doc: Add BUGS section to seccomp_rule_add.3

Add BUGS section to seccomp_rule_add.3 and add a warning about adding a seccomp filter to syscalls that are always expected to succeed. PowerPC's glibc behaves differently from other architectures and will not return a negative number for the getpid() syscall. Fixes: #313 Acked-by: Paul Moore <[email protected]> Signed-off-by: Tom Hromatka <[email protected]>
seccomp · Aug 23, 2021 · b9a8f3d · b9a8f3d
1 parent 8b34512
commit b9a8f3d
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
@@ -424,6 +424,24 @@ The libseccomp project site, with more information and the source code
 repository, can be found at https://github.com/seccomp/libseccomp. This tool,
 as well as the libseccomp library, is currently under development, please
 report any bugs at the project site or directly to the author.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH BUGS
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The runtime behavior of seccomp filters is dependent upon the kernel
+version, the processor architecture, and other libraries including libc.
+This could affect the return code of a seccomp filter.
+
+.TP
+.B *
+PowerPC glibc will not return a negative number when the
+.B getpid()
+syscall is invoked. If a seccomp filter has been created where
+.B getpid()
+will return a negative number from the kernel, then PowerPC glibc will
+return the absolute value of the errno. In this case, it is very difficult
+for an application to distinguish between the errno and a valid pid.
+
 .\" //////////////////////////////////////////////////////////////////////////
 .SH AUTHOR
 .\" //////////////////////////////////////////////////////////////////////////