Signed-off-by: Jann Horn <jann@xxxxxxxxx> --- man2/seccomp.2 | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/man2/seccomp.2 b/man2/seccomp.2 index dc3d87d..8d36fdc 100644 --- a/man2/seccomp.2 +++ b/man2/seccomp.2 @@ -455,8 +455,13 @@ requested by changing the system call to a valid system call number. If the tracer asks to skip the system call, then the system call will appear to return the value that the tracer puts in the return value register. -The seccomp check will not be run again after the tracer is notified. -(This means that seccomp-based sandboxes +.\" This was changed in ce6526e8afa4. +.\" A related hole, using PTRACE_SYSCALL instead of SECCOMP_RET_TRACE, was +.\" changed in arch-specific commits, e.g. 93e35efb8de4 for X86 and +.\" 0f3912fd934c for ARM. +Before kernel 4.8, the seccomp check will not be run again after the tracer is +notified. +(This means that, on older kernels, seccomp-based sandboxes .B "must not" allow use of .BR ptrace (2)\(emeven -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
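Review bot: the tense in the new sentence "Before kernel 4.8, the seccomp check will not be run again after the tracer is notified" reads oddly; since it now describes past behaviour, "Before Linux 4.8, the seccomp check was not run again after the tracer was notified" fits the man-pages convention of naming the version and using past tense. The hunk also only states what older kernels did and leaves the reader to infer the current behaviour from the `.\" This was changed in ce6526e8afa4` comment, so a follow-on sentence such as "Since Linux 4.8, the seccomp check is run again after the tracer returns" would make the current behaviour explicit, and the point about PTRACE_SYSCALL (commits 93e35efb8de4 for x86 and 0f3912fd934c for ARM) might belong in the visible text rather than only in a source comment, since it affects the same "must not allow ptrace" guidance that follows.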