On 03/01/2016 11:10 AM, Vincent Bernat wrote:
>  ❦  1 mars 2016 11:03 +0100, "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> :
>
>>        Once the SO_LOCK_FILTER option has been enabled,
>>        attempts by an unprivileged process to change or remove
>>        the filter attached to a socket, or to disable the
>>        SO_LOCK_FILTER option will fail with the error EPERM.
>
> You should remove "unprivileged". I didn't try to check for permissions
> because I was just lazy (and I didn't have a need for it). As root, you
> can just recreate another socket.

Bother. That's what I meant to do, and then I omitted to do it! Done now.
And thanks for catching that, Vincent.

Revised text below, with another query.

       SO_LOCK_FILTER
              When set, this option will prevent changing the filters
              associated with the socket. These filters include any set
              using the socket options SO_ATTACH_FILTER, SO_ATTACH_BPF,
              SO_ATTACH_REUSEPORT_CBPF and SO_ATTACH_REUSEPORT_EBPF.

              The typical use case is for a privileged process to set up
              a socket with restrictive filters, set SO_LOCK_FILTER, and
              then either drop its privileges or pass the socket file
              descriptor to an unprivileged process.

              Once the SO_LOCK_FILTER option has been enabled, attempts
              to change or remove the filter attached to a socket, or to
              disable the SO_LOCK_FILTER option will fail with the error
              EPERM.

I think the second paragraph should probably drop mention of
privileges, right? In fact, maybe just drop the paragraph altogether?

Cheers,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/