mirror of https://github.com/mkerrisk/man-pages
seccomp.2: Minor fixes
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
90c6777a67
commit
50b4bc2378
111
man2/seccomp.2
111
man2/seccomp.2
|
@ -26,8 +26,7 @@
|
|||
.\"
|
||||
.TH SECCOMP 2 2014-06-23 "Linux" "Linux Programmer's Manual"
|
||||
.SH NAME
|
||||
seccomp \-
|
||||
operate on Secure Computing state of the process
|
||||
seccomp \- operate on Secure Computing state of the process
|
||||
.SH SYNOPSIS
|
||||
.nf
|
||||
.B #include <linux/seccomp.h>
|
||||
|
@ -36,21 +35,21 @@ operate on Secure Computing state of the process
|
|||
.B #include <linux/signal.h>
|
||||
.B #include <sys/ptrace.h>
|
||||
|
||||
.BI "int seccomp(unsigned int " operation ", unsigned int " flags ,
|
||||
.BI " void *" args );
|
||||
.BI "int seccomp(unsigned int " operation ", unsigned int " flags \
|
||||
", void *" args );
|
||||
.fi
|
||||
.SH DESCRIPTION
|
||||
The
|
||||
.BR seccomp ()
|
||||
system call operates on the Secure Computing (seccomp) state of the
|
||||
current process.
|
||||
calling process.
|
||||
|
||||
Currently, Linux supports the following
|
||||
.IR operation
|
||||
values:
|
||||
.TP
|
||||
.BR SECCOMP_SET_MODE_STRICT
|
||||
Only system calls that the thread is permitted to make are
|
||||
The only system calls that the thread is permitted to make are
|
||||
.BR read (2),
|
||||
.BR write (2),
|
||||
.BR _exit (2),
|
||||
|
@ -72,8 +71,9 @@ must be 0, and
|
|||
.IR args
|
||||
must be NULL.
|
||||
|
||||
This operation is functionally identical to calling
|
||||
.IR "prctl(PR_SET_SECCOMP,\ SECCOMP_MODE_STRICT)" .
|
||||
This operation is functionally identical to the call:
|
||||
|
||||
prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
|
||||
.TP
|
||||
.BR SECCOMP_SET_MODE_FILTER
|
||||
The system calls allowed are defined by a pointer to a Berkeley Packet
|
||||
|
@ -82,7 +82,8 @@ Filter (BPF) passed via
|
|||
This argument is a pointer to
|
||||
.IR "struct\ sock_fprog" ;
|
||||
it can be designed to filter arbitrary system calls and system call
|
||||
arguments. If the filter is invalid, the call will fail, returning
|
||||
arguments.
|
||||
If the filter is invalid, the call will fail, returning
|
||||
.BR EACCESS
|
||||
in
|
||||
.IR errno .
|
||||
|
@ -99,8 +100,8 @@ Prior to using this operation, the process must call
|
|||
.IR "prctl(PR_SET_NO_NEW_PRIVS,\ 1)"
|
||||
or run with
|
||||
.BR CAP_SYS_ADMIN
|
||||
privileges in its namespace. If these are not true, the call will fail
|
||||
and return
|
||||
privileges in its namespace.
|
||||
If these are not true, the call will fail and return
|
||||
.BR EACCES
|
||||
in
|
||||
.IR errno .
|
||||
|
@ -115,14 +116,17 @@ is allowed by the attached filter, additional filters may be layered on
|
|||
which will increase evaluation time, but allow for further reduction of
|
||||
the attack surface during execution of a process.
|
||||
|
||||
This operation is available only if the kernel is configured with
|
||||
The
|
||||
.BR SECCOMP_SET_MODE_FILTER
|
||||
operation is available only if the kernel is configured with
|
||||
.BR CONFIG_SECCOMP_FILTER
|
||||
enabled.
|
||||
|
||||
When
|
||||
.IR flags
|
||||
are 0, this operation is functionally identical to calling
|
||||
.IR "prctl(PR_SET_SECCOMP,\ SECCOMP_MODE_FILTER,\ args)" .
|
||||
is 0, this operation is functionally identical to the call:
|
||||
|
||||
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);
|
||||
|
||||
The recognized
|
||||
.IR flags
|
||||
|
@ -131,13 +135,14 @@ are:
|
|||
.TP
|
||||
.BR SECCOMP_FILTER_FLAG_TSYNC
|
||||
When adding a new filter, synchronize all other threads of the current
|
||||
process to the same seccomp filter tree. If any thread cannot do this,
|
||||
the call will not attach the new seccomp filter, and will fail returning
|
||||
the first thread ID found that cannot synchronize. Synchronization will
|
||||
fail if another thread is in
|
||||
process to the same seccomp filter tree.
|
||||
If any thread cannot do this,
|
||||
the call will not attach the new seccomp filter,
|
||||
and will fail, returning the first thread ID found that cannot synchronize.
|
||||
Synchronization will fail if another thread is in
|
||||
.BR SECCOMP_MODE_STRICT
|
||||
or if it has attached new seccomp filters to itself, diverging from the
|
||||
calling thread's filter tree.
|
||||
or if it has attached new seccomp filters to itself,
|
||||
diverging from the calling thread's filter tree.
|
||||
.RE
|
||||
.SH FILTERS
|
||||
When adding filters via
|
||||
|
@ -181,9 +186,11 @@ struct seccomp_data {
|
|||
.fi
|
||||
.in
|
||||
|
||||
A seccomp filter may return any of the following values. If multiple
|
||||
filters exist, the return value for the evaluation of a given system
|
||||
call will always use the highest precedent value. (For example,
|
||||
A seccomp filter may return any of the following values.
|
||||
If multiple filters exist,
|
||||
the return value for the evaluation of a given system
|
||||
call will always use the highest precedent value.
|
||||
(For example,
|
||||
.BR SECCOMP_RET_KILL
|
||||
will always take precedence.)
|
||||
|
||||
|
@ -191,8 +198,8 @@ In precedence order, they are:
|
|||
.TP
|
||||
.BR SECCOMP_RET_KILL
|
||||
Results in the task exiting immediately without executing the
|
||||
system call. The exit status of the task (status & 0x7f) will
|
||||
be
|
||||
system call.
|
||||
The exit status of the task (status & 0x7f) will be
|
||||
.BR SIGSYS ,
|
||||
not
|
||||
.BR SIGKILL .
|
||||
|
@ -206,10 +213,11 @@ will show the address of the system call instruction, and
|
|||
.IR siginfo\->si_syscall
|
||||
and
|
||||
.IR siginfo\->si_arch
|
||||
will indicate which syscall was attempted. The program counter will be
|
||||
as though the syscall happened (i.e. it will not point to the syscall
|
||||
instruction). The return value register will contain an arch\-dependent
|
||||
value; if resuming execution, set it to something sensible.
|
||||
will indicate which syscall was attempted.
|
||||
The program counter will be as though the system call happened
|
||||
(i.e., it will not point to the syscall instruction).
|
||||
The return value register will contain an architecture\-dependent value;
|
||||
if resuming execution, set it to something sensible.
|
||||
(The architecture dependency is because replacing it with
|
||||
.BR ENOSYS
|
||||
could overwrite some useful information.)
|
||||
|
@ -233,8 +241,8 @@ without executing the system call.
|
|||
.TP
|
||||
.BR SECCOMP_RET_TRACE
|
||||
When returned, this value will cause the kernel to attempt to
|
||||
notify a ptrace()-based tracer prior to executing the system
|
||||
call. If there is no tracer present,
|
||||
notify a ptrace()-based tracer prior to executing the system call.
|
||||
If there is no tracer present,
|
||||
.BR ENOSYS
|
||||
is returned to userland and the system call is not executed.
|
||||
|
||||
|
@ -250,17 +258,19 @@ portion of the BPF program return value will be available to the tracer
|
|||
via
|
||||
.BR PTRACE_GETEVENTMSG .
|
||||
|
||||
The tracer can skip the system call by changing the syscall number
|
||||
to \-1. Alternatively, the tracer can change the system call
|
||||
requested by changing the system call to a valid syscall number. If
|
||||
the tracer asks to skip the system call, then the system call will
|
||||
appear to return the value that the tracer puts in the return value
|
||||
register.
|
||||
The tracer can skip the system call by changing the system call number
|
||||
to \-1.
|
||||
Alternatively, the tracer can change the system call
|
||||
requested by changing the system call to a valid syscall number.
|
||||
If the tracer asks to skip the system call, then the system call will
|
||||
appear to return the value that the tracer puts in the return value register.
|
||||
|
||||
The seccomp check will not be run again after the tracer is
|
||||
notified. (This means that seccomp-based sandboxes MUST NOT
|
||||
allow use of ptrace, even of other sandboxed processes, without
|
||||
extreme care; ptracers can use this mechanism to escape.)
|
||||
The seccomp check will not be run again after the tracer is notified.
|
||||
(This means that seccomp-based sandboxes
|
||||
.B "must not"
|
||||
allow use of ptrace\(emeven of other
|
||||
sandboxed processes\(emwithout extreme care;
|
||||
ptracers can use this mechanism to escape.)
|
||||
.TP
|
||||
.BR SECCOMP_RET_ALLOW
|
||||
Results in the system call being executed.
|
||||
|
@ -280,8 +290,9 @@ On success,
|
|||
returns 0.
|
||||
On error, if
|
||||
.BR SECCOMP_FILTER_FLAG_TSYNC
|
||||
was used, the return value is the thread ID that caused the
|
||||
synchronization failure. On other errors, \-1 is returned, and
|
||||
was used,
|
||||
the return value is the thread ID that caused the synchronization failure.
|
||||
On other errors, \-1 is returned, and
|
||||
.IR errno
|
||||
is set to indicate the cause of the error.
|
||||
.SH ERRORS
|
||||
|
@ -289,7 +300,7 @@ is set to indicate the cause of the error.
|
|||
can fail for the following reasons:
|
||||
.TP
|
||||
.BR EACCESS
|
||||
the caller did not have the
|
||||
The caller did not have the
|
||||
.BR CAP_SYS_ADMIN
|
||||
capability, or had not set
|
||||
.IR no_new_privs
|
||||
|
@ -317,12 +328,11 @@ This system call first appeared in Linux 3.17.
|
|||
This system call is a nonstandard Linux extension.
|
||||
.SH NOTES
|
||||
.BR seccomp ()
|
||||
provides a superset of the functionality provided by
|
||||
provides a superset of the functionality provided by the
|
||||
.BR prctl (2)
|
||||
.IR PR_SET_SECCOMP
|
||||
of
|
||||
.BR prctl (2) .
|
||||
(Which does not support
|
||||
.IR flags .)
|
||||
operation (which does not support
|
||||
.IR flags ).
|
||||
.SH EXAMPLE
|
||||
.nf
|
||||
#include <errno.h>
|
||||
|
@ -391,10 +401,7 @@ int main(int argc, char **argv)
|
|||
}
|
||||
.fi
|
||||
.SH SEE ALSO
|
||||
.ad l
|
||||
.nh
|
||||
.BR prctl (2),
|
||||
.BR ptrace (2),
|
||||
.BR signal (7),
|
||||
.BR socket (7)
|
||||
.ad
|
||||
|
|
Loading…
Reference in New Issue