Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFE: clarify syscall number rewriting #43

Closed
wants to merge 1 commit into from
Closed

RFE: clarify syscall number rewriting #43

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions doc/man/man3/seccomp_rule_add.3
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,8 +53,8 @@ functions all add a new filter rule to the current seccomp filter. The
and
.BR seccomp_rule_add_array ()
functions will make a "best effort" to add the rule as specified, but may alter
the rule slightly due to architecture specifics, e.g. socket and ipc functions
on x86. The
the rule slightly due to architecture specifics (e.g. internal rewriting of
multiplexed syscalls, like socket and ipc functions on x86). The
.BR seccomp_rule_add_exact ()
and
.BR seccomp_rule_add_exact_array ()
Expand Down Expand Up @@ -291,5 +291,6 @@ Paul Moore <[email protected]>
.\" //////////////////////////////////////////////////////////////////////////
.SH SEE ALSO
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_syscall_resolve_name_rewrite (3),
.BR seccomp_syscall_priority (3),
.BR seccomp_load (3)
13 changes: 12 additions & 1 deletion doc/man/man3/seccomp_syscall_resolve_name.3
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,9 @@ and
functions resolve the commonly used syscall name to the syscall number used by
the kernel and the rest of the libseccomp API, with
.BR seccomp_syscall_resolve_name_rewrite()
rewriting the syscall number for architectures that modify the syscall. The
rewriting the syscall number for architectures that modify the syscall. Syscall
rewriting typically happens in case of a multiplexed syscall, like socketcall(2)
or ipc(2) on x86.
.BR seccomp_syscall_resolve_num_arch()
function resolves the syscall number used by the kernel to the commonly used
syscall name.
Expand Down Expand Up @@ -100,6 +102,15 @@ out:
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
In case of bare syscalls implemented on top of a multiplexed syscall,
.BR seccomp_syscall_resolve_name()
and
.BR seccomp_syscall_resolve_name_arch()
can be used to verify if a (bare) syscall is implemented for a specific
architecture, while
.BR seccomp_syscall_resolve_name_rewrite()
can be used to determine the underlying (multiplexed) syscall.
.P
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
Expand Down