seccomp.2: Switch to "considerate language"

Thanks-to: https://twitter.com/expensivestevie
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2019-10-28 12:40:36 +01:00
parent 16853a31ee
commit 462ce23d49
1 changed files with 7 additions and 7 deletions

@ -309,13 +309,13 @@ it is usually necessary to verify the value of the
.IR arch .IR arch
field. field.
.PP .PP
It is strongly recommended to use a whitelisting approach whenever It is strongly recommended to use an allow-list approach whenever
possible because such an approach is more robust and simple. possible because such an approach is more robust and simple.
A blacklist will have to be updated whenever a potentially A deny-list will have to be updated whenever a potentially
dangerous system call is added (or a dangerous flag or option if those dangerous system call is added (or a dangerous flag or option if those
are blacklisted), and it is often possible to alter the are deny-listed), and it is often possible to alter the
representation of a value without altering its meaning, leading to representation of a value without altering its meaning, leading to
a blacklist bypass. a deny-list bypass.
See also See also
.IR Caveats .IR Caveats
below. below.
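Review bot: "allow-list" and "deny-list" appear in this paragraph without any statement of what is being listed, and the second term is then used three ways in as many sentences (the noun "A deny-list", the verb "are deny-listed", and "a deny-list bypass"). Because this is the paragraph that carries the recommendation, consider glossing each term once where it first appears here, for example "an allow-list approach (permit only the system calls that are explicitly listed)", so readers who know the older wording are not left guessing. The article change from "a" to "an" on the first changed line is correct and the hyphenation is consistent across the paragraph.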
@ -343,7 +343,7 @@ is used on the system call number to tell the two ABIs apart.
.\" so that the syscall table indexing still works. .\" so that the syscall table indexing still works.
.PP .PP
This means that in order to create a seccomp-based This means that in order to create a seccomp-based
blacklist for system calls performed through the x86-64 ABI, deny-list for system calls performed through the x86-64 ABI,
it is necessary to not only check that it is necessary to not only check that
.IR arch .IR arch
equals equals
@ -369,7 +369,7 @@ system calls to prevent the program from subverting such checks.)
.PP .PP
When checking values from When checking values from
.IR args .IR args
against a blacklist, keep in mind that arguments are often against a deny-list, keep in mind that arguments are often
silently truncated before being processed, but after the seccomp check. silently truncated before being processed, but after the seccomp check.
For example, this happens if the i386 ABI is used on an For example, this happens if the i386 ABI is used on an
x86-64 kernel: although the kernel will normally not look beyond x86-64 kernel: although the kernel will normally not look beyond
@ -1047,7 +1047,7 @@ install_filter(int syscall_nr, int t_arch, int f_errno)
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, nr))), (offsetof(struct seccomp_data, nr))),
/* [3] Check ABI - only needed for x86-64 in blacklist use /* [3] Check ABI - only needed for x86-64 in deny-list use
cases. Use BPF_JGT instead of checking against the bit cases. Use BPF_JGT instead of checking against the bit
mask to avoid having to reload the syscall number. */ mask to avoid having to reload the syscall number. */
BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0), BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),
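Review bot: The [3] comment still says the ABI check is "only needed for x86-64 in deny-list use cases" without pointing to the reason, and someone copying the example program will see only this comment. A short reference to the prose touched in the hunk at line 343 ("is used on the system call number to tell the two ABIs apart") would show what is lost if the BPF_JGT test against upper_nr_limit is dropped. The word swap itself keeps the comment's wrapping intact, so nothing else in this hunk needs to move.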