[PATCH 3/3] Documentation/prctl/seccomp_filter.txt: document extensions

From: Will Drewry
Date: Mon Jan 13 2014 - 17:46:10 EST


(missed this on the first run)

Add an entry for the PR_SECCOMP_EXT entry point and the
only existing consumer, SECCOMP_EXT_ACT_TSYNC.

Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx>
---
Documentation/prctl/seccomp_filter.txt | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/prctl/seccomp_filter.txt
index 1e469ef..b296701 100644
--- a/Documentation/prctl/seccomp_filter.txt
+++ b/Documentation/prctl/seccomp_filter.txt
@@ -166,10 +166,36 @@ The samples/seccomp/ directory contains both an x86-specific example
and a more generic example of a higher level macro interface for BPF
program generation.

+Extensions
+----------
+
+SECCOMP_MODE_FILTER supports an additional entry point for accessing
+extended behavior through prctl(PR_SECCOMP_EXT). Only one extension
+exists today:
+
+SECCOMP_EXT_ACT_TSYNC:
+ If the calling task is running under SECCOMP_MODE_FILTER, it
+ may call prctl() to synchronize the seccomp filter of its
+ threads. As seccomp behavior is per-task, any thread under
+ SECCOMP_MODE_STRICT will be unaffected, as will any thread
+ under SECCOMP_MODE_FILTER that does not have a filter that is
+ in the filter tree ancestry for the caller. Any threads that
+ are in SECCOMP_MODE_NONE will be transitioned to
+ SECCOMP_MODE_FILTER if possible.
+
+ Usage:
+ prctl(PR_SECCOMP_EXT, SECCOMP_EXT_ACT_TSYNC, 0, 0);
+
+ If any threads cannot be transitioned, the call will return one
+ of the process ids. All other threads will have been transitioned.
+ A return value of 0 indicates success. On a negative return value,
+ the errno will be populated appropriately:
+ EINVAL indicates invalid arguments.
+ EACCES indicates invalid seccomp mode.


Adding architecture support
------------------------
+---------------------------

See arch/Kconfig for the authoritative requirements. In general, if an
architecture supports both ptrace_event and seccomp, it will be able to
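Review bot: the return-value contract in the new SECCOMP_EXT_ACT_TSYNC text (lines "If any threads cannot be transitioned ... EACCES indicates invalid seccomp mode.") is ambiguous on two points a caller needs. First, the paragraph above says threads in SECCOMP_MODE_STRICT, and FILTER-mode threads whose filter is not in the caller's ancestry, "will be unaffected", while the usage text says a thread that "cannot be transitioned" makes the call return "one of the process ids"; the document should state whether those unaffected threads are what triggers the non-zero return, and should call the returned value a thread id rather than a process id, since the text is about threads. Second, "All other threads will have been transitioned" means the operation is not all-or-nothing; please say explicitly that a non-zero return leaves the process partially synchronized, so a caller that depends on every thread being filtered must treat it as a failure to handle rather than retry blindly. It would also help to give the condition hidden behind "transitioned to SECCOMP_MODE_FILTER if possible" and to note that the trailing `0, 0` arguments are currently unused, so the reader knows they are reserved rather than meaningful.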
--
1.7.9.5
