tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Documentation: seccomp: Fix user notification documentation

The documentation had some previously incorrect information about how
userspace notifications (and responses) were handled due to a change
from a previously proposed patchset.

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Acked-by: Tycho Andersen <tycho@tycho.pizza>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210517193908.3113-2-sargun@sargun.me

authored by Sargun Dhillon and committed by Kees Cook aac90292 d07f6ca9

options
unified split
Changed files
+8 -8
Documentation
userspace-api
seccomp_filter.rst
+8 -8
Documentation/userspace-api/seccomp_filter.rst
··· 250 250 seccomp notification fd to receive a ``struct seccomp_notif``, which contains 251 251 five members: the input length of the structure, a unique-per-filter ``id``, 252 252 the ``pid`` of the task which triggered this request (which may be 0 if the 253 - task is in a pid ns not visible from the listener's pid namespace), a ``flags`` 254 - member which for now only has ``SECCOMP_NOTIF_FLAG_SIGNALED``, representing 255 - whether or not the notification is a result of a non-fatal signal, and the 256 - ``data`` passed to seccomp. Userspace can then make a decision based on this 257 - information about what to do, and ``ioctl(SECCOMP_IOCTL_NOTIF_SEND)`` a 258 - response, indicating what should be returned to userspace. The ``id`` member of 259 - ``struct seccomp_notif_resp`` should be the same ``id`` as in ``struct 260 - seccomp_notif``. 253 + task is in a pid ns not visible from the listener's pid namespace). The 254 + notification also contains the ``data`` passed to seccomp, and a filters flag. 255 + The structure should be zeroed out prior to calling the ioctl. 256 + 257 + Userspace can then make a decision based on this information about what to do, 258 + and ``ioctl(SECCOMP_IOCTL_NOTIF_SEND)`` a response, indicating what should be 259 + returned to userspace. The ``id`` member of ``struct seccomp_notif_resp`` should 260 + be the same ``id`` as in ``struct seccomp_notif``. 261 261 262 262 It is worth noting that ``struct seccomp_data`` contains the values of register 263 263 arguments to the syscall, but does not contain pointers to memory. The task's