Document the seccomp /proc interfaces added in Linux commits v4.14-rc2~15^2~10 and v4.14-rc2~15^2~8. Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx> --- man2/seccomp.2 | 36 ++++++++++++++++++++++++++++++++++++ man5/proc.5 | 7 +++++++ 2 files changed, 43 insertions(+) diff --git a/man2/seccomp.2 b/man2/seccomp.2 index a99c262..5cd28b7 100644 --- a/man2/seccomp.2 +++ b/man2/seccomp.2 @@ -490,6 +490,42 @@ ptracers can use this mechanism to escape from the seccomp sandbox.) .TP .BR SECCOMP_RET_ALLOW This value results in the system call being executed. +.SS /proc interfaces +The files in the directory +.IR /proc/sys/kernel/seccomp +provide additional seccomp information and configuration: +.TP +.IR actions_avail " (since Linux 4.14)" +.\" commit 8e5f1ad116df6b0de65eac458d5e7c318d1c05af +A read-only ordered list of seccomp filter return actions in string form. The +ordering, from left-to-right, is in decreasing order of precedence. The list +represents the set of seccomp filter return actions supported by the kernel. +.TP +.IR actions_logged " (since Linux 4.14)" +.\" commit 0ddec0fc8900201c0897b87b762b7c420436662f +A read-write ordered list of seccomp filter return actions that are allowed to +be logged. Writes to the file do not need to be in ordered form but reads from +the file will be ordered in the same way as the +.IR actions_avail +file. +.IP +It is important to note that the value of +.IR actions_logged +does not prevent certain filter return actions from being logged when the audit +subsystem is configured to audit a task. If the action is not found in the +.IR actions_logged +file, the final decision on whether to audit the action for that task is +ultimately left up to the audit subsystem to decide for all filter return +actions other than +.BR SECCOMP_RET_ALLOW . +.IP +The "allow" string is not accepted in the +.IR actions_logged +file as it is not possible to log +.BR SECCOMP_RET_ALLOW +actions. Attempting to write "allow" to the file will result in +.BR EINVAL +being returned. .SH RETURN VALUE On success, .BR seccomp () diff --git a/man5/proc.5 b/man5/proc.5 index eeba1cf..215b3d9 100644 --- a/man5/proc.5 +++ b/man5/proc.5 @@ -4720,6 +4720,13 @@ See See .BR sched (7). .TP +.IR /proc/sys/kernel/seccomp " (since Linux 4.14)" +.\" commit 8e5f1ad116df6b0de65eac458d5e7c318d1c05af +This directory provides additional seccomp information and +configuration. See +.BR seccomp (2) +for further details. +.TP .IR /proc/sys/kernel/sem " (since Linux 2.4)" This file contains 4 numbers defining limits for System V IPC semaphores. These fields are, in order: -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
