prctl.2: Rewrite the description of PR_SET_SECCOMP to defer to seccomp(2)

There is a lot of unnecessary duplication of content of the seccomp
material in prctl(2) and seccomp(2).  Trevor Woerner also noted that
there is an error in prctl(2), where it says that the filters
"are run in order until the first non-allow result is seen", which
contradicts the correct statement in seccomp(2) that *all* filters
are executed.

So, rewrite the seccomp material in prctl(2) to strip out most of
the content duplicated in seccomp(2), and replace the removed
text with statements deferring to seccomp(2).

Reported-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2021-09-02 00:07:23 +02:00
parent 2da936fe2b
commit ae6b221882
1 changed files with 22 additions and 46 deletions


@ -1142,66 +1142,41 @@ The seccomp mode is selected via
.IR arg2 . .IR arg2 .
(The seccomp constants are defined in (The seccomp constants are defined in
.IR <linux/seccomp.h> .) .IR <linux/seccomp.h> .)
The following values can be specified:
.RS
.TP
.BR SECCOMP_MODE_STRICT " (since Linux 2.6.23)"
See the description of
.B SECCOMP_SET_MODE_STRICT
in
.BR seccomp (2).
.IP .IP
With
.IR arg2
set to
.BR SECCOMP_MODE_STRICT ,
the only system calls that the thread is permitted to make are
.BR read (2),
.BR write (2),
.BR _exit (2)
(but not
.BR exit_group (2)),
and
.BR sigreturn (2).
Other system calls result in the delivery of a
.BR SIGKILL
signal.
Strict secure computing mode is useful for number-crunching applications
that may need to execute untrusted byte code,
perhaps obtained by reading from a pipe or socket.
This operation is available only This operation is available only
if the kernel is configured with if the kernel is configured with
.B CONFIG_SECCOMP .B CONFIG_SECCOMP
enabled. enabled.
.IP .TP
With .BR SECCOMP_MODE_FILTER " (since Linux 3.5)"
.IR arg2 The allowed system calls are defined by a pointer
set to
.BR SECCOMP_MODE_FILTER " (since Linux 3.5),"
the system calls allowed are defined by a pointer
to a Berkeley Packet Filter passed in to a Berkeley Packet Filter passed in
.IR arg3 . .IR arg3 .
This argument is a pointer to This argument is a pointer to
.IR "struct sock_fprog" ; .IR "struct sock_fprog" ;
it can be designed to filter it can be designed to filter
arbitrary system calls and system call arguments. arbitrary system calls and system call arguments.
This mode is available only if the kernel is configured with See the description of
.B SECCOMP_SET_MODE_FILTER
in
.BR seccomp (2).
.IP
This operation is available only
if the kernel is configured with
.B CONFIG_SECCOMP_FILTER .B CONFIG_SECCOMP_FILTER
enabled. enabled.
.RE
.IP .IP
If For further details on seccomp filtering, see
.BR SECCOMP_MODE_FILTER .BR seccomp (2).
filters permit
.BR fork (2),
then the seccomp mode is inherited by children created by
.BR fork (2);
if
.BR execve (2)
is permitted, then the seccomp mode is preserved across
.BR execve (2).
If the filters permit
.BR prctl ()
calls, then additional filters can be added;
they are run in order until the first non-allow result is seen.
.IP
For further information, see the kernel source file
.IR Documentation/userspace\-api/seccomp_filter.rst
.\" commit c061f33f35be0ccc80f4b8e0aea5dfd2ed7e01a3
(or
.IR Documentation/prctl/seccomp_filter.txt
before Linux 4.13).
.\" prctl PR_GET_SECCOMP .\" prctl PR_GET_SECCOMP
.TP .TP
.BR PR_GET_SECCOMP " (since Linux 2.6.23)" .BR PR_GET_SECCOMP " (since Linux 2.6.23)"
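Review bot: the new closing paragraph "For further details on seccomp filtering, see seccomp(2)." (after the .RE) repeats the per-value deferrals added just above it ("See the description of SECCOMP_SET_MODE_STRICT in seccomp(2)." and the matching sentence for SECCOMP_SET_MODE_FILTER), so one of the two should go; dropping the closing paragraph and letting each entry end at its CONFIG_SECCOMP / CONFIG_SECCOMP_FILTER note reads most cleanly. Two smaller points on the same hunk: the deleted paragraph about the seccomp mode being inherited across fork(2) and preserved across execve(2) contained no error (only the "run in order until the first non-allow result is seen" sentence did, as the commit message says), and that inheritance behaviour is what a reader of PR_SET_SECCOMP most often needs, so either keep one sentence on it or make the deferral explicit, e.g. "see seccomp(2), including its description of how filters are inherited across fork(2) and execve(2)"; and "The allowed system calls are defined by a pointer to a Berkeley Packet Filter" still reads as though the filter can only allow calls, which sits oddly next to "it can be designed to filter arbitrary system calls and system call arguments"; since the sentence is being rewritten anyway, something like "The system calls the thread may make, and what happens when it makes others, are determined by a BPF program whose address is passed in arg3" matches what the next sentence describes.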
@ -1217,6 +1192,7 @@ If the caller is in filter mode, and this system call is allowed by the
seccomp filters, it returns 2; otherwise, the process is killed with a seccomp filters, it returns 2; otherwise, the process is killed with a
.BR SIGKILL .BR SIGKILL
signal. signal.
.IP
This operation is available only This operation is available only
if the kernel is configured with if the kernel is configured with
.B CONFIG_SECCOMP .B CONFIG_SECCOMP
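Review bot: the added .IP before "This operation is available only if the kernel is configured with CONFIG_SECCOMP" is consistent with the same break added in the PR_SET_SECCOMP entry, so the change is fine as a formatting fix. While this entry is being touched, the context lines "and this system call is allowed by the seccomp filters, it returns 2; otherwise, the process is killed with a SIGKILL signal" describe a single outcome for a disallowed call, whereas the PR_SET_SECCOMP text in the previous hunk now leaves what the filter does to seccomp(2); for consistency with the commit's aim of deferring to seccomp(2), the "otherwise" clause could do the same rather than asserting SIGKILL as the only result.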