mirror of https://github.com/mkerrisk/man-pages
seccomp_unotify.2: NOTES: describe an example use-case
The container manager use case was the original motivation for this feature. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
b8360d3701
commit
9688ea78cb
|
@ -634,6 +634,29 @@ or the target has terminated.
|
|||
.\" whether the target thread has picked up the response yet
|
||||
.RE
|
||||
.SH NOTES
|
||||
One example use case for the user-space notification
|
||||
mechanism is to allow a container manager
|
||||
(a process which is typically running with more privilege than
|
||||
the processes inside the container)
|
||||
to mount block devices or create device nodes for the container.
|
||||
The mount use case provides an example of where the
|
||||
.BR SECCOMP_USER_NOTIF_FLAG_CONTINUE
|
||||
.BR ioctl (2)
|
||||
operation is useful.
|
||||
Upon receiving a notification for the
|
||||
.BR mount (2)
|
||||
system call, the container manager (the "supervisor") can distinguish
|
||||
a request to mount a block filesystem
|
||||
(which would not be possible for a "target" process inside the container)
|
||||
and mount that file system.
|
||||
If, on the other hand, the container manager detects that the operation
|
||||
could be performed by the process inside the container
|
||||
(e.g., a mount of a
|
||||
.BR tmpfs (5)
|
||||
filesystem), it can notify the kernel that the target process's
|
||||
.BR mount (2)
|
||||
system call can continue.
|
||||
.\"
|
||||
.SS select()/poll()/epoll semantics
|
||||
The file descriptor returned when
|
||||
.BR seccomp (2)
|
||||
|
|
Loading…
Reference in New Issue