART
flag. flag.
.PP
Furthermore, if the supervisor response is a file descriptor
added with
.B SECCOMP_IOCTL_NOTIF_ADDFD,
then the flag
.B SECCOMP_ADDFD_FLAG_SEND
can be used to atomically add the file descriptor and return that value,
making sure no file descriptors are inadvertently leaked into the target.
.\" FIXME .\" FIXME
.\" About the above, Kees Cook commented: .\" About the above, Kees Cook commented:
.\" .\"
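
Review bot: The commit message says only "Minor tweaks", but the paragraph removed here sat between the SA_RESTART text and the FIXME comment that opens with "About the above, Kees Cook commented:", so taking it out changes what "the above" refers to. Say in the commit message that the paragraph is being relocated so the FIXME again follows the restart discussion it comments on.
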
@ -1176,6 +1170,14 @@ making sure no file descriptors are inadvertently leaked into the target.
.\" calls because it's impossible for the kernel to restart the call .\" calls because it's impossible for the kernel to restart the call
.\" with the right timeout value. I wonder what happens when those .\" with the right timeout value. I wonder what happens when those
.\" system calls are restarted in the scenario we're discussing.) .\" system calls are restarted in the scenario we're discussing.)
.PP
Furthermore, if the supervisor response is a file descriptor
added with
.B SECCOMP_IOCTL_NOTIF_ADDFD,
then the flag
.B SECCOMP_ADDFD_FLAG_SEND
can be used to atomically add the file descriptor and return that value,
making sure no file descriptors are inadvertently leaked into the target.
.SH BUGS .SH BUGS
If a If a
.BR SECCOMP_IOCTL_NOTIF_RECV .BR SECCOMP_IOCTL_NOTIF_RECV
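
Review bot: In the relocated paragraph, ".B SECCOMP_IOCTL_NOTIF_ADDFD," sets the trailing comma in bold along with the constant; write it as ".BR SECCOMP_IOCTL_NOTIF_ADDFD ," so that only the name is bold. The paragraph also repeats what the SECCOMP_ADDFD_FLAG_SEND entry in the first hunk already says about the atomic operation, so consider shortening it to the point that is new here, that using the flag keeps file descriptors from being inadvertently leaked into the target.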