mirror of https://github.com/mkerrisk/man-pages
seccomp.2: Minor tweaks to Andy Lutomirski's patch
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 9729408da5
commit de527cb9b7
@ -346,7 +346,8 @@ This means that a policy must either deny all syscalls with
.BR __X32_SYSCALL_BIT
or it must recognize syscalls with and without
.BR __X32_SYSCALL_BIT
set. A list of syscalls to be denied based on
set.
A list of system calls to be denied based on
.IR nr
that does not also contain
.IR nr
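Review bot: the one wording change here, splitting "set." onto its own line and turning "syscalls" into "system calls", follows the one-sentence-per-line convention and the "system calls" wording used elsewhere in this page, so no objection. A suggestion for the new line "A list of system calls to be denied based on .IR nr": the bypass spelled out a few lines later is the caller setting __X32_SYSCALL_BIT in nr, so the text could say directly that a deny list must either reject every nr with that bit set or list each number both with and without the bit, rather than leaving the reader to infer that from the "does not also contain" clause.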
@ -355,9 +356,9 @@ values with
set can be bypassed by a malicious program that sets
.BR __X32_SYSCALL_BIT .
.PP
Additionally, kernels prior to 5.4 incorrectly permitted
Additionally, kernels prior to Linux 5.4 incorrectly permitted
.IR nr
in the ranges 512-547 as well as the corresponding non-x32 syscalls ored
in the ranges 512-547 as well as the corresponding non-x32 syscalls ORed
with
.BR __X32_SYSCALL_BIT .
For example,
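Review bot: "in the ranges 512-547" should read "in the range 512-547", since only a single range is given; the plural predates this patch, but the line is already being touched for "ored" to "ORed", so it is cheap to fix now. Writing "Linux 5.4" instead of a bare "5.4" matches the "Linux 5.4" wording used in the next hunk, which is good.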
@ -369,11 +370,13 @@ For example,
would result in invocations of
.BR ptrace (2)
with potentially confused x32-vs-x86_64 semantics in the kernel.
Policies intended to work on kernels before 5.4 must ensure that they
deny or otherwise correctly handle these system calls. On kernels
5.4 and newer, such system calls will return -ENOSYS without doing
anything.
Policies intended to work on kernels before Linux 5.4 must ensure that they
deny or otherwise correctly handle these system calls.
On Linux 5.4 and newer,
.\" commit 6365b842aae4490ebfafadfc6bb27a6d3cc54757
such system calls will fail with the error
.BR ENOSYS ,
without doing anything.
.PP
The
.I instruction_pointer
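Review bot: the new sentence "such system calls will fail with the error ENOSYS, without doing anything" leaves open what a filter author should conclude from it: the preceding sentence says policies for kernels before Linux 5.4 must deny or handle these calls, but nothing says whether a policy for Linux 5.4 and newer may simply let them through and rely on the kernel's ENOSYS, or should still deny them for consistency across kernel versions. One clause settling that would remove the ambiguity. Replacing "return -ENOSYS" with "fail with the error ENOSYS" is the correct user-space phrasing, and the ".\" commit 6365b842..." source comment is a welcome addition.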