From 1e94218cbd677e2d8eef0fea6f7d1fcbc4ec06e3 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Thu, 9 Nov 2017 13:24:01 +0100 Subject: [PATCH] seccomp.2: Rewrap long source lines and on sentence breaks Signed-off-by: Michael Kerrisk --- man2/seccomp.2 | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/man2/seccomp.2 b/man2/seccomp.2 index 99b33cbb1..0fdb9a4d3 100644 --- a/man2/seccomp.2 +++ b/man2/seccomp.2 @@ -210,14 +210,19 @@ diverging from the calling thread's filter tree. .\" commit e66a39977985b1e69e17c4042cb290768eca9b02 All filter return actions except .BR SECCOMP_RET_ALLOW -should be logged. An administrator may override this filter flag by preventing specific actions from being logged via the +should be logged. +An administrator may override this filter flag by preventing specific +actions from being logged via the .IR /proc/sys/kernel/seccomp/actions_logged file. .RE .TP .BR SECCOMP_GET_ACTION_AVAIL " (since Linux 4.14)" .\" commit d612b1fd8010d0d67b5287fe146b8b55bcbb8655 -Test to see if an action is supported by the kernel. This operation is helpful to confirm that the kernel knows of a more recently added filter return action since the kernel treats all unknown actions as +Test to see if an action is supported by the kernel. +This operation is helpful to confirm that the kernel knows +of a more recently added filter return action +since the kernel treats all unknown actions as .BR SECCOMP_RET_KILL . .IP The value of 
@@ -510,8 +515,9 @@ ptracers can use this mechanism to escape from the seccomp sandbox.) .TP .BR SECCOMP_RET_LOG " (since Linux 4.14)" .\" commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4 -This value results in the system call being executed after the filter return -action is logged. An administrator may override the logging of this action via +This value results in the system call being executed after +the filter return action is logged. +An administrator may override the logging of this action via the .IR /proc/sys/kernel/seccomp/actions_logged file. 
@@ -525,22 +531,25 @@ provide additional seccomp information and configuration: .TP .IR actions_avail " (since Linux 4.14)" .\" commit 8e5f1ad116df6b0de65eac458d5e7c318d1c05af -A read-only ordered list of seccomp filter return actions in string form. The -ordering, from left-to-right, is in decreasing order of precedence. The list -represents the set of seccomp filter return actions supported by the kernel. +A read-only ordered list of seccomp filter return actions in string form. +The ordering, from left-to-right, is in decreasing order of precedence. +The list represents the set of seccomp filter return actions +supported by the kernel. .TP .IR actions_logged " (since Linux 4.14)" .\" commit 0ddec0fc8900201c0897b87b762b7c420436662f -A read-write ordered list of seccomp filter return actions that are allowed to -be logged. Writes to the file do not need to be in ordered form but reads from +A read-write ordered list of seccomp filter return actions that +are allowed to be logged. +Writes to the file do not need to be in ordered form but reads from the file will be ordered in the same way as the .IR actions_avail file. .IP It is important to note that the value of .IR actions_logged -does not prevent certain filter return actions from being logged when the audit -subsystem is configured to audit a task. If the action is not found in the +does not prevent certain filter return actions from being logged when +the audit subsystem is configured to audit a task. +If the action is not found in the .IR actions_logged file, the final decision on whether to audit the action for that task is ultimately left up to the audit subsystem to decide for all filter return @@ -551,7 +560,8 @@ The "allow" string is not accepted in the .IR actions_logged file as it is not possible to log .BR SECCOMP_RET_ALLOW -actions. Attempting to write "allow" to the file will result in +actions. +Attempting to write "allow" to the file will result in .BR EINVAL being returned. .SH RETURN VALUE
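Review bot: In the @@ -510,8 +515,9 @@ hunk (SECCOMP_RET_LOG), the added line "An administrator may override the logging of this action via" is still followed by an unchanged context line that holds only the word "the". Since the paragraph is being rewrapped anyway, pull that word up so the added line ends "... of this action via the" and the .IR line follows directly. That also matches how the same sentence is wrapped in the @@ -210,14 +210,19 @@ hunk ("actions from being logged via the").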
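Review bot: In the @@ -525,22 +531,25 @@ hunk, under actions_logged, the added line "Writes to the file do not need to be in ordered form but reads from" ends mid-clause, and the sentence continues on the untouched context line "the file will be ordered in the same way as the". To stay consistent with the sentence and clause breaks applied elsewhere in this patch, break before "but" instead, so that the lines read "Writes to the file do not need to be in ordered form" and "but reads from the file will be ordered in the same way as the". This means touching the context line too, which is within the scope of a rewrap-only commit.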