mirror of https://github.com/mkerrisk/man-pages
seccomp.2: Switch to "considerate language"
Thanks-to: https://twitter.com/expensivestevie
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent 16853a31ee
commit 462ce23d49
|
@ -309,13 +309,13 @@ it is usually necessary to verify the value of the
|
||||||
.IR arch
|
.IR arch
|
||||||
field.
|
field.
|
||||||
.PP
|
.PP
|
||||||
It is strongly recommended to use a whitelisting approach whenever
|
It is strongly recommended to use an allow-list approach whenever
|
||||||
possible because such an approach is more robust and simple.
|
possible because such an approach is more robust and simple.
|
||||||
A blacklist will have to be updated whenever a potentially
|
A deny-list will have to be updated whenever a potentially
|
||||||
dangerous system call is added (or a dangerous flag or option if those
|
dangerous system call is added (or a dangerous flag or option if those
|
||||||
are blacklisted), and it is often possible to alter the
|
are deny-listed), and it is often possible to alter the
|
||||||
representation of a value without altering its meaning, leading to
|
representation of a value without altering its meaning, leading to
|
||||||
a blacklist bypass.
|
a deny-list bypass.
|
||||||
See also
|
See also
|
||||||
.IR Caveats
|
.IR Caveats
|
||||||
below.
|
below.
|
||||||
|
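Review bot: the article is correctly adjusted along with the noun ("a whitelisting approach" becomes "an allow-list approach"), and the hyphenated forms "allow-list" / "deny-list" agree with the verb form "deny-listed" used three lines later in the same paragraph. Since the commit message presents this as a page-wide switch, the same hyphenated spelling should be applied to any occurrences outside this hunk, starting with the Caveats section this paragraph refers the reader to via `.IR Caveats` / "below", so the page does not end up mixing "deny-list" with an unhyphenated or legacy term.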
@ -343,7 +343,7 @@ is used on the system call number to tell the two ABIs apart.
|
||||||
.\" so that the syscall table indexing still works.
|
.\" so that the syscall table indexing still works.
|
||||||
.PP
|
.PP
|
||||||
This means that in order to create a seccomp-based
|
This means that in order to create a seccomp-based
|
||||||
blacklist for system calls performed through the x86-64 ABI,
|
deny-list for system calls performed through the x86-64 ABI,
|
||||||
it is necessary to not only check that
|
it is necessary to not only check that
|
||||||
.IR arch
|
.IR arch
|
||||||
equals
|
equals
|
||||||
|
@ -369,7 +369,7 @@ system calls to prevent the program from subverting such checks.)
|
||||||
.PP
|
.PP
|
||||||
When checking values from
|
When checking values from
|
||||||
.IR args
|
.IR args
|
||||||
against a blacklist, keep in mind that arguments are often
|
against a deny-list, keep in mind that arguments are often
|
||||||
silently truncated before being processed, but after the seccomp check.
|
silently truncated before being processed, but after the seccomp check.
|
||||||
For example, this happens if the i386 ABI is used on an
|
For example, this happens if the i386 ABI is used on an
|
||||||
x86-64 kernel: although the kernel will normally not look beyond
|
x86-64 kernel: although the kernel will normally not look beyond
|
||||||
|
@ -1047,7 +1047,7 @@ install_filter(int syscall_nr, int t_arch, int f_errno)
|
||||||
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
|
||||||
(offsetof(struct seccomp_data, nr))),
|
(offsetof(struct seccomp_data, nr))),
|
||||||
|
|
||||||
/* [3] Check ABI - only needed for x86-64 in blacklist use
|
/* [3] Check ABI - only needed for x86-64 in deny-list use
|
||||||
cases. Use BPF_JGT instead of checking against the bit
|
cases. Use BPF_JGT instead of checking against the bit
|
||||||
mask to avoid having to reload the syscall number. */
|
mask to avoid having to reload the syscall number. */
|
||||||
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),
|
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),
|
||||||
|
|
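Review bot: the spelling in this C comment ("deny-list") matches the prose hunks, so the example program and the text stay consistent, and the two-line wrap of the comment is preserved so the listing still fits the page width. The `BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0)` the comment describes is untouched, which is correct for a wording-only change; the comment still accurately explains why the upper-bound compare is used instead of re-loading the syscall number.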