mirror of https://github.com/mkerrisk/man-pages
seccomp.2: Describe use of 'instruction_pointer' data field
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 944a31e27f
commit 712551eaad
@ -306,6 +306,20 @@ but also to explicitly reject all system calls that contain
|
|||
in
|
||||
.IR nr .
|
||||
|
||||
The
|
||||
.I instruction_pointer
|
||||
field provides the address of the machine-language instruction that
|
||||
performed the system call.
|
||||
This might be useful in conjunction with the use of
|
||||
.I /proc/[pid]/maps
|
||||
to perform checks based on which region (mapping) of the program
|
||||
made the system call.
|
||||
(Probably, it is wise to lock down the
|
||||
.BR mmap (2)
|
||||
and
|
||||
.BR mprotect (2)
|
||||
system calls to prevent the program from subverting such checks.)
|
||||
|
||||
When checking values from
|
||||
.IR args
|
||||
against a blacklist, keep in mind that arguments are often
|
||||
|
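Review bot: The new paragraph on `.I instruction_pointer` should make explicit that the filter itself has no access to `/proc/[pid]/maps`; a BPF filter can only compare the instruction pointer against constant address ranges baked into the program when it is installed, so the check works by consulting the mappings before calling `seccomp(2)` and encoding the permitted ranges into the filter. Consider also dropping the hedge in "(Probably, it is wise to lock down the ... system calls ...)" and stating directly that `mmap(2)` and `mprotect(2)` must be restricted, since otherwise the program can simply map new executable memory inside an allowed range or remap a disallowed region, which defeats the check. Finally, it would help the reader to mention that the address comparison must be made on the full `instruction_pointer` value (it is a `__u64`, while `args` are also 64-bit) so that 32-bit truncation cannot be used to slip past a range test.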
@ -777,6 +791,7 @@ main(int argc, char **argv)
|
|||
.BR prctl (2),
|
||||
.BR ptrace (2),
|
||||
.BR sigaction (2),
|
||||
.BR proc (5),
|
||||
.BR signal (7),
|
||||
.BR socket (7)
|
||||
.sp
|
||||
|
|
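Review bot: Adding `.BR proc (5),` to the SEE ALSO list is consistent with the new reference to `/proc/[pid]/maps` in the main text, and its position (after the section 2 entries, before `signal (7)`) follows the man-pages ordering of cross-references by section number and then name, so no change needed here beyond noting that the first hunk's `.I /proc/[pid]/maps` reference and this entry should stay in step if either is later reworded.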