mirror of https://github.com/mkerrisk/man-pages
seccomp_unotify.2: Document SECCOMP_ADDFD_FLAG_SEND
This flag was recently added to Linux 5.14 by a patch I wrote:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0ae71c7720e3ae3aabd2e8a072d27f7bd173d25c

This patch adds documentation for the flag, the error code that the flag added, and explains in the caveat when it is useful.

Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent 6131983d24
commit 3e2656812f
@ -739,6 +739,17 @@ When allocating the file descriptor in the target,
|
||||||
use the file descriptor number specified in the
|
use the file descriptor number specified in the
|
||||||
.I newfd
|
.I newfd
|
||||||
field.
|
field.
|
||||||
|
.TP
|
||||||
|
.BR SECCOMP_ADDFD_FLAG_SEND
|
||||||
|
Available since Linux 5.14, combines the
|
||||||
|
.B SECCOMP_IOCTL_NOTIF_ADDFD
|
||||||
|
ioctl with
|
||||||
|
.B SECCOMP_IOCTL_NOTIF_SEND
|
||||||
|
into an atomic operation. On successful invocation, the target process's
|
||||||
|
errno will be 0 and the return value will be the file descriptor number that was
|
||||||
|
installed in the target. If allocating the file descriptor in the tatget fails,
|
||||||
|
the target's syscall continues to be blocked until a successful response is
|
||||||
|
sent.
|
||||||
.RE
|
.RE
|
||||||
.TP
|
.TP
|
||||||
.I srcfd
|
.I srcfd
|
||||||
|
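Review bot: typo in the added flag description, "If allocating the file descriptor in the tatget fails" should read "in the target fails". Two style points on the same block: man-pages source puts each new sentence on its own line, so "into an atomic operation. On successful invocation, the target process's" should be split after the full stop (and likewise "installed in the target. If allocating ..."), and the single-argument `.BR SECCOMP_ADDFD_FLAG_SEND` is conventionally written `.B SECCOMP_ADDFD_FLAG_SEND`, matching the `.B SECCOMP_IOCTL_NOTIF_ADDFD` and `.B SECCOMP_IOCTL_NOTIF_SEND` lines that follow it. The behaviour described (errno 0 and the installed fd number returned to the target on success; the target stays blocked if installing the fd fails) is the useful part and reads correctly.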
@ -801,6 +812,13 @@ Allocating the file descriptor in the target would cause the target's
|
||||||
limit to be exceeded (see
|
limit to be exceeded (see
|
||||||
.BR getrlimit (2)).
|
.BR getrlimit (2)).
|
||||||
.TP
|
.TP
|
||||||
|
.B EBUSY
|
||||||
|
If the flag
|
||||||
|
.B SECCOMP_IOCTL_NOTIF_SEND
|
||||||
|
is used, this means the operation can't proceed until other
|
||||||
|
.B SECCOMP_IOCTL_NOTIF_ADDFD
|
||||||
|
requests are processed.
|
||||||
|
.TP
|
||||||
.B EINPROGRESS
|
.B EINPROGRESS
|
||||||
The user-space notification specified in the
|
The user-space notification specified in the
|
||||||
.I id
|
.I id
|
||||||
|
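Review bot: the new EBUSY entry names the wrong identifier: "If the flag SECCOMP_IOCTL_NOTIF_SEND is used" refers to an ioctl request, not a flag; the flag introduced by this patch is SECCOMP_ADDFD_FLAG_SEND, so the line should read `.B SECCOMP_ADDFD_FLAG_SEND`. As written, a reader checking errno against the ERRORS section would look for the wrong constant. Minor: "can't" should be "cannot" to match the formal register of the surrounding entries.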
@ -1131,6 +1149,14 @@ that would
|
||||||
normally be restarted by the
|
normally be restarted by the
|
||||||
.BR SA_RESTART
|
.BR SA_RESTART
|
||||||
flag.
|
flag.
|
||||||
|
.PP
|
||||||
|
Furthermore, if the supervisor response is a file descriptor
|
||||||
|
added with
|
||||||
|
.B SECCOMP_IOCTL_NOTIF_ADDFD,
|
||||||
|
then the flag
|
||||||
|
.B SECCOMP_ADDFD_FLAG_SEND
|
||||||
|
can be used to atomically add the file descriptor and return that value,
|
||||||
|
making sure no file descriptors are inadvertently leaked into the target.
|
||||||
.\" FIXME
|
.\" FIXME
|
||||||
.\" About the above, Kees Cook commented:
|
.\" About the above, Kees Cook commented:
|
||||||
.\"
|
.\"
|
||||||
|
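Review bot: the caveat paragraph says the flag avoids inadvertently leaking file descriptors into the target but never states how the leak would otherwise occur; since this paragraph sits directly after the discussion of the target's system call being interrupted by a signal (the SA_RESTART context above), one sentence explaining that a separate SECCOMP_IOCTL_NOTIF_ADDFD followed by SECCOMP_IOCTL_NOTIF_SEND can leave the fd installed while the target's system call has already been interrupted would make the recommendation self-explanatory. Also, `.B SECCOMP_IOCTL_NOTIF_ADDFD,` sets the trailing comma in bold; the man-pages convention is `.BR SECCOMP_IOCTL_NOTIF_ADDFD ,` so only the identifier is bold.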