mirror of https://github.com/mkerrisk/man-pages
prctl.2: Rewrite the description of PR_SET_SECCOMP to defer to seccomp(2)
There is a lot of unnecessary duplication of content of the seccomp material in prctl(2) and seccomp(2). Trevor Woerner also noted that there is an error in prctl(2), where it says that the filters "are run in order until the first non-allow result is seen", which contradicts the correct statement in seccomp(2) that *all* filters are executed. So, rewrite the seccomp material in prctl(2) to strip out most of the content duplicated in seccomp(2), and replace the removed text with statements deferring to seccomp(2). Reported-by: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
2da936fe2b
commit
ae6b221882
68
man2/prctl.2
68
man2/prctl.2
|
@ -1142,66 +1142,41 @@ The seccomp mode is selected via
|
||||||
.IR arg2 .
|
.IR arg2 .
|
||||||
(The seccomp constants are defined in
|
(The seccomp constants are defined in
|
||||||
.IR <linux/seccomp.h> .)
|
.IR <linux/seccomp.h> .)
|
||||||
|
The following values can be specified:
|
||||||
|
.RS
|
||||||
|
.TP
|
||||||
|
.BR SECCOMP_MODE_STRICT " (since Linux 2.6.23)"
|
||||||
|
See the description of
|
||||||
|
.B SECCOMP_SET_MODE_STRICT
|
||||||
|
in
|
||||||
|
.BR seccomp (2).
|
||||||
.IP
|
.IP
|
||||||
With
|
|
||||||
.IR arg2
|
|
||||||
set to
|
|
||||||
.BR SECCOMP_MODE_STRICT ,
|
|
||||||
the only system calls that the thread is permitted to make are
|
|
||||||
.BR read (2),
|
|
||||||
.BR write (2),
|
|
||||||
.BR _exit (2)
|
|
||||||
(but not
|
|
||||||
.BR exit_group (2)),
|
|
||||||
and
|
|
||||||
.BR sigreturn (2).
|
|
||||||
Other system calls result in the delivery of a
|
|
||||||
.BR SIGKILL
|
|
||||||
signal.
|
|
||||||
Strict secure computing mode is useful for number-crunching applications
|
|
||||||
that may need to execute untrusted byte code,
|
|
||||||
perhaps obtained by reading from a pipe or socket.
|
|
||||||
This operation is available only
|
This operation is available only
|
||||||
if the kernel is configured with
|
if the kernel is configured with
|
||||||
.B CONFIG_SECCOMP
|
.B CONFIG_SECCOMP
|
||||||
enabled.
|
enabled.
|
||||||
.IP
|
.TP
|
||||||
With
|
.BR SECCOMP_MODE_FILTER " (since Linux 3.5)"
|
||||||
.IR arg2
|
The allowed system calls are defined by a pointer
|
||||||
set to
|
|
||||||
.BR SECCOMP_MODE_FILTER " (since Linux 3.5),"
|
|
||||||
the system calls allowed are defined by a pointer
|
|
||||||
to a Berkeley Packet Filter passed in
|
to a Berkeley Packet Filter passed in
|
||||||
.IR arg3 .
|
.IR arg3 .
|
||||||
This argument is a pointer to
|
This argument is a pointer to
|
||||||
.IR "struct sock_fprog" ;
|
.IR "struct sock_fprog" ;
|
||||||
it can be designed to filter
|
it can be designed to filter
|
||||||
arbitrary system calls and system call arguments.
|
arbitrary system calls and system call arguments.
|
||||||
This mode is available only if the kernel is configured with
|
See the description of
|
||||||
|
.B SECCOMP_SET_MODE_FILTER
|
||||||
|
in
|
||||||
|
.BR seccomp (2).
|
||||||
|
.IP
|
||||||
|
This operation is available only
|
||||||
|
if the kernel is configured with
|
||||||
.B CONFIG_SECCOMP_FILTER
|
.B CONFIG_SECCOMP_FILTER
|
||||||
enabled.
|
enabled.
|
||||||
|
.RE
|
||||||
.IP
|
.IP
|
||||||
If
|
For further details on seccomp filtering, see
|
||||||
.BR SECCOMP_MODE_FILTER
|
.BR seccomp (2).
|
||||||
filters permit
|
|
||||||
.BR fork (2),
|
|
||||||
then the seccomp mode is inherited by children created by
|
|
||||||
.BR fork (2);
|
|
||||||
if
|
|
||||||
.BR execve (2)
|
|
||||||
is permitted, then the seccomp mode is preserved across
|
|
||||||
.BR execve (2).
|
|
||||||
If the filters permit
|
|
||||||
.BR prctl ()
|
|
||||||
calls, then additional filters can be added;
|
|
||||||
they are run in order until the first non-allow result is seen.
|
|
||||||
.IP
|
|
||||||
For further information, see the kernel source file
|
|
||||||
.IR Documentation/userspace\-api/seccomp_filter.rst
|
|
||||||
.\" commit c061f33f35be0ccc80f4b8e0aea5dfd2ed7e01a3
|
|
||||||
(or
|
|
||||||
.IR Documentation/prctl/seccomp_filter.txt
|
|
||||||
before Linux 4.13).
|
|
||||||
.\" prctl PR_GET_SECCOMP
|
.\" prctl PR_GET_SECCOMP
|
||||||
.TP
|
.TP
|
||||||
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
|
.BR PR_GET_SECCOMP " (since Linux 2.6.23)"
|
||||||
|
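Review bot: The removal of the pointer to the kernel's own filter documentation (the lines ".IR Documentation/userspace\-api/seccomp_filter.rst", the pre-Linux-4.13 fallback ".IR Documentation/prctl/seccomp_filter.txt" and the ".\" commit c061f33f35be0ccc80f4b8e0aea5dfd2ed7e01a3" annotation) leaves prctl(2) with only "For further details on seccomp filtering, see seccomp(2)", and nothing in this hunk shows that seccomp(2) carries that reference; either confirm seccomp(2) cites seccomp_filter.rst or keep the one-sentence pointer here so readers can still reach the authoritative kernel text. Dropping "they are run in order until the first non-allow result is seen" outright rather than rewording it is the right call, since the filter-stacking semantics now live only in seccomp(2). Minor: the retained SECCOMP_MODE_FILTER paragraph still explains arg3 ("a pointer to a Berkeley Packet Filter ... struct sock_fprog ... arbitrary system calls and system call arguments"), which is the kind of duplication the commit message says it strips; for consistency with the SECCOMP_MODE_STRICT entry, which is now just a cross-reference plus the CONFIG_SECCOMP note, consider trimming it to the cross-reference and the CONFIG_SECCOMP_FILTER note.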
@ -1217,6 +1192,7 @@ If the caller is in filter mode, and this system call is allowed by the
|
||||||
seccomp filters, it returns 2; otherwise, the process is killed with a
|
seccomp filters, it returns 2; otherwise, the process is killed with a
|
||||||
.BR SIGKILL
|
.BR SIGKILL
|
||||||
signal.
|
signal.
|
||||||
|
.IP
|
||||||
This operation is available only
|
This operation is available only
|
||||||
if the kernel is configured with
|
if the kernel is configured with
|
||||||
.B CONFIG_SECCOMP
|
.B CONFIG_SECCOMP
|
||||||
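Review bot: The unchanged PR_GET_SECCOMP context above this added .IP still says that if the call is not allowed by the seccomp filters "the process is killed with a SIGKILL signal"; that hard-codes one filter action in prctl(2), while the body of this commit moves filter semantics to seccomp(2) and the same page says a filter "can be designed to filter arbitrary system calls and system call arguments", so the outcome of a disallowed prctl() is whatever action the filter returns. Consider rewording to something like "otherwise, the action specified by the filter is applied (see seccomp(2))" while this paragraph is being touched. The added .IP itself is correct: the CONFIG_SECCOMP sentence is a separate paragraph and now matches the layout used for SECCOMP_MODE_STRICT and SECCOMP_MODE_FILTER.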