Michael Kerrisk
e7d0bb4715
memusage.1, clone.2, eventfd.2, futex.2, getdents.2, ioctl_fat.2, ioctl_ns.2, kcmp.2, keyctl.2, mmap.2, mprotect.2, msgop.2, recvmmsg.2, request_key.2, sched_setaffinity.2, seccomp.2, setns.2, tee.2, timer_create.2, timerfd_create.2, unshare.2, userfaultfd.2, wait.2, __ppc_get_timebase.3, backtrace.3, bswap.3, clock_getcpuclockid.3, dl_iterate_phdr.3, dlinfo.3, dlopen.3, duplocale.3, end.3, endian.3, fmemopen.3, fopencookie.3, frexp.3, ftw.3, getdate.3, getgrouplist.3, getifaddrs.3, getprotoent_r.3, getservent_r.3, gnu_get_libc_version.3, if_nameindex.3, inet.3, inet_net_pton.3, inet_pton.3, insque.3, makecontext.3, mallinfo.3, malloc_info.3, mallopt.3, matherr.3, mbstowcs.3, mcheck.3, mq_getattr.3, mq_notify.3, newlocale.3, offsetof.3, posix_spawn.3, pthread_attr_init.3, pthread_cancel.3, pthread_cleanup_push.3, pthread_create.3, pthread_getattr_default_np.3, pthread_getattr_np.3, pthread_getcpuclockid.3, pthread_setname_np.3, pthread_setschedparam.3, pthread_sigmask.3, scandir.3, sem_wait.3, strcat.3, strftime.3, strtok.3, strtol.3, strverscmp.3, loop.4, core.5, aio.7, fanotify.7, feature_test_macros.7, inotify.7, pkeys.7, unix.7, user_namespaces.7: Use .EX/.EE for EXAMPLE programs
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-08-16 10:44:33 +02:00
Michael Kerrisk
efeece0465
_syscall.2, bpf.2, cacheflush.2, capget.2, chdir.2, chmod.2, chroot.2, clock_getres.2, clock_nanosleep.2, clone.2, close.2, connect.2, copy_file_range.2, create_module.2, delete_module.2, dup.2, epoll_create.2, epoll_ctl.2, epoll_wait.2, eventfd.2, execve.2, execveat.2, fallocate.2, flock.2, fork.2, fsync.2, futex.2, futimesat.2, get_kernel_syms.2, get_mempolicy.2, get_robust_list.2, getcpu.2, getdents.2, getdomainname.2, getgid.2, getgroups.2, gethostname.2, getitimer.2, getpagesize.2, getpeername.2, getpriority.2, getrandom.2, getresuid.2, getrlimit.2, getrusage.2, getsid.2, getsockname.2, getsockopt.2, gettid.2, gettimeofday.2, getuid.2, getunwind.2, init_module.2, inotify_add_watch.2, inotify_init.2, inotify_rm_watch.2, intro.2, io_cancel.2, io_destroy.2, io_getevents.2, io_setup.2, io_submit.2, ioctl_fat.2, ioctl_ficlonerange.2, ioctl_fideduperange.2, ioctl_tty.2, ioctl_userfaultfd.2, ioperm.2, iopl.2, ioprio_set.2, kcmp.2, kexec_load.2, keyctl.2, kill.2, link.2, listen.2, listxattr.2, llseek.2, lookup_dcookie.2, lseek.2, madvise.2, mbind.2, membarrier.2, memfd_create.2, migrate_pages.2, mincore.2, mkdir.2, mknod.2, mlock.2, mmap.2, mmap2.2, modify_ldt.2, move_pages.2, mprotect.2, mq_getsetattr.2, mremap.2, msgctl.2, msgget.2, msgop.2, msync.2, nanosleep.2, nfsservctl.2, nice.2, open_by_handle_at.2, outb.2, perf_event_open.2, perfmonctl.2, personality.2, pivot_root.2, pkey_alloc.2, poll.2, posix_fadvise.2, prctl.2, pread.2, process_vm_readv.2, ptrace.2, query_module.2, quotactl.2, read.2, readahead.2, readdir.2, readv.2, reboot.2, recv.2, recvmmsg.2, remap_file_pages.2, rename.2, request_key.2, restart_syscall.2, rt_sigqueueinfo.2, s390_pci_mmio_write.2, s390_runtime_instr.2, sched_get_priority_max.2, sched_rr_get_interval.2, sched_setaffinity.2, sched_setattr.2, sched_setparam.2, sched_setscheduler.2, sched_yield.2, seccomp.2, select.2, select_tut.2, semctl.2, semget.2, semop.2, send.2, sendfile.2, sendmmsg.2, set_mempolicy.2, set_thread_area.2, set_tid_address.2, seteuid.2, setfsgid.2, setfsuid.2, setgid.2, setns.2, setpgid.2, setresuid.2, setreuid.2, setsid.2, setuid.2, sgetmask.2, shmctl.2, shmget.2, shmop.2, sigaction.2, sigaltstack.2, sigpending.2, sigprocmask.2, sigreturn.2, sigsuspend.2, sigwaitinfo.2, socket.2, socketcall.2, socketpair.2, splice.2, spu_create.2, spu_run.2, stat.2, statfs.2, statx.2, subpage_prot.2, swapon.2, symlink.2, sync.2, sync_file_range.2, syscalls.2, sysctl.2, sysinfo.2, syslog.2, tee.2, time.2, timer_create.2, timer_getoverrun.2, timer_settime.2, timerfd_create.2, times.2, tkill.2, truncate.2, umask.2, umount.2, unimplemented.2, unlink.2, unshare.2, uselib.2, userfaultfd.2, utime.2, utimensat.2, vfork.2, vmsplice.2, wait.2, wait4.2, write.2: Formatting fix: replace blank lines with .PP/.IP
...
Blank lines shouldn't generally appear in *roff source (other
than in code examples), since they create large vertical
spaces between text blocks.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-08-16 09:30:51 +02:00
Michael Kerrisk
0fc339b298
seccomp.2: Minor tweaks to Kees Cook's patch
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-08-15 20:49:22 +02:00
Kees Cook
5defc77db0
seccomp.2: Clarify SECCOMP_RET_KILL kills tasks not processes
...
Zach Reizner pointed out a mismatch between kernel behavior and the
man-page documentation of SECCOMP_RET_KILL which kills tasks not
processes.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-08-15 20:47:14 +02:00
Michael Kerrisk
dbfe9c700e
_syscall.2, clock_getres.2, clone.2, copy_file_range.2, create_module.2, delete_module.2, fallocate.2, futex.2, get_kernel_syms.2, get_robust_list.2, getcpu.2, getdents.2, gettid.2, gettimeofday.2, getunwind.2, init_module.2, io_cancel.2, io_destroy.2, io_getevents.2, io_setup.2, io_submit.2, ioctl_userfaultfd.2, ioprio_set.2, kcmp.2, kexec_load.2, keyctl.2, link.2, llseek.2, memfd_create.2, mmap.2, mq_getsetattr.2, msgctl.2, msgget.2, open_by_handle_at.2, outb.2, perf_event_open.2, pivot_root.2, process_vm_readv.2, query_module.2, readdir.2, recvmmsg.2, rename.2, request_key.2, restart_syscall.2, rt_sigqueueinfo.2, s390_pci_mmio_write.2, s390_runtime_instr.2, sched_setattr.2, seccomp.2, select.2, select_tut.2, send.2, sendmmsg.2, set_thread_area.2, set_tid_address.2, sgetmask.2, shmop.2, sigaction.2, sigprocmask.2, splice.2, spu_create.2, spu_run.2, statx.2, subpage_prot.2, sync_file_range.2, syscall.2, sysctl.2, sysfs.2, tee.2, timer_create.2, timer_delete.2, timer_getoverrun.2, timer_settime.2, tkill.2, uselib.2, utimensat.2, vmsplice.2, wait.2, aio_init.3, asinh.3, atan2.3, atanh.3, backtrace.3, basename.3, bswap.3, bzero.3, catgets.3, catopen.3, dladdr.3, dlsym.3, endian.3, envz_add.3, erf.3, erfc.3, error.3, ferror.3, ffs.3, fgetc.3, fmemopen.3, fopen.3, fopencookie.3, fseek.3, ftw.3, futimes.3, getdate.3, getenv.3, getline.3, getlogin.3, getrpcent.3, getsubopt.3, getutmp.3, getw.3, gnu_get_libc_version.3, inet_net_pton.3, isalpha.3, lio_listio.3, makedev.3, malloc_get_state.3, malloc_stats.3, malloc_trim.3, malloc_usable_size.3, matherr.3, memchr.3, nextup.3, ntp_gettime.3, posix_madvise.3, program_invocation_name.3, pthread_atfork.3, pthread_attr_setaffinity_np.3, pthread_attr_setdetachstate.3, pthread_attr_setguardsize.3, pthread_attr_setinheritsched.3, pthread_attr_setschedparam.3, pthread_attr_setschedpolicy.3, pthread_attr_setscope.3, pthread_attr_setstack.3, pthread_attr_setstackaddr.3, pthread_attr_setstacksize.3, pthread_cleanup_push_defer_np.3, pthread_detach.3, pthread_equal.3, pthread_exit.3, pthread_join.3, pthread_kill.3, pthread_kill_other_threads_np.3, pthread_rwlockattr_setkind_np.3, pthread_self.3, pthread_setcancelstate.3, pthread_setconcurrency.3, pthread_setschedprio.3, pthread_testcancel.3, pthread_tryjoin_np.3, pthread_yield.3, puts.3, random.3, random_r.3, rpc.3, sched_getcpu.3, setnetgrent.3, sigwait.3, stdin.3, strerror.3, strfmon.3, timeradd.3, tmpnam.3, toupper.3, towlower.3, towupper.3, ttyname.3, uselocale.3, xdr.3, dsp56k.4, sigevent.7, vdso.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-08-15 19:39:04 +02:00
Michael Kerrisk
f55a6d598d
Changes, ldd.1, chown.2, epoll_wait.2, get_mempolicy.2, ioctl_getfsmap.2, madvise.2, membarrier.2, mount.2, pipe.2, readv.2, seccomp.2, sigaltstack.2, splice.2, tee.2, timer_create.2, vmsplice.2, acosh.3, asinh.3, atanh.3, bsd_signal.3, dl_iterate_phdr.3, dlsym.3, flockfile.3, fpathconf.3, ftw.3, getaddrinfo.3, getcontext.3, getgrent.3, if_nametoindex.3, malloc.3, nl_langinfo.3, posix_madvise.3, ptsname.3, rand.3, resolver.3, sigpause.3, sigwait.3, strtol.3, sysconf.3, ttyslot.3, unlocked_stdio.3, unlockpt.3, capabilities.7, cgroup_namespaces.7, inode.7, man.7, pipe.7, sigevent.7: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-07-13 14:22:45 +02:00
Michael Kerrisk
baaf65e88a
seccomp.2: Minor tweaks to Mike's patch
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-07-05 10:46:44 +02:00
Mike Frysinger
089761d56d
seccomp(2): Expand SECCOMP_RET_KILL documentation
...
First clarify that the process cannot catch this SIGSYS signal.
While the text currently says that, it's easy (IMO) to read
ambiguously and that it's referring to default behavior (no
handler -> process exits).
Then add details regarding coredump behavior. Before Linux 4.11,
there was no way to get coredumps from such crashes. Now we can
at least get crashes from single threaded processes.
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-07-05 10:41:53 +02:00
Jakub Wilk
5465ae9568
futex.2, open_by_handle_at.2, seccomp.2, socket.2, console_codes.4, protocols.5, aio.7, capabilities.7, libc.7, netlink.7, raw.7, standards.7, unicode.7, uri.7, vdso.7: tfix
...
Escape hyphens in URLs.
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-01-30 08:33:49 +13:00
Michael Kerrisk
88f02af602
seccomp.2: NOTES: mention ptrace(PTRACE_SECCOMP_GET_FILTER) to dump seccomp filters
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-11-08 14:07:56 +01:00
Jann Horn
09481df399
seccomp.2: Document changed interaction with ptrace
...
Signed-off-by: Jann Horn <jann@thejh.net>
2016-11-06 13:19:55 -07:00
Michael Kerrisk
b8efb41432
memusage.1, memusagestat.1, pldd.1, accept.2, adjtimex.2, arch_prctl.2, bdflush.2, bpf.2, close.2, epoll_ctl.2, epoll_wait.2, execve.2, execveat.2, fanotify_init.2, fanotify_mark.2, fcntl.2, fsync.2, get_kernel_syms.2, getdomainname.2, getgroups.2, gethostname.2, getrandom.2, getrlimit.2, getrusage.2, getsid.2, getunwind.2, io_getevents.2, ioctl_fat.2, kexec_load.2, killpg.2, listxattr.2, lseek.2, madvise.2, memfd_create.2, mknod.2, mlock.2, modify_ldt.2, msgctl.2, msgget.2, msgop.2, readlink.2, readv.2, reboot.2, recvmmsg.2, rename.2, request_key.2, restart_syscall.2, sched_setaffinity.2, sched_setattr.2, sched_setparam.2, seccomp.2, select_tut.2, semctl.2, semget.2, semop.2, set_thread_area.2, seteuid.2, setgid.2, setpgid.2, setresuid.2, setreuid.2, setsid.2, setuid.2, shmctl.2, shmget.2, shmop.2, sigaction.2, sigprocmask.2, stat.2, symlink.2, syscall.2, sysctl.2, unlink.2, bindresvport.3, byteorder.3, dlopen.3, endian.3, error.3, ffs.3, fmemopen.3, getcwd.3, getlogin.3, getnetent.3, getprotoent.3, getservent.3, getumask.3, getutent.3, glob.3, isalpha.3, lio_listio.3, login.3, mbsinit.3, mbstowcs.3, mbtowc.3, mkstemp.3, nextup.3, ntp_gettime.3, posix_fallocate.3, posix_spawn.3, pthread_join.3, pthread_rwlockattr_setkind_np.3, random.3, rcmd.3, realpath.3, resolver.3, setjmp.3, setnetgrent.3, sigvec.3, strerror.3, strverscmp.3, system.3, toupper.3, towlower.3, towupper.3, wcstombs.3, wordexp.3, cciss.4, loop.4, mouse.4, random.4, core.5, group.5, hosts.5, resolv.conf.5, ascii.7, environ.7, epoll.7, glob.7, ip.7, mq_overview.7, packet.7, pipe.7, raw.7, sched.7, signal.7, socket.7, symlink.7, ld.so.8, sln.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-10-08 14:08:23 +02:00
Michael Kerrisk
be8f12726e
seccomp.2: CAP_SYS_ADMIN is required only in caller's user namespace
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-09-12 16:54:28 +01:00
Michael Kerrisk
bf7bc8b898
arch_prctl.2, execveat.2, fanotify_mark.2, fcntl.2, fork.2, madvise.2, mknod.2, mmap.2, modify_ldt.2, mount.2, open.2, prctl.2, ptrace.2, restart_syscall.2, seccomp.2, semop.2, set_thread_area.2, symlink.2, umount.2, unlink.2, error.3, getnetent.3, getprotoent.3, getservent.3, getutent.3, glob.3, login.3, setjmp.3, setnetgrent.3, wordexp.3, epoll.7: Remove section number from page self reference
...
Fix places where pages refer to the function that they describe
and include a section number in that reference. Such references
cause some HTML-rendering tools to create self-references in the
page.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-08-08 05:54:12 +10:00
Michael Kerrisk
6f3c74a8b9
mremap.2, open.2, perf_event_open.2, prctl.2, ptrace.2, reboot.2, seccomp.2, signalfd.2, syscalls.2, __ppc_set_ppr_med.3, daemon.3, dirfd.3, fgetgrent.3, fgetpwent.3, getauxval.3, getspnam.3, mallinfo.3, mallopt.3, posix_fallocate.3, termios.3, tty_ioctl.4, core.5, nsswitch.conf.5, proc.5, aio.7, capabilities.7, path_resolution.7, pipe.7, rtld-audit.7, signal.7, tcp.7: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-12-05 10:46:28 +01:00
Michael Kerrisk
d74503a55a
seccomp.2: Note why all filters in a set are executed even after SECCOMP_RET_KILL
...
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-09-05 09:00:02 +02:00
Michael Kerrisk
755a656a49
seccomp.2: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-09-05 08:51:37 +02:00
Michael Kerrisk
712551eaad
seccomp.2: Describe use of 'instruction_pointer' data field
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-09-05 08:43:31 +02:00
Michael Kerrisk
944a31e27f
seccomp.2: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-09-05 08:31:14 +02:00
Michael Kerrisk
ccc70c8135
seccomp.2: SEE ALSO: add scmp_sys_resolver(1)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-08-08 13:44:20 +02:00
Michael Kerrisk
ca6f43fc0e
seccomp.2: SEE ALSO: mention libseccomp pages
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-08-08 10:32:18 +02:00
Michael Kerrisk
8cc4d07100
Removed trailing white space at end of lines
2015-07-23 16:15:22 +02:00
Michael Kerrisk
5722c835ab
intro.1, locale.1, _exit.2, access.2, bpf.2, brk.2, capget.2, chmod.2, chroot.2, clock_getres.2, clone.2, eventfd.2, fallocate.2, fork.2, getgroups.2, gethostname.2, getpid.2, getpriority.2, getrlimit.2, getrusage.2, gettid.2, iopl.2, ioprio_set.2, killpg.2, mlock.2, mprotect.2, perf_event_open.2, poll.2, posix_fadvise.2, pread.2, ptrace.2, read.2, readv.2, recv.2, rename.2, sched_setaffinity.2, sched_setattr.2, seccomp.2, select.2, send.2, seteuid.2, setgid.2, setresuid.2, setreuid.2, setuid.2, sigaltstack.2, signalfd.2, sigpending.2, sigprocmask.2, sigreturn.2, sigsuspend.2, sigwaitinfo.2, socket.2, stat.2, timer_create.2, uname.2, utimensat.2, wait.2, wait4.2, write.2, MB_LEN_MAX.3, __ppc_get_timebase.3, clearenv.3, dl_iterate_phdr.3, error.3, fexecve.3, fpurge.3, fread.3, fts.3, getaddrinfo.3, getaddrinfo_a.3, getauxval.3, getgrent_r.3, gethostbyname.3, getifaddrs.3, getnameinfo.3, getnetent_r.3, getprotoent.3, getprotoent_r.3, getpw.3, getpwent_r.3, getrpcent.3, getrpcent_r.3, getrpcport.3, getservent.3, getservent_r.3, gsignal.3, key_setsecret.3, malloc_get_state.3, malloc_info.3, malloc_stats.3, malloc_trim.3, memcpy.3, mq_notify.3, mq_open.3, perror.3, profil.3, psignal.3, pthread_attr_init.3, pthread_attr_setaffinity_np.3, pthread_cancel.3, pthread_cleanup_push.3, pthread_create.3, pthread_detach.3, pthread_getattr_np.3, pthread_join.3, pthread_setname_np.3, pthread_tryjoin_np.3, putgrent.3, rcmd.3, rpc.3, rpmatch.3, sem_close.3, sem_open.3, setaliasent.3, shm_open.3, sigqueue.3, strfmon.3, xcrypt.3, xdr.3, console_codes.4, null.4, core.5, host.conf.5, hosts.equiv.5, locale.5, repertoiremap.5, locale.7, man-pages.7, pty.7, rtld-audit.7, sched.7, vdso.7: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-07-23 16:12:28 +02:00
Michael Kerrisk
00eaa6aaae
seccomp.2: SEE ALSO: add bpf(2)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-07-23 15:37:27 +02:00
Michael Kerrisk
fe56ce1c5f
seccomp.2: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-07-13 14:06:24 +02:00
Michael Kerrisk
3c5ab7703e
seccomp.2: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-07-03 12:40:48 +02:00
Michael Kerrisk
85fbef7408
prctl.2, seccomp.2: Clarify that SECCOMP_SET_MODE_STRICT disallows exit_group(2)
...
These days, glibc implements _exit() as a wrapper around
exit_group(2). (When seccomp was originally introduced, this was
not the case.) Give the reader a clue that, despite what glibc is
doing, what SECCOMP_SET_MODE_STRICT permits is the true _exit(2)
system call, and not exit_group(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-07-03 12:40:16 +02:00
Michael Kerrisk
7a79bb301a
seccomp.2: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-06-30 13:29:23 +02:00
Michael Kerrisk
e9855ef2f7
seccomp.2: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-06-30 13:29:00 +02:00
Michael Kerrisk
65cfc71220
seccomp.2: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-06-30 13:28:10 +02:00
Michael Kerrisk
ef5a2800f7
seccomp.2: srcfix
...
Reported-by: Sam Varshavchik <mrsam@courier-mta.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-05-08 16:13:42 +02:00
Michael Kerrisk
1a7e5113c6
seccomp.2: Note that seccomp_data is read-only
...
Reported-by: Pierre Chifflier <pollux@debian.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-04-19 09:33:38 +02:00
Michael Kerrisk
0582770c52
seccomp.2: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-04-11 08:46:26 +02:00
Michael Kerrisk
1e64c86bbf
intro.1, ldd.1, clone.2, getgroups.2, getpid.2, getsockopt.2, ioctl_list.2, msgop.2, open.2, seccomp.2, setgid.2, setresuid.2, setreuid.2, setuid.2, sigaction.2, sigpending.2, sigprocmask.2, sigreturn.2, sigsuspend.2, sigwaitinfo.2, socket.2, syscall.2, syscalls.2, umount.2, clock.3, dlopen.3, fmemopen.3, fpathconf.3, fputwc.3, fputws.3, fseek.3, fseeko.3, gcvt.3, getline.3, getwchar.3, hypot.3, if_nameindex.3, initgroups.3, popen.3, resolver.3, strcoll.3, strdup.3, tzset.3, ulimit.3, wcstombs.3, wctob.3, xdr.3, console_codes.4, random.4, filesystems.5, host.conf.5, hosts.5, proc.5, resolv.conf.5, securetty.5, credentials.7, feature_test_macros.7, hier.7, ipv6.7, packet.7, pthreads.7, raw.7, signal.7, tcp.7, user_namespaces.7, ld.so.8, ldconfig.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-29 22:30:09 +02:00
Michael Kerrisk
37daa840af
seccomp.2: Minor edits to Jann Horn's patch
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-29 18:09:56 +02:00
Jann Horn
b44088b44f
seccomp.2: Explain blacklisting problems, expand example
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-29 17:52:09 +02:00
Michael Kerrisk
65be1b46fb
seccomp.2: Minor fixes to Jann Horn's patch
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-22 20:25:10 +01:00
Jann Horn
bec56ee2bb
seccomp.2: Add note about alarm(2) not being sufficient to limit runtime
...
On Wed, Mar 11, 2015 at 10:43:50PM +0100, Mikael Pettersson wrote:
> Jann Horn writes:
> > Or should I throw this patch away and write a patch
> > for the prctl() manpage instead that documents that
> > being able to call sigreturn() implies being able to
> > effectively call sigprocmask(), at least on some
> > architectures like X86?
>
> Well, that is the semantics of sigreturn(). It is essentially
> setcontext() [which includes the actions of sigprocmask()], but
> with restrictions on parameter placement (at least on x86).
>
> You could introduce some setting to restrict that aspect for
> seccomp processes, but you can't change this for normal processes
> without breaking things.
Then I think it's probably better and easier to just document the
existing behavior? If a new setting would have to be introduced
and developers would need to be aware of that, it's probably
easier to just tell everyone to use SIGKILL.
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Mikael Pettersson <mikpelinux@gmail.com>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-22 20:25:03 +01:00
Michael Kerrisk
aea38298b3
seccomp.2: Add mention of libseccomp
...
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-15 09:51:44 +01:00
Michael Kerrisk
71bb61ecf6
seccomp.2: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-10 10:47:22 +01:00
Kees Cook
3b4a59c4b5
ptrace.2, sigaction.2, seccomp.2: Ptrace and siginfo details
...
While writing some additional seccomp tests, I realized
PTRACE_EVENT_SECCOMP wasn't documented yet. Fixed this, and added
additional notes related to ptrace events SIGTRAP details.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-18 12:04:32 +01:00
Michael Kerrisk
dff539545a
seccomp.2: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-16 07:55:21 +01:00
Michael Kerrisk
1ac80024c9
perf_event_open.2, seccomp.2, setns.2, shmget.2, memchr.3, pthread_tryjoin_np.3, strstr.3, random.4, epoll.7, netlink.7, pid_namespaces.7, tcp.7: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 16:05:01 +01:00
Michael Kerrisk
5ac5e03b0d
seccomp.2: srcfix: Remove a FIXME
...
Quoting Daniel's response to my FIXME
> Still hoping to hear from Will Drewy regarding this FIXME in the
> page source:
>
> .\" FIXME What is the significance of the line
> .\" ftest->code = BPF_LDX | BPF_W | BPF_ABS;
> .\" in kernel/seccomp.c::seccomp_check_filter()?
This came in from our rework via commit bd4cf0ed331a ("net: filter:
rework/optimize internal BPF interpreter's instruction set"), and
is kernel-internal only, and unused in classic BPF. It translates
into A = *(u32 *) (ctx + K) and will basically load an offset from
the populated seccomp_data (= ctx) to A. For the man-page itself
it has therefore no relevance, hope that clarifies it.
Reviewed-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
a79566fba6
seccomp.2: wfix
...
Revert a wording change, as suggested by Kees Cook.
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
1367a60afb
seccomp.2: A process's seccomp mode is viewable via /proc/PID/status "Seccomp"
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
068653012c
seccomp.2: Changes after review feedback by Kees Cook
...
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
36931cfc80
seccomp.2: srcfx: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
ef05ec712f
seccomp.2: Minor fix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
699996321d
seccomp.2: Tweak an argument name
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
6426723630
seccomp.2: EXAMPLE: Expand comments in the BPF program
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
86ae10e3bd
seccomp.2: Rename arguments inside example program
...
Rename the arguments to install_filter() to improve readability
a little and to remove a little ambiguity. In particular, rename
'arch' to 't_arch' so that it does not get confused with the
seccomp_data field of the same name.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
cecc8c48ba
seccomp.2: Add subsection on seccomp-specific BPF details
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
93b9a9eeff
seccomp.2: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
882cf566d8
seccomp.2: ERRORS: add an EINVAL case
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
043ed1c6d3
seccomp.2: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
0c2e01b788
seccomp.2: Rework discussion of 'seccomp_data' buffer
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
e28e21fea0
seccomp.2: SEE ALSO: add Documentation/prctl/seccomp_filter.txt
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
f74fd424c1
seccomp.2: Add reference to original Usenix BPF paper
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
65a1328c75
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
5b95c4aba5
seccomp.2: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
a0a0c98bdc
seccomp.2: Mention <linux/audit.h>
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
43b265ff16
seccomp.2: wfix for EFAULT error
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
0e27eb0cd4
seccomp.2: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
3edfdb10b2
seccomp.2: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
30d8060bd7
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:10 +01:00
Michael Kerrisk
76db415686
seccomp.2: Minor tweak to wording of ENOSYS error
2015-01-10 09:38:09 +01:00
Michael Kerrisk
cf690e13ff
seccomp.2: Rework discussion of 'siginfo_t' fields
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
41bf4e32e0
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
db99c0648c
seccomp.2: Add reference to sigaction(2) under SECCOMP_RET_TRAP discussion
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
1da13d158d
seccomp.2: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
ce67ca2364
seccomp.2: Minor tweak to ENOMEM error text
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
29efefece6
seccomp.2: Add some ERRORS
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
5c8dd0e971
seccomp.2: Add a comment to example program
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
610082d992
seccomp.2: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
880bc4eb2d
seccomp.2: Clarify thread ID returned on SECCOMP_FILTER_FLAG_TSYNC failure
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
cbffd6ae44
seccomp.2: Fixes after review comments from Kees Cook
...
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
b8ffefd766
seccomp.2: Clarifications from Andy Lutomirski
...
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
87aa1b2cd8
seccomp.2: Minor fixes
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
1268c887a7
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
4c43ddd29b
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
886a865181
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
d4438093f3
seccomp.2: srcfix: add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
35e4506b05
seccomp.2: Add sample runs for example program
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
5e97e9b10c
seccomp.2: Tweaks to example program
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
0a1b868c77
seccomp.2: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
5b84640229
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
feb058c230
seccomp.2: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
b95b411b88
seccomp.2: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
18abaf3ea2
seccomp.2: SEE ALSO: add kernel source file Documentation/networking/filter.txt
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:09 +01:00
Michael Kerrisk
d8c128fb6e
seccomp.2: srcfix: update FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
d2b076687d
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
3cea64ec03
seccomp.2: srcfix: Add FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
e01ca3aa51
seccomp.2: grfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
3fbe3aa3f9
seccomp.2: Reword text describing ENOSYS failure from SECCOMP_RET_TRACE
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
33bb5d332f
seccomp.2: Minor wording fix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
0a2a0df097
seccomp.2: Reword text describing killing via SIGSYS
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
ec2bb3c022
seccomp.2: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
8585d5a797
seccomp.2: Reword text on seccomp filter return values
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00
Michael Kerrisk
67f7d3af9d
seccomp.2: srcfix: Added FIXMEs
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-01-10 09:38:08 +01:00