mirror of https://github.com/mkerrisk/man-pages
seccomp.2: Rewrap long source lines and on sentence breaks
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
b0bd99827c
commit
1e94218cbd
|
@ -210,14 +210,19 @@ diverging from the calling thread's filter tree.
|
|||
.\" commit e66a39977985b1e69e17c4042cb290768eca9b02
|
||||
All filter return actions except
|
||||
.BR SECCOMP_RET_ALLOW
|
||||
should be logged. An administrator may override this filter flag by preventing specific actions from being logged via the
|
||||
should be logged.
|
||||
An administrator may override this filter flag by preventing specific
|
||||
actions from being logged via the
|
||||
.IR /proc/sys/kernel/seccomp/actions_logged
|
||||
file.
|
||||
.RE
|
||||
.TP
|
||||
.BR SECCOMP_GET_ACTION_AVAIL " (since Linux 4.14)"
|
||||
.\" commit d612b1fd8010d0d67b5287fe146b8b55bcbb8655
|
||||
Test to see if an action is supported by the kernel. This operation is helpful to confirm that the kernel knows of a more recently added filter return action since the kernel treats all unknown actions as
|
||||
Test to see if an action is supported by the kernel.
|
||||
This operation is helpful to confirm that the kernel knows
|
||||
of a more recently added filter return action
|
||||
since the kernel treats all unknown actions as
|
||||
.BR SECCOMP_RET_KILL .
|
||||
.IP
|
||||
The value of
|
||||
|
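Review bot: The new break after "An administrator may override this filter flag by preventing specific" falls in the middle of a noun phrase, separating "specific" from "actions", which does not match the commit's stated goal of wrapping on sentence breaks. Break at a clause boundary instead, for example end the line at "this filter flag" and start the next with "by preventing specific actions from being logged via the", so that a later edit to either clause touches only one source line.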
@ -510,8 +515,9 @@ ptracers can use this mechanism to escape from the seccomp sandbox.)
|
|||
.TP
|
||||
.BR SECCOMP_RET_LOG " (since Linux 4.14)"
|
||||
.\" commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4
|
||||
This value results in the system call being executed after the filter return
|
||||
action is logged. An administrator may override the logging of this action via
|
||||
This value results in the system call being executed after
|
||||
the filter return action is logged.
|
||||
An administrator may override the logging of this action via
|
||||
the
|
||||
.IR /proc/sys/kernel/seccomp/actions_logged
|
||||
file.
|
||||
|
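Review bot: In the SECCOMP_RET_LOG entry the rewrapped sentence now ends a line on "via" and leaves the unchanged context line "the" alone on a source line before the .IR path. Since this sentence is being rewrapped anyway, move "the" up so the line reads "An administrator may override the logging of this action via the", or break before "via the", and drop the one-word line.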
@ -525,22 +531,25 @@ provide additional seccomp information and configuration:
|
|||
.TP
|
||||
.IR actions_avail " (since Linux 4.14)"
|
||||
.\" commit 8e5f1ad116df6b0de65eac458d5e7c318d1c05af
|
||||
A read-only ordered list of seccomp filter return actions in string form. The
|
||||
ordering, from left-to-right, is in decreasing order of precedence. The list
|
||||
represents the set of seccomp filter return actions supported by the kernel.
|
||||
A read-only ordered list of seccomp filter return actions in string form.
|
||||
The ordering, from left-to-right, is in decreasing order of precedence.
|
||||
The list represents the set of seccomp filter return actions
|
||||
supported by the kernel.
|
||||
.TP
|
||||
.IR actions_logged " (since Linux 4.14)"
|
||||
.\" commit 0ddec0fc8900201c0897b87b762b7c420436662f
|
||||
A read-write ordered list of seccomp filter return actions that are allowed to
|
||||
be logged. Writes to the file do not need to be in ordered form but reads from
|
||||
A read-write ordered list of seccomp filter return actions that
|
||||
are allowed to be logged.
|
||||
Writes to the file do not need to be in ordered form but reads from
|
||||
the file will be ordered in the same way as the
|
||||
.IR actions_avail
|
||||
file.
|
||||
.IP
|
||||
It is important to note that the value of
|
||||
.IR actions_logged
|
||||
does not prevent certain filter return actions from being logged when the audit
|
||||
subsystem is configured to audit a task. If the action is not found in the
|
||||
does not prevent certain filter return actions from being logged when
|
||||
the audit subsystem is configured to audit a task.
|
||||
If the action is not found in the
|
||||
.IR actions_logged
|
||||
file, the final decision on whether to audit the action for that task is
|
||||
ultimately left up to the audit subsystem to decide for all filter return
|
||||
|
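Review bot: In the actions_logged entry, "Writes to the file do not need to be in ordered form but reads from" still breaks mid-clause, with "the file will be ordered in the same way as the" left as unchanged context. Breaking before "but reads from the file" would put each clause on its own line. The sentence at the end of the hunk ("file, the final decision on whether to audit the action for that task is" / "ultimately left up to the audit subsystem to decide for all filter return") is also still filled to width rather than wrapped on a clause boundary, so the paragraph ends up in two wrapping styles. Either rewrap it here too or note in the commit message that only some lines were handled.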
@ -551,7 +560,8 @@ The "allow" string is not accepted in the
|
|||
.IR actions_logged
|
||||
file as it is not possible to log
|
||||
.BR SECCOMP_RET_ALLOW
|
||||
actions. Attempting to write "allow" to the file will result in
|
||||
actions.
|
||||
Attempting to write "allow" to the file will result in
|
||||
.BR EINVAL
|
||||
being returned.
|
||||
.SH RETURN VALUE
|
||||
|
|
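Review bot: The lines around the rewrapped sentence use .BR with a single argument (".BR SECCOMP_RET_ALLOW", ".BR EINVAL"). With one argument .BR renders the same as .B, so this is a style point only: the alternating-font macro suggests that a roman suffix was intended and then lost. Since the commit is limited to rewrapping, a follow-up that switches the single-argument cases to .B would keep this diff whitespace-only while making the markup say what it means.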