seccomp.2: Document the SECCOMP_GET_ACTION_AVAIL operation added in Linux 4.14

Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-10-26 04:11:40 +00:00 · 2017-10-26 04:11:40 +00:00 · 6d1728dad1
parent 2577dbba2b
commit 6d1728dad1
1 changed files with 18 additions and 0 deletions
--- a/man2/seccomp.2
+++ b/man2/seccomp.2
@ -206,6 +206,17 @@ Synchronization will fail if another thread in the same process is in
 or if it has attached new seccomp filters to itself,
 diverging from the calling thread's filter tree.
 .RE
+.TP
+.BR SECCOMP_GET_ACTION_AVAIL " (since Linux 4.14)"
+.\" commit d612b1fd8010d0d67b5287fe146b8b55bcbb8655
+Test to see if an action is supported by the kernel. This operation is helpful to confirm that the kernel knows of a more recently added filter return action since the kernel treats all unknown actions as
+.BR SECCOMP_RET_KILL .
+.IP
+The value of
+.IR flags
+must be 0, and
+.IR args
+must be a pointer to an unsigned 32-bit filter return action.
 .SS Filters
 When adding filters via
 .BR SECCOMP_SET_MODE_FILTER ,
@ -611,6 +622,13 @@ Note that for the purposes of calculating this limit,
 each already existing filter program incurs an
 overhead penalty of 4 instructions.
 .TP
+.BR EOPNOTSUPP
+.I operation
+specified
+.BR SECCOMP_GET_ACTION_AVAIL ,
+but the kernel does not support the filter return action specified by
+.IR args .
+.TP
 .BR ESRCH
 Another thread caused a failure during thread sync, but its ID could not
 be determined.