authorMichael Kerrisk <mtk.manpages@gmail.com>2020-10-29 12:19:16 +0100
committerMichael Kerrisk <mtk.manpages@gmail.com>2021-06-10 10:40:17 +1200
commit6f0ca7da712d02d5c59b8fbc66a8515b8a3f7ef3 (patch)
tree2711bc88322597642f114963b470c99adce2273f /man2
parent8a7703864cfb4c90e30d9ca9823b40dd838e218c (diff)
downloadman-pages-6f0ca7da712d02d5c59b8fbc66a8515b8a3f7ef3.tar.gz
seccomp_unotify.2: EXAMPLES: Improve comments describing checkNotificationIdIsValid()
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man2')
-rw-r--r--man2/seccomp_unotify.216
1 files changed, 10 insertions, 6 deletions
diff --git a/man2/seccomp_unotify.2 b/man2/seccomp_unotify.2
index f9053b8281..0bcabaa003 100644
--- a/man2/seccomp_unotify.2
+++ b/man2/seccomp_unotify.2
@@ -1315,11 +1315,14 @@ targetProcess(int sockPair[2], char *argv[])
}
/* Check that the notification ID provided by a SECCOMP_IOCTL_NOTIF_RECV
- operation is still valid. It will no longer be valid if the process
- has terminated. This operation can be used when accessing /proc/PID
- files in the target process in order to avoid TOCTOU race conditions
- where the PID that is returned by SECCOMP_IOCTL_NOTIF_RECV terminates
- and is reused by another process. */
+ operation is still valid. It will no longer be valid if the target
+ process has terminated or is no longer blocked in the system call that
+ generated the notification (because it was interrupted by a signal).
+
+ This operation can be used when doing such things as accessing
+ /proc/PID files in the target process in order to avoid TOCTOU race
+ conditions where the PID that is returned by SECCOMP_IOCTL_NOTIF_RECV
+ terminates and is reused by another process. */
static void
checkNotificationIdIsValid(int notifyFd, uint64_t id)
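Review bot: The rewritten comment above checkNotificationIdIsValid() does not state the ordering that makes the check useful: it only rules out PID reuse for a /proc/PID file that was already open when the check ran. The call-site comment in getTargetPathname() implies this order, but the function-level comment is the one a reader is likely to carry into their own supervisor. I would add a sentence such as `The check must be performed after the /proc/PID file has been opened; a successful result says nothing about a file opened afterwards.` Since the new text also says the ID becomes invalid when the target is interrupted by a signal, it may be worth noting that a successful check reflects only the moment of the ioctl. The function body starts outside this hunk, so whether the code itself needs any change cannot be judged from here.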
@@ -1349,7 +1352,8 @@ getTargetPathname(struct seccomp_notif *req, int notifyFd,
if (procMemFd == \-1)
errExit("\etS: open");
- /* Check that the process whose info we are accessing is still alive.
+ /* Check that the process whose info we are accessing is still alive
+ and blocked in the system call that caused the notification.
If the SECCOMP_IOCTL_NOTIF_ID_VALID operation (performed
in checkNotificationIdIsValid()) succeeds, we know that the
/proc/PID/mem file descriptor that we opened corresponds to the