seccomp.2: Rewrap long source lines and on sentence breaks

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2017-11-09 13:24:01 +01:00
parent b0bd99827c
commit 1e94218cbd
1 changed files with 22 additions and 12 deletions

@ -210,14 +210,19 @@ diverging from the calling thread's filter tree.
.\" commit e66a39977985b1e69e17c4042cb290768eca9b02
All filter return actions except
.BR SECCOMP_RET_ALLOW
should be logged. An administrator may override this filter flag by preventing specific actions from being logged via the
should be logged.
An administrator may override this filter flag by preventing specific
actions from being logged via the
.IR /proc/sys/kernel/seccomp/actions_logged
file.
.RE
.TP
.BR SECCOMP_GET_ACTION_AVAIL " (since Linux 4.14)"
.\" commit d612b1fd8010d0d67b5287fe146b8b55bcbb8655
Test to see if an action is supported by the kernel. This operation is helpful to confirm that the kernel knows of a more recently added filter return action since the kernel treats all unknown actions as
Test to see if an action is supported by the kernel.
This operation is helpful to confirm that the kernel knows
of a more recently added filter return action
since the kernel treats all unknown actions as
.BR SECCOMP_RET_KILL .
.IP
The value of
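Review bot: the two removed long lines carried "logged. An administrator" and "kernel. This operation" mid-line with a single space, which roff does not recognise as a sentence end, so starting each sentence on its own source line can change the inter-sentence spacing of the rendered page. That makes this more than a source-only rewrap; consider saying so in the commit message, or confirm by comparing the formatted output before and after.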
@ -510,8 +515,9 @@ ptracers can use this mechanism to escape from the seccomp sandbox.)
.TP
.BR SECCOMP_RET_LOG " (since Linux 4.14)"
.\" commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4
This value results in the system call being executed after the filter return
action is logged. An administrator may override the logging of this action via
This value results in the system call being executed after
the filter return action is logged.
An administrator may override the logging of this action via
the
.IR /proc/sys/kernel/seccomp/actions_logged
file.
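Review bot: under SECCOMP_RET_LOG the added line "An administrator may override the logging of this action via" still leaves the unchanged "the" alone on the following source line. Folding it into the added line ("An administrator may override the logging of this action via the") stays within the line length and removes the one-word line.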
@ -525,22 +531,25 @@ provide additional seccomp information and configuration:
.TP
.IR actions_avail " (since Linux 4.14)"
.\" commit 8e5f1ad116df6b0de65eac458d5e7c318d1c05af
A read-only ordered list of seccomp filter return actions in string form. The
ordering, from left-to-right, is in decreasing order of precedence. The list
represents the set of seccomp filter return actions supported by the kernel.
A read-only ordered list of seccomp filter return actions in string form.
The ordering, from left-to-right, is in decreasing order of precedence.
The list represents the set of seccomp filter return actions
supported by the kernel.
.TP
.IR actions_logged " (since Linux 4.14)"
.\" commit 0ddec0fc8900201c0897b87b762b7c420436662f
A read-write ordered list of seccomp filter return actions that are allowed to
be logged. Writes to the file do not need to be in ordered form but reads from
A read-write ordered list of seccomp filter return actions that
are allowed to be logged.
Writes to the file do not need to be in ordered form but reads from
the file will be ordered in the same way as the
.IR actions_avail
file.
.IP
It is important to note that the value of
.IR actions_logged
does not prevent certain filter return actions from being logged when the audit
subsystem is configured to audit a task. If the action is not found in the
does not prevent certain filter return actions from being logged when
the audit subsystem is configured to audit a task.
If the action is not found in the
.IR actions_logged
file, the final decision on whether to audit the action for that task is
ultimately left up to the audit subsystem to decide for all filter return
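Review bot: in the actions_logged entry the added line "Writes to the file do not need to be in ordered form but reads from" still breaks in the middle of a clause, and the unchanged lines beginning "file, the final decision" remain fill-wrapped although the start of that sentence was rewrapped. Breaking before "but reads from" and rewrapping the tail of the last sentence at clause boundaries would make the paragraph consistent with the rest of the change.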
@ -551,7 +560,8 @@ The "allow" string is not accepted in the
.IR actions_logged
file as it is not possible to log
.BR SECCOMP_RET_ALLOW
actions. Attempting to write "allow" to the file will result in
actions.
Attempting to write "allow" to the file will result in
.BR EINVAL
being returned.
.SH RETURN VALUE