Adds documentation describing the SECCOMP_RET_INFO return value. Signed-off-by: Corey Bryant <cor...@linux.vnet.ibm.com> --- Documentation/prctl/seccomp_filter.txt | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/prctl/seccomp_filter.txt index 1e469ef..ffddf9f 100644 --- a/Documentation/prctl/seccomp_filter.txt +++ b/Documentation/prctl/seccomp_filter.txt @@ -49,6 +49,7 @@ CONFIG_HAVE_ARCH_SECCOMP_FILTER, then filters may be added as below: PR_SET_SECCOMP: Now takes an additional argument which specifies a new filter using a BPF program. + The BPF program will be executed over struct seccomp_data reflecting the system call number, arguments, and other metadata. The BPF program must then return one of the @@ -138,6 +139,12 @@ SECCOMP_RET_TRACE: allow use of ptrace, even of other sandboxed processes, without extreme care; ptracers can use this mechanism to escape.) +SECCOMP_RET_INFO: + Results in a rate-limited informational kernel message that + includes the system call number, and the system call is + executed. The message format is: + "seccomp: syscall=x", where x is the system call number. + SECCOMP_RET_ALLOW: Results in the system call being executed. -- 1.7.11.7
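Review bot: The first hunk (@@ -49,6 +49,7 @@) adds only an empty line after "a new filter using a BPF program.", which is unrelated to documenting SECCOMP_RET_INFO and is not mentioned in the commit message. Drop it from this patch or send it as a separate whitespace cleanup, so that the 7 insertions in the diffstat are all documentation for the new return value.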
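Review bot: In the SECCOMP_RET_INFO hunk, the documented message format "seccomp: syscall=x" carries only the system call number, with nothing to tell a log reader which task or architecture the number belongs to. System call numbers are architecture-specific, so the entry should either document any further fields the message carries or state explicitly that there are none, and it should say whether x is printed in decimal or hexadecimal. Because the text describes the message as rate-limited, also add a sentence saying that messages can be dropped under load, so the log is a hint for building a filter and not a complete record of the calls that returned this value.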