author: Alejandro Colomar <alx.manpages@gmail.com> 2021-07-28 22:19:53 +0200
committer: Michael Kerrisk <mtk.manpages@gmail.com> 2021-08-08 03:02:59 +0200
commit: 1cca69d3a70439e84a9e15c7d675883d44e42bfe (patch)
tree: 21a3edc12f2d8191d10adb41bf2a45e5d2407e55 /man2
parent: 3e2656812f240aa25db29f4c8ee85f199cb5a66a (diff)
seccomp_unotify.2: Minor tweaks to Rodrigo's patch
Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man2')
-rw-r--r--  man2/seccomp_unotify.2  | 32
1 files changed, 17 insertions, 15 deletions
diff --git a/man2/seccomp_unotify.2 b/man2/seccomp_unotify.2
index 9bd27214f0..ae449ae365 100644
--- a/man2/seccomp_unotify.2
+++ b/man2/seccomp_unotify.2
@@ -740,16 +740,18 @@ use the file descriptor number specified in the
.I newfd
field.
.TP
-.BR SECCOMP_ADDFD_FLAG_SEND
-Available since Linux 5.14, combines the
+.BR SECCOMP_ADDFD_FLAG_SEND " (since Linux 5.14)"
+Combines the
.B SECCOMP_IOCTL_NOTIF_ADDFD
ioctl with
.B SECCOMP_IOCTL_NOTIF_SEND
-into an atomic operation. On successful invocation, the target process's
-errno will be 0 and the return value will be the file descriptor number that was
-installed in the target. If allocating the file descriptor in the tatget fails,
-the target's syscall continues to be blocked until a successful response is
-sent.
+into an atomic operation.
+On successful invocation, the target process's errno will be 0
+and the return value will be the file descriptor number
+that was installed in the target.
+If allocating the file descriptor in the tatget fails,
+the target's syscall continues to be blocked
+until a successful response is sent.
.RE
.TP
.I srcfd
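Review bot: the typo "tatget" in the removed line "If allocating the file descriptor in the tatget fails," is carried over verbatim into the added line "+If allocating the file descriptor in the tatget fails,"; since this hunk is already reflowing that sentence, fix it to "target" here rather than in a follow-up. The rest of the hunk (moving the version note into the ".BR SECCOMP_ADDFD_FLAG_SEND " (since Linux 5.14)"" heading and one-sentence-per-line reflow) matches man-pages conventions.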
@@ -1149,14 +1151,6 @@ that would
normally be restarted by the
.BR SA_RESTART
flag.
-.PP
-Furthermore, if the supervisor response is a file descriptor
-added with
-.B SECCOMP_IOCTL_NOTIF_ADDFD,
-then the flag
-.B SECCOMP_ADDFD_FLAG_SEND
-can be used to atomically add the file descriptor and return that value,
-making sure no file descriptors are inadvertently leaked into the target.
.\" FIXME
.\" About the above, Kees Cook commented:
.\"
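Review bot: the removal of the SECCOMP_ADDFD_FLAG_SEND paragraph here, paired with its verbatim re-addition after the ".\" FIXME" comment block in the next hunk, is a relocation so that Kees Cook's comment ("About the above") sits directly under the SA_RESTART text it discusses instead of under the unrelated ADDFD paragraph. That is the right fix, but the commit subject "Minor tweaks to Rodrigo's patch" does not say so; a sentence in the commit message explaining that the paragraph was moved, not dropped, would make this hunk reviewable on its own and prevent someone reading only this hunk from thinking the SECCOMP_ADDFD_FLAG_SEND text was deleted.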
@@ -1176,6 +1170,14 @@ making sure no file descriptors are inadvertently leaked into the target.
.\" calls because it's impossible for the kernel to restart the call
.\" with the right timeout value. I wonder what happens when those
.\" system calls are restarted in the scenario we're discussing.)
+.PP
+Furthermore, if the supervisor response is a file descriptor
+added with
+.B SECCOMP_IOCTL_NOTIF_ADDFD,
+then the flag
+.B SECCOMP_ADDFD_FLAG_SEND
+can be used to atomically add the file descriptor and return that value,
+making sure no file descriptors are inadvertently leaked into the target.
.SH BUGS
If a
.BR SECCOMP_IOCTL_NOTIF_RECV
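Review bot: in the re-added line "+.B SECCOMP_IOCTL_NOTIF_ADDFD," the trailing comma is part of the .B argument and so is rendered in bold; man-pages style is ".BR SECCOMP_IOCTL_NOTIF_ADDFD ," so that only the identifier is bold, as the first hunk already does for ".BR SECCOMP_ADDFD_FLAG_SEND " (since Linux 5.14)"". Since the paragraph is being moved anyway, this is the moment to correct it. The placement itself is fine: the ".\" FIXME" block before it is a roff comment and does not render, so "Furthermore, if the supervisor response is a file descriptor" still reads as a continuation of the SA_RESTART discussion in the formatted page.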