From de527cb9b75d61e3768f150bc53025b1bc8bf77a Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Fri, 24 Jul 2020 14:15:00 +0200 Subject: [PATCH] seccomp.2: Minor tweaks to Andy Lutomirski's patch Signed-off-by: Michael Kerrisk --- man2/seccomp.2 | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/man2/seccomp.2 b/man2/seccomp.2 index e49182560..2ab30b14a 100644 --- a/man2/seccomp.2 +++ b/man2/seccomp.2 @@ -346,7 +346,8 @@ This means that a policy must either deny all syscalls with .BR __X32_SYSCALL_BIT or it must recognize syscalls with and without .BR __X32_SYSCALL_BIT -set. A list of syscalls to be denied based on +set. +A list of system calls to be denied based on .IR nr that does not also contain .IR nr @@ -355,9 +356,9 @@ values with set can be bypassed by a malicious program that sets .BR __X32_SYSCALL_BIT . .PP -Additionally, kernels prior to 5.4 incorrectly permitted +Additionally, kernels prior to Linux 5.4 incorrectly permitted .IR nr -in the ranges 512-547 as well as the corresponding non-x32 syscalls ored +in the ranges 512-547 as well as the corresponding non-x32 syscalls ORed with .BR __X32_SYSCALL_BIT . For example, @@ -369,11 +370,13 @@ For example, would result in invocations of .BR ptrace (2) with potentially confused x32-vs-x86_64 semantics in the kernel. -Policies intended to work on kernels before 5.4 must ensure that they -deny or otherwise correctly handle these system calls. On kernels -5.4 and newer, such system calls will return -ENOSYS without doing -anything. +Policies intended to work on kernels before Linux 5.4 must ensure that they +deny or otherwise correctly handle these system calls. +On Linux 5.4 and newer, .\" commit 6365b842aae4490ebfafadfc6bb27a6d3cc54757 +such system calls will fail with the error +.BR ENOSYS , +without doing anything. .PP The .I instruction_pointer
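Review bot: In the first hunk (@@ -346,7 +346,8 @@), the wording change from "syscalls" to "system calls" is applied to only one of the two occurrences in the same passage; the unchanged context line "or it must recognize syscalls with and without" still says "syscalls", so the paragraph now mixes both terms. Either change that line as well ("or it must recognize system calls with and without") or leave "A list of syscalls to be denied" as it was so the terminology stays consistent. The split of "set." onto its own line is fine and matches the one-sentence-per-line convention used elsewhere in the hunk.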
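Review bot: In the second hunk (@@ -355,9 +356,9 @@), "in the ranges 512-547" names a single numeric range, so "in the range 512-547 as well as the corresponding non-x32 syscalls ORed with" reads more precisely; since the hunk already rewrites that line ("ored" to "ORed"), the fix costs nothing. The same line keeps "syscalls" while the first hunk of this patch switches to "system calls", so pick one spelling for the whole page.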
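Review bot: In the third hunk (@@ -369,11 +370,13 @@), the roff comment `.\" commit 6365b842aae4490ebfafadfc6bb27a6d3cc54757` is placed on the same line as the text "On Linux 5.4 and newer," rather than on a line of its own. In roff the `.` control character is only special at the start of a line; mid-line, the `\"` escape comments out the rest of the line but the preceding `.` is ordinary text, so the rendered page gains a stray period ("On Linux 5.4 and newer, . such system calls will fail"). The diffstat (10 insertions) confirms this hunk adds six lines, i.e. the comment really shares a line with the text. Move the comment onto its own line immediately before or after "On Linux 5.4 and newer,", as the man-pages convention for source-citation comments does elsewhere:
"On Linux 5.4 and newer,"
".\" commit 6365b842aae4490ebfafadfc6bb27a6d3cc54757"
"such system calls will fail with the error"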