seccomp.2: Add subsection on seccomp-specific BPF details

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-12-30 12:35:39 +01:00 · 2014-12-30 12:35:39 +01:00 · cecc8c48ba
parent 93b9a9eeff
commit cecc8c48ba
1 changed files with 28 additions and 0 deletions
--- a/man2/seccomp.2
+++ b/man2/seccomp.2
@ -463,6 +463,34 @@ provides a superset of the functionality provided by the
 .BR PR_SET_SECCOMP
 operation (which does not support
 .IR flags ).
+.\" FIXME Please review the following new subsection {{{
+.SS Seccomp-specific BPF details
+Note the following BPF details specific to seccomp filters:
+.IP * 3
+The
+.B BPF_H
+and
+.B BPF_B
+size modifiers are not supported: all operations must load and store
+(4-byte) words
+.RB ( BPF_W ).
+.IP *
+To access the contents of the
+.I seccomp_data
+buffer, use the
+.B BPF_ABS
+addressing mode modifier.
+.\" FIXME What is the significance of the line
+.\"           ftest->code = BPF_LDX | BPF_W | BPF_ABS;
+.\"       in kernel/seccomp.c::seccomp_check_filter()?
+.IP *
+The
+.B BPF_LEN
+addressing mode modifier yields an immediate mode operand
+whose value is the size of the
+.IR seccomp_data
+buffer.
+.\" FIXME End of new subsection for review }}}
 .SH EXAMPLE
 The program below accepts four or more arguments.
 The first three arguments are a system call number,