[CC += Rodrigo] Hi Alex, On 7/28/21 10:19 PM, Alejandro Colomar wrote: > Signed-off-by: Alejandro Colomar <alx.manpages@xxxxxxxxx> > --- > man2/seccomp_unotify.2 | 32 +++++++++++++++++--------------- > 1 file changed, 17 insertions(+), 15 deletions(-) > > diff --git a/man2/seccomp_unotify.2 b/man2/seccomp_unotify.2 > index 9bd27214f..ae449ae36 100644 > --- a/man2/seccomp_unotify.2 > +++ b/man2/seccomp_unotify.2 > @@ -740,16 +740,18 @@ use the file descriptor number specified in the > .I newfd > field. > .TP > -.BR SECCOMP_ADDFD_FLAG_SEND > -Available since Linux 5.14, combines the > +.BR SECCOMP_ADDFD_FLAG_SEND " (since Linux 5.14)" > +Combines the > .B SECCOMP_IOCTL_NOTIF_ADDFD > ioctl with > .B SECCOMP_IOCTL_NOTIF_SEND > -into an atomic operation. On successful invocation, the target process's > -errno will be 0 and the return value will be the file descriptor number that was > -installed in the target. If allocating the file descriptor in the tatget fails, > -the target's syscall continues to be blocked until a successful response is > -sent. > +into an atomic operation. > +On successful invocation, the target process's errno will be 0 > +and the return value will be the file descriptor number > +that was installed in the target. > +If allocating the file descriptor in the tatget fails, > +the target's syscall continues to be blocked > +until a successful response is sent. > .RE > .TP > .I srcfd > @@ -1149,14 +1151,6 @@ that would > normally be restarted by the > .BR SA_RESTART > flag. > -.PP > -Furthermore, if the supervisor response is a file descriptor > -added with > -.B SECCOMP_IOCTL_NOTIF_ADDFD, > -then the flag > -.B SECCOMP_ADDFD_FLAG_SEND > -can be used to atomically add the file descriptor and return that value, > -making sure no file descriptors are inadvertently leaked into the target. > .\" FIXME > .\" About the above, Kees Cook commented: > .\" 
> @@ -1176,6 +1170,14 @@ making sure no file descriptors are inadvertently leaked into the target. > .\" calls because it's impossible for the kernel to restart the call > .\" with the right timeout value. I wonder what happens when those > .\" system calls are restarted in the scenario we're discussing.) > +.PP > +Furthermore, if the supervisor response is a file descriptor > +added with > +.B SECCOMP_IOCTL_NOTIF_ADDFD, > +then the flag > +.B SECCOMP_ADDFD_FLAG_SEND > +can be used to atomically add the file descriptor and return that value, > +making sure no file descriptors are inadvertently leaked into the target. > .SH BUGS > If a > .BR SECCOMP_IOCTL_NOTIF_RECV Good clean-ups, but still I added some fixes, as below. (The first change is just some slightly smoother wording, IMO.) Thanks, Michael diff --git a/man2/seccomp_unotify.2 b/man2/seccomp_unotify.2 index ae449ae36..b92203721 100644 --- a/man2/seccomp_unotify.2 +++ b/man2/seccomp_unotify.2 @@ -741,16 +741,19 @@ use the file descriptor number specified in the field. .TP .BR SECCOMP_ADDFD_FLAG_SEND " (since Linux 5.14)" -Combines the +.\" commit 0ae71c7720e3ae3aabd2e8a072d27f7bd173d25c +Perform the equivalent of .B SECCOMP_IOCTL_NOTIF_ADDFD -ioctl with +plus .B SECCOMP_IOCTL_NOTIF_SEND -into an atomic operation. -On successful invocation, the target process's errno will be 0 +as an atomic operation. +On successful invocation, the target process's +.I errno +will be 0 and the return value will be the file descriptor number -that was installed in the target. -If allocating the file descriptor in the tatget fails, -the target's syscall continues to be blocked +that was allocated in the target. +If allocating the file descriptor in the target fails, +the target's system call continues to be blocked until a successful response is sent. .RE .TP 
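Review bot: the reflowed "+" lines in the quoted @@ -740,16 hunk carry the existing typo over unchanged ("If allocating the file descriptor in the tatget fails,"); since the line is being rewritten anyway, correct it to "target", write "system call" rather than "syscall" to match the rest of the page, and set errno as `.I errno` on its own line instead of leaving it as plain text.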
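Review bot: the commit message is empty apart from the Signed-off-by, yet the quoted @@ -1149,14 hunk removes the whole "Furthermore, if the supervisor response is a file descriptor ..." paragraph from in front of the FIXME block; the reason for the move should be stated there. From the visible lines, the FIXME ("About the above, Kees Cook commented: ... because it's impossible for the kernel to restart the call with the right timeout value") is about system-call restarting, i.e. the SA_RESTART text that precedes it, so moving the ADDFD paragraph out of the way makes "the above" point at the right paragraph; say so in the commit message.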
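Review bot: the re-added line `.B SECCOMP_IOCTL_NOTIF_ADDFD,` in the quoted @@ -1176,6 hunk sets the trailing comma in bold; since the paragraph is being moved anyway, change it to `.BR SECCOMP_IOCTL_NOTIF_ADDFD ,` so that only the identifier is bold and the punctuation renders in roman.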
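Review bot: in the @@ -741,16 hunk the closing sentence "the target's system call continues to be blocked until a successful response is sent" is ambiguous: "successful response" can be read as a response whose val/error reports success, or as any response the SECCOMP_IOCTL_NOTIF_SEND ioctl accepts. Since the point of the sentence is that the supervisor must still answer after a failed SECCOMP_IOCTL_NOTIF_ADDFD, consider "until the supervisor sends a response" (or "until a response is successfully sent").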
@@ -1173,7 +1176,7 @@ flag. .PP Furthermore, if the supervisor response is a file descriptor added with -.B SECCOMP_IOCTL_NOTIF_ADDFD, +.BR SECCOMP_IOCTL_NOTIF_ADDFD , then the flag .B SECCOMP_ADDFD_FLAG_SEND can be used to atomically add the file descriptor and return that value, -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
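The SECCOMP_ADDFD_FLAG_SEND semantics that the two patches above document, worked through in code. This is an added example written for this page; it is not code from the man page and not part of Alejandro's or Michael's patches. Assumptions that are this example's own: the supervisor runs as a second thread inside the target process rather than in a separate process (which is how a real supervisor is normally deployed), only openat(2) is trapped, the payload string is constructed sample data, and the names install_listener, supervisor, target, run_demo and the DEMO_* status codes are local to the example. The supervisor answers the trapped call with one ioctl that both installs the file descriptor and sends the response; if that allocation fails (for instance EINVAL on a kernel before 5.14, where the flag is unknown), the target is still blocked and the code falls back to an explicit SECCOMP_IOCTL_NOTIF_SEND, which is the situation the last sentence of the SECCOMP_ADDFD_FLAG_SEND item describes.

```c
/* Added example, not code from the man page or from either patch: a seccomp
 * user-notification supervisor injecting an fd with SECCOMP_ADDFD_FLAG_SEND.
 * Assumed for brevity: the supervisor is a second thread inside the target
 * process (real ones normally live elsewhere) and only openat(2) is trapped. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef SECCOMP_ADDFD_FLAG_SEND            /* UAPI headers older than 5.14 */
#define SECCOMP_ADDFD_FLAG_SEND (1UL << 1)
#endif

enum { DEMO_OK, DEMO_UNSUPPORTED, DEMO_FAIL };
static const char payload[] = "constructed sample data from the supervisor";

/* Trap openat() with SECCOMP_RET_USER_NOTIF, allow everything else, return the
 * listener fd. (A production filter must also check seccomp_data.arch.) */
static int install_listener(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* Supervisor: take the trapped call, put the payload in a memfd and give the
 * target a duplicate, answering the call in the same (atomic) ioctl. */
static void *supervisor(void *arg)
{
    int listener = *(int *)arg, memfd;
    struct seccomp_notif req = { 0 };
    struct seccomp_notif_resp resp = { 0 };
    struct seccomp_notif_addfd addfd = { 0 };
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) == -1)
        return NULL;
    memfd = memfd_create("payload", 0);
    if (memfd != -1 && write(memfd, payload, sizeof payload) == (ssize_t)sizeof payload
        && lseek(memfd, 0, SEEK_SET) == 0) {
        addfd.id = req.id;
        addfd.flags = SECCOMP_ADDFD_FLAG_SEND;     /* install + respond at once */
        addfd.srcfd = memfd;
        addfd.newfd_flags = O_CLOEXEC;
        if (ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd) >= 0) {
            close(memfd);                          /* target owns its own copy */
            return NULL;
        }
    }
    /* Allocation failed (EINVAL before 5.14): the target is still blocked and
     * stays blocked until a response is sent, so send one explicitly. */
    resp.id = req.id;
    resp.error = -ENOSYS;
    ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
    if (memfd != -1)
        close(memfd);
    return NULL;
}

/* Target: install the filter, start the supervisor, make the trapped call and
 * check that its return value is the injected fd and that errno is still 0. */
static int target(void)
{
    int listener = install_listener();
    pthread_t tid;
    char buf[sizeof payload];
    long fd;
    if (listener == -1)
        return DEMO_UNSUPPORTED;        /* no user-notification support here */
    if (pthread_create(&tid, NULL, supervisor, &listener) != 0)
        return DEMO_FAIL;
    errno = 0;
    fd = syscall(__NR_openat, AT_FDCWD, "/dev/null", O_RDONLY);   /* trapped */
    if (fd == -1)
        return errno == ENOSYS ? DEMO_UNSUPPORTED : DEMO_FAIL;
    if (errno != 0 || read(fd, buf, sizeof buf) != (ssize_t)sizeof buf
        || memcmp(buf, payload, sizeof buf) != 0)
        return DEMO_FAIL;
    pthread_join(tid, NULL);
    return DEMO_OK;
}

/* Run the target in a child so the filter never attaches to the caller; a
 * target stuck in the kernel is killed by SIGALRM and reported as a failure. */
int run_demo(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        alarm(5);
        _exit(target());
    }
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return DEMO_FAIL;
    return WEXITSTATUS(status);
}

int main(void) { return run_demo(); }   /* 0 = ok, 1 = unsupported, 2 = fail */
```

Build with `cc -pthread demo.c`. The exit status is 0 when the target's openat() returned the supervisor's file descriptor with errno still 0 and the payload was readable through it, 1 when the kernel offers no user notification or rejects the SEND flag, and 2 on a logic failure or a hang (the child is killed by SIGALRM after five seconds). On a kernel before 5.14 the SECCOMP_IOCTL_NOTIF_ADDFD call fails with EINVAL and the target stays blocked; it is the explicit SECCOMP_IOCTL_NOTIF_SEND in the fallback path that releases it, which is why a supervisor must never treat a failed ADDFD as the end of the exchange. The filter deliberately omits the architecture check so the demo runs on any architecture; a production filter compares seccomp_data.arch before trusting nr.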