seccomp.2: Reword discussion of PR_SET_NO_NEW_PRIVS

This commit is contained in:
Michael Kerrisk 2014-11-02 09:40:24 +01:00
parent d06d25cc28
commit 955efdbcc1
1 changed files with 10 additions and 5 deletions


@ -100,12 +100,17 @@ is allowed by the filter,
the filters and constraints on permitted system calls are preserved across an
.BR execve (2).
Prior to using this operation, the process must call
.IR "prctl(PR_SET_NO_NEW_PRIVS,\ 1)"
or run with
In order to use the
.BR SECCOMP_SET_MODE_FILTER
operation, either the caller must have the
.BR CAP_SYS_ADMIN
privileges in its namespace.
If these are not true, the call will fail and return
capability or the call must be preceded by the call:
prctl(PR_SET_NO_NEW_PRIVS, 1);
Otherwise, the
.BR SECCOMP_SET_MODE_FILTER
operation will fail and return
.BR EACCES
in
.IR errno .
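Review bot: the rewritten sentence drops the qualification carried by the removed line "privileges in its namespace." and now states the CAP_SYS_ADMIN requirement without saying where the capability must be held; suggest "operation, either the caller must have the .BR CAP_SYS_ADMIN capability in its user namespace, or the call must be preceded by". The phrase "the call must be preceded by the call:" also repeats "call"; "must be preceded by a call to" reads better. Finally, the line "prctl(PR_SET_NO_NEW_PRIVS, 1);" is bare text between roff requests, unlike the ".IR" form it replaces, so it will be filled into the surrounding paragraph; wrap it in .IR or set it off with .PP/.in so it renders as a code line.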