# Russian translation of manpages
# This file is distributed under the same license as the manpages-l10n package.
# Copyright © of this file:
# Alexander Golubev , 2018.
# Azamat Hackimov , 2011, 2014-2016.
# Hotellook, 2014.
# Nikita , 2014.
# Spiros Georgaras , 2016.
# Vladislav , 2015.
# Yuri Kozlov , 2011-2019.
# Иван Павлов , 2017.
msgid ""
msgstr ""
"Project-Id-Version: manpages-l10n\n"
"POT-Creation-Date: 2024-06-01 06:20+0200\n"
"PO-Revision-Date: 2019-10-15 18:55+0300\n"
"Last-Translator: Yuri Kozlov \n"
"Language-Team: Russian \n"
"Language: ru\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=4; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
"%10<=4 && (n%100<12 || n%100>14) ? 1 : n%10==0 || (n%10>=5 && n%10<=9) || (n"
"%100>=11 && n%100<=14)? 2 : 3);\n"
"X-Generator: Lokalize 2.0\n"

#. type: TH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "seccomp"
msgstr "seccomp"

#. type: TH
#: archlinux debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "2024-05-02"
msgstr "2 мая 2024 г."

#. type: TH
#: archlinux debian-unstable
#, fuzzy, no-wrap
#| msgid "Linux man-pages 6.7"
msgid "Linux man-pages 6.8"
msgstr "Linux man-pages 6.7"

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NAME"
msgstr "ИМЯ"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "seccomp - operate on Secure Computing state of the process"
msgstr "seccomp - переводит процесс в состояние безопасных вычислений"

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "LIBRARY"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Standard C library (I, I<-lc>)"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SYNOPSIS"
msgstr "СИНТАКСИС"

#. Kees Cook noted: Anything that uses SECCOMP_RET_TRACE returns will
#. need
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"B<#include Elinux/seccomp.hE> /* Definition of B constants */\n"
"B<#include Elinux/filter.hE> /* Definition of B */\n"
"B<#include Elinux/audit.hE> /* Definition of B constants */\n"
"B<#include Elinux/signal.hE> /* Definition of B constants */\n"
"B<#include Esys/ptrace.hE> /* Definition of B constants */\n"
"B<#include Esys/syscall.hE> /* Definition of B constants */\n"
"B<#include Eunistd.hE>\n"
msgstr ""
"B<#include Elinux/seccomp.hE> /* определения констант B */\n"
"B<#include Elinux/filter.hE> /* определения B */\n"
"B<#include Elinux/audit.hE> /* определения констант B */\n"
"B<#include Elinux/signal.hE> /* определения констант B */\n"
"B<#include Esys/ptrace.hE> /* определения констант B */\n"
"B<#include Esys/syscall.hE> /* определения констант B */\n"
"B<#include Eunistd.hE>\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"BIB<, unsigned int >IB<,>\n"
"B< void *>IB<);>\n"
msgstr ""
"BIB<, unsigned int >IB<,>\n"
"B< void *>IB<);>\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I: glibc provides no wrapper for B(), necessitating the use "
"of B(2)."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "DESCRIPTION"
msgstr "ОПИСАНИЕ"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B() system call operates on the Secure Computing (seccomp) "
"state of the calling process."
msgstr ""
"Системный вызов B() переводит вызвавший процесс в состояние "
"безопасных вычислений (Secure Computing, seccomp)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Currently, Linux supports the following I values:"
msgstr ""
"В настоящее время в Linux поддерживаются следующие значения I:"

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "The only system calls that the calling thread is permitted to make are "
#| "B(2), B(2), B<_exit>(2) (but not B(2)), and "
#| "B(2). Other system calls result in the delivery of a "
#| "B signal. Strict secure computing mode is useful for number-"
#| "crunching applications that may need to execute untrusted byte code, "
#| "perhaps obtained by reading from a pipe or socket."
msgid ""
"The only system calls that the calling thread is permitted to make are "
"B(2), B(2), B<_exit>(2) (but not B(2)), and "
"B(2). Other system calls result in the termination of the "
"calling thread, or termination of the entire process with the B "
"signal when there is only one thread. Strict secure computing mode is "
"useful for number-crunching applications that may need to execute untrusted "
"byte code, perhaps obtained by reading from a pipe or socket."
msgstr ""
"Вызвавшей нити доступны только системные вызовы B(2), B(2), "
"B<_exit>(2) (но не B(2)) и B(2). При запуске других "
"системных вызовов генерируется сигнал B. Строгий режим безопасных "
"вычислений полезен для вычислительных приложений, которым может "
"потребоваться выполнить недоверительный байт-код, возможно полученный при "
"чтении из канала или сокета."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note that although the calling thread can no longer call B(2), "
"it can use B(2) to block all signals apart from B and "
"B. This means that B(2) (for example) is not sufficient "
"for restricting the process's execution time. Instead, to reliably "
"terminate the process, B must be used. This can be done by using "
"B(2) with B and I set to "
"B, or by using B(2) to set the hard limit for "
"B."
msgstr ""
"Заметим, что хотя вызывающая нить больше не вызывает B(2), она "
"может использовать B(2) для блокировки всех сигналов (кроме "
"B и B). Это означает, что B(2) (например) "
"недостаточно для ограничения времени выполнения процесса. Вместо него для "
"надёжного завершения процесса нужно использовать B. Это можно "
"сделать с помощью B(2) с B и I "
"равным B, или используя B(2) для задания жёсткого "
"ограничения по B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This operation is available only if the kernel is configured with "
"B enabled."
msgstr ""
"Эта операция доступна только, если в ядре включён параметр B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The value of I must be 0, and I must be NULL."
msgstr "Значение I должно быть равно 0, а I — NULL."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "This operation is functionally identical to the call:"
msgstr "Эта операция функционально идентична вызову:"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);\n"
msgstr "prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);\n"

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "The system calls allowed are defined by a pointer to a Berkeley Packet "
#| "Filter (BPF) passed via I. This argument is a pointer to a I; it can be designed to filter arbitrary system calls and "
#| "system call arguments. If the filter is invalid, B() fails, "
#| "returning B in I."
msgid ""
"The system calls allowed are defined by a pointer to a Berkeley Packet "
"Filter (BPF) passed via I. This argument is a pointer to a I; it can be designed to filter arbitrary system calls and system "
"call arguments. If the filter is invalid, B() fails, returning "
"B in I."
msgstr ""
"Разрешённые системные вызовы определяются указателем на Berkeley Packet "
"Filter (BPF), передаваемый через I. Данный аргумент является "
"указателем на I; эту структуру можно использовать для "
"отбора произвольных системных вызовов и их аргументов. Если фильтр "
"некорректен, то B() завершается с ошибкой B в I."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If B(2) or B(2) is allowed by the filter, any child processes "
"will be constrained to the same system call filters as the parent. If "
"B(2) is allowed, the existing filters will be preserved across a "
"call to B(2)."
msgstr ""
"Если фильтром разрешён B(2) или B(2), то все потомки будут "
"ограничены тем же фильтром системных вызовов что и родитель. Если разрешён "
"B(2), то существующий фильтр сохраняется и после вызова B(2)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In order to use the B operation, either the calling "
"thread must have the B capability in its user namespace, or "
"the thread must already have the I bit set. If that bit was "
"not already set by an ancestor of this thread, the thread must make the "
"following call:"
msgstr ""
"Чтобы использовать операцию B вызывающая нить "
"должна иметь мандат B в своём пространстве имён пользователя "
"или у нити уже должен быть установлен бит I. Если этот бит не "
"установлен предком этой нити, то в нити нужно сделать следующий вызов:"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "prctl(PR_SET_NO_NEW_PRIVS, 1);\n"
msgstr "prctl(PR_SET_NO_NEW_PRIVS, 1);\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Otherwise, the B operation fails and returns "
"B in I. This requirement ensures that an unprivileged "
"process cannot apply a malicious filter and then invoke a set-user-ID or "
"other privileged program using B(2), thus potentially compromising "
"that program. (Such a malicious filter might, for example, cause an attempt "
"to use B(2) to set the caller's user IDs to nonzero values to "
"instead return 0 without actually making the system call. Thus, the program "
"might be tricked into retaining superuser privileges in circumstances where "
"it is possible to influence it to do dangerous things because it did not "
"actually drop privileges.)"
msgstr ""
"В противном случае операция B завершается ошибкой и "
"возвращает B в I. Данное требование гарантирует, что "
"непривилегированный процесс не сможет применить вредоносный фильтр и вызвать "
"программу с set-user-ID или другую привилегированную программу с помощью "
"B(2), то есть потенциально подвергнуть эту программу опасности "
"(такой вредоносный фильтр может, например, заставить попытаться использовать "
"B(2) для установки ID вызывающего пользователя в ненулевые значения "
"вместо возврата 0 без действительного запуска системного вызова. Таким "
"образом, программа может быть обманута и остаться с правами "
"суперпользователя в окружении, где возможно заставить её сделать что-то "
"опасное, так как в действительности она не отказалась от своих прав)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If B(2) or B() is allowed by the attached filter, further "
"filters may be added. This will increase evaluation time, but allows for "
"further reduction of the attack surface during execution of a thread."
msgstr ""
"Если B(2) или B() разрешены присоединённым фильтром, то "
"могут быть добавлены дополнительные фильтры. Это увеличит время вычисления, "
"но в дальнейшем позволит сократить область атаки при выполнении нити."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B operation is available only if the kernel is "
"configured with B enabled."
msgstr ""
"Операция B доступна только, если в ядре включён "
"параметр B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When I is 0, this operation is functionally identical to the call:"
msgstr ""
"Если значение I равно 0, то эта операция функционально идентична "
"вызову:"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);\n"
msgstr "prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The recognized I are:"
msgstr "Возможные значения I:"

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (since Linux 4.14)"
msgstr "B (начиная с Linux 4.14)"

#. commit e66a39977985b1e69e17c4042cb290768eca9b02
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"All filter return actions except B should be logged. An "
"administrator may override this filter flag by preventing specific actions "
"from being logged via the I file."
msgstr ""
"Все фильтры, возвращающие действия, кроме B, должны "
"протоколироваться. Администратор может заменить этот флаг фильтров, "
"предварительно запретив протоколировать определённые действия через файл I."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (since Linux 5.0)"
msgstr "B (начиная с Linux 5.0)"

#. commit 6a21cc50f0c7f87dae5259f6cfefe024412313f6
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"After successfully installing the filter program, return a new user-space "
"notification file descriptor. (The close-on-exec flag is set for the file "
"descriptor.) When the filter returns B a "
"notification will be sent to this file descriptor."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"At most one seccomp filter using the B "
"flag can be installed for a thread."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid "Do not block on I/O; see B(2) for further details."
msgid "See B(2) for further details."
msgstr "Не блокировать ввод-вывод; подробности в B(2)."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (since Linux 4.17)"
msgstr "B (начиная с Linux 4.17)"

#. commit 00a02d0c502a06d15e07b857f8ff921e3e402675
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Disable Speculative Store Bypass mitigation."
msgstr "Выключить недопущение Speculative Store Bypass."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When adding a new filter, synchronize all other threads of the calling "
"process to the same seccomp filter tree. A \"filter tree\" is the ordered "
"list of filters attached to a thread. (Attaching identical filters in "
"separate B() calls results in different filters from this "
"perspective.)"
msgstr ""
"При добавлении нового фильтра, выполнять синхронизацию с одним деревом "
"фильтров seccomp все нити вызывающего процесса. «Дерево фильтров» — "
"упорядоченный список фильтров, присоединённых к нити (присоединённые "
"одинаковые фильтры отдельными вызовами B() считаются разными "
"фильтрами, с этой точки зрения)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If any thread cannot synchronize to the same filter tree, the call will not "
"attach the new seccomp filter, and will fail, returning the first thread ID "
"found that cannot synchronize. Synchronization will fail if another thread "
"in the same process is in B or if it has attached new "
"seccomp filters to itself, diverging from the calling thread's filter tree."
msgstr ""
"Если в какой-то нити невозможна синхронизация с единым деревом фильтров, то "
"вызов не присоединит новый фильтр seccomp, и завершится с ошибкой, вернув ID "
"первой обнаруженной нити, для которой синхронизация невозможна. "
"Синхронизации не получится, если другая нить того же процесса находится в "
"B, или если она присоединила новые фильтры seccomp к "
"самой себе, отличающиеся от дерева фильтров вызывающей нити."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (since Linux 4.14)"
msgstr "B (начиная с Linux 4.14)"

#. commit d612b1fd8010d0d67b5287fe146b8b55bcbb8655
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Test to see if an action is supported by the kernel. This operation is "
"helpful to confirm that the kernel knows of a more recently added filter "
"return action since the kernel treats all unknown actions as "
"B."
msgstr ""
"Проверить, поддерживается ли действие ядром. Данная операция помогает "
"убедиться, что ядро знает о самых последних добавленных фильтрах, "
"возвращающих действие, так как ядро считает все неизвестные действия как "
"B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The value of I must be 0, and I must be a pointer to an "
"unsigned 32-bit filter return action."
msgstr ""
"Значение I должно быть равно 0, а I должно быть указателем на "
"беззнаковый 32-битный фильтр, возвращающих действие."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (since Linux 5.0)"
msgstr "B (начиная с Linux 5.0)"

#. commit 6a21cc50f0c7f87dae5259f6cfefe024412313f6
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Get the sizes of the seccomp user-space notification structures. Since "
"these structures may evolve and grow over time, this command can be used to "
"determine how much memory to allocate for sending and receiving "
"notifications."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "The value of I must be 0, and I must be a pointer to an "
#| "unsigned 32-bit filter return action."
msgid ""
"The value of I must be 0, and I must be a pointer to a I, which has the following form:"
msgstr ""
"Значение I должно быть равно 0, а I должно быть указателем на "
"беззнаковый 32-битный фильтр, возвращающих действие."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct seccomp_notif_sizes\n"
" __u16 seccomp_notif; /* Size of notification structure */\n"
" __u16 seccomp_notif_resp; /* Size of response structure */\n"
" __u16 seccomp_data; /* Size of \\[aq]struct seccomp_data\\[aq] */\n"
"};\n"
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Filters"
msgstr "Фильтры"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When adding filters via B, I points to a "
"filter program:"
msgstr ""
"При добавлении фильтров посредством B, значение "
"I указывает на программу фильтрации:"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct sock_fprog {\n"
" unsigned short len; /* Number of BPF instructions */\n"
" struct sock_filter *filter; /* Pointer to array of\n"
" BPF instructions */\n"
"};\n"
msgstr ""
"struct sock_fprog {\n"
" unsigned short len; /* количество инструкций BPF */\n"
" struct sock_filter *filter; /* указатель на массив\n"
" инструкций BPF */\n"
"};\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Each program must contain one or more BPF instructions:"
msgstr "В каждой программе должно быть не менее одной инструкции BPF:"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct sock_filter { /* Filter block */\n"
" __u16 code; /* Actual filter code */\n"
" __u8 jt; /* Jump true */\n"
" __u8 jf; /* Jump false */\n"
" __u32 k; /* Generic multiuse field */\n"
"};\n"
msgstr ""
"struct sock_filter { /* блок фильтрации */\n"
" __u16 code; /* действительный код фильтра */\n"
" __u8 jt; /* переход при совпадении */\n"
" __u8 jf; /* переход при несовпадении */\n"
" __u32 k; /* общее поле для различных целей */\n"
"};\n"

#. Quoting Kees Cook:
#. If BPF even allows changing the data, it's not copied back to
#. the syscall when it runs. Anything wanting to do things like
#. that would need to use ptrace to catch the call and directly
#. modify the registers before continuing with the call.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When executing the instructions, the BPF program operates on the system call "
"information made available (i.e., use the B addressing mode) as a "
"(read-only) buffer of the following form:"
msgstr ""
"При выполнении инструкций информация о системном вызове (когда используется "
"режим адресации B) программе BPF доступна из буфера (только для "
"чтения) в виде:"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct seccomp_data {\n"
" int nr; /* System call number */\n"
" __u32 arch; /* AUDIT_ARCH_* value\n"
" (see Elinux/audit.hE) */\n"
" __u64 instruction_pointer; /* CPU instruction pointer */\n"
" __u64 args[6]; /* Up to 6 system call arguments */\n"
"};\n"
msgstr ""
"struct seccomp_data {\n"
" int nr; /* номер системного вызова */\n"
" __u32 arch; /* значение AUDIT_ARCH_* \n"
" (смотрите Elinux/audit.hE) */\n"
" __u64 instruction_pointer; /* указатель на инструкцию ЦП */\n"
" __u64 args[6]; /* до 6 аргументов системного вызова */\n"
"};\n"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Because numbering of system calls varies between architectures and some "
"architectures (e.g., x86-64) allow user-space code to use the calling "
"conventions of multiple architectures (and the convention being used may "
"vary over the life of a process that uses B(2) to execute binaries "
"that employ the different conventions), it is usually necessary to verify "
"the value of the I field."
msgstr ""
"Так как количество системных вызовов различно на разных архитектурах и "
"некоторые архитектуры (например, x86-64) позволяют коду в пользовательском "
"пространстве использовать соглашения о вызовах нескольких архитектур (и "
"используемое соглашение может меняться на протяжении выполнения процесса, "
"если он использует B(2) для запуска выполняемых файлов, которые "
"задействуют другие соглашения), то, обычно, необходимо проверять значение "
"поля I."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "It is strongly recommended to use a whitelisting approach whenever "
#| "possible because such an approach is more robust and simple. A blacklist "
#| "will have to be updated whenever a potentially dangerous system call is "
#| "added (or a dangerous flag or option if those are blacklisted), and it is "
#| "often possible to alter the representation of a value without altering "
#| "its meaning, leading to a blacklist bypass. See also I below."
msgid ""
"It is strongly recommended to use an allow-list approach whenever possible "
"because such an approach is more robust and simple. A deny-list will have "
"to be updated whenever a potentially dangerous system call is added (or a "
"dangerous flag or option if those are deny-listed), and it is often possible "
"to alter the representation of a value without altering its meaning, leading "
"to a deny-list bypass. See also I below."
msgstr ""
"Настоятельно рекомендуется использовать подход белого списка, когда это "
"возможно, потому что такой подход более устойчив и прост. Черный список "
"нужно будет обновлять каждый раз, когда добавляется потенциально опасный "
"системный вызов (или опасный флаг или параметр, если они помещены в черный "
"список), и это часто возможно изменит представление значения, не изменяя его "
"смысла, что приведёт к обходу черного списка. Также смотрите I<ЗАМЕЧАНИЯ> "
"ниже."

#. As noted by Dave Drysdale in a note at the end of
#. https://lwn.net/Articles/604515/
#. One additional detail to point out for the x32 ABI case:
#. the syscall number gets a high bit set (__X32_SYSCALL_BIT),
#. to mark it as an x32 call.
#. If x32 support is included in the kernel, then __SYSCALL_MASK
#. will have a value that is not all-ones, and this will trigger
#. an extra instruction in system_call to mask off the extra bit,
#. so that the syscall table indexing still works.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I field is not unique for all calling conventions. The x86-64 ABI "
"and the x32 ABI both use B as I, and they run on "
"the same processors. Instead, the mask B<__X32_SYSCALL_BIT> is used on the "
"system call number to tell the two ABIs apart."
msgstr ""
"Поле I не уникально для всех соглашений о вызовах. В x86-64 ABI и x32 "
"ABI в I используется B, и они запускаются на одних "
"и тех же процессорах. Чтобы отличать один ABI от другого используется маска "
"B<__X32_SYSCALL_BIT> с номером системного вызова."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This means that a policy must either deny all syscalls with "
"B<__X32_SYSCALL_BIT> or it must recognize syscalls with and without "
"B<__X32_SYSCALL_BIT> set. A list of system calls to be denied based on "
"I that does not also contain I values with B<__X32_SYSCALL_BIT> set "
"can be bypassed by a malicious program that sets B<__X32_SYSCALL_BIT>."
msgstr ""

#. commit 6365b842aae4490ebfafadfc6bb27a6d3cc54757
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Additionally, kernels prior to Linux 5.4 incorrectly permitted I in the "
"ranges 512-547 as well as the corresponding non-x32 syscalls ORed with "
"B<__X32_SYSCALL_BIT>. For example, I == 521 and I == (101 | "
"B<__X32_SYSCALL_BIT>) would result in invocations of B(2) with "
"potentially confused x32-vs-x86_64 semantics in the kernel. Policies "
"intended to work on kernels before Linux 5.4 must ensure that they deny or "
"otherwise correctly handle these system calls. On Linux 5.4 and newer, such "
"system calls will fail with the error B, without doing anything."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I field provides the address of the machine-"
"language instruction that performed the system call. This might be useful "
"in conjunction with the use of IpidI to perform checks based "
"on which region (mapping) of the program made the system call. (Probably, "
"it is wise to lock down the B(2) and B(2) system calls to "
"prevent the program from subverting such checks.)"
msgstr ""
"В поле I содержится адрес инструкции машинного языка, "
"который запускает системный вызов. Это может быть полезно вместе с IpidI для выполнения проверок из какой области (отображение) "
"программы делается системный вызов (вероятно, стоит блокировать системные "
"вызовы B(2) и B(2) для запрета программе удалять такие "
"проверки)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "When checking values from I against a blacklist, keep in mind that "
#| "arguments are often silently truncated before being processed, but after "
#| "the seccomp check. For example, this happens if the i386 ABI is used on "
#| "an x86-64 kernel: although the kernel will normally not look beyond the "
#| "32 lowest bits of the arguments, the values of the full 64-bit registers "
#| "will be present in the seccomp data. A less surprising example is that "
#| "if the x86-64 ABI is used to perform a system call that takes an argument "
#| "of type I, the more-significant half of the argument register is "
#| "ignored by the system call, but visible in the seccomp data."
msgid ""
"When checking values from I, keep in mind that arguments are often "
"silently truncated before being processed, but after the seccomp check. For "
"example, this happens if the i386 ABI is used on an x86-64 kernel: although "
"the kernel will normally not look beyond the 32 lowest bits of the "
"arguments, the values of the full 64-bit registers will be present in the "
"seccomp data. A less surprising example is that if the x86-64 ABI is used "
"to perform a system call that takes an argument of type I, the more-"
"significant half of the argument register is ignored by the system call, but "
"visible in the seccomp data."
msgstr ""
"При проверке значений из I по чёрному списку имейте в виду, что часто "
"аргументы просто обрезаются до обработки, но после проверки seccomp. "
"Например, это случается, если на ядре x86-64 используется i386 ABI: хотя "
"ядро, обычно, не смотрит дальше 32 младших бит аргументов, в данные seccomp "
"попадут значения полных 64-битных регистров. Менее удивительный пример: если "
"для выполнения системного вызова с аргументом типа I используется "
"x86-64 ABI, то старшая половина регистра аргумента игнорируется системным "
"вызовом, но видима в данных seccomp."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A seccomp filter returns a 32-bit value consisting of two parts: the most "
"significant 16 bits (corresponding to the mask defined by the constant "
"B) contain one of the \"action\" values listed "
"below; the least significant 16-bits (defined by the constant "
"B) are \"data\" to be associated with this return value."
msgstr ""
"Фильтр seccomp возвращает 32-битное значение, состоящее из двух частей: в "
"старших 16 битах (соответствует маске, определяемой константой "
"B) содержится одно из значений «действие», "
"перечисленных далее; в младших 16 битах (определяется константой "
"B) содержатся «данные», связанные с возвращаемым значением."

#. From an Aug 2015 conversation with Kees Cook where I asked why *all*
#. filters are applied even if one of the early filters returns
#. SECCOMP_RET_KILL:
#. It's just because it would be an optimization that would only speed up
#. the RET_KILL case, but it's the uncommon one and the one that doesn't
#. benefit meaningfully from such a change (you need to kill the process
#. really quickly?). We would speed up killing a program at the (albeit
#. tiny) expense to all other filtered programs. Best to keep the filter
#. execution logic clear, simple, and as fast as possible for all
#. filters.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "If multiple filters exist, they are I executed, in reverse order of "
#| "their addition to the filter tree\\(emthat is, the most recently "
#| "installed filter is executed first. (Note that all filters will be "
#| "called even if one of the earlier filters returns B. "
#| "This is done to simplify the kernel code and to provide a tiny speed-up "
#| "in the execution of sets of filters by avoiding a check for this uncommon "
#| "case.) The return value for the evaluation of a given system call is the "
#| "first-seen action value of highest precedence (along with its "
#| "accompanying data) returned by execution of all of the filters."
msgid ""
"If multiple filters exist, they are I executed, in reverse order of "
"their addition to the filter tree\\[em]that is, the most recently installed "
"filter is executed first. (Note that all filters will be called even if one "
"of the earlier filters returns B. This is done to "
"simplify the kernel code and to provide a tiny speed-up in the execution of "
"sets of filters by avoiding a check for this uncommon case.) The return "
"value for the evaluation of a given system call is the first-seen action "
"value of highest precedence (along with its accompanying data) returned by "
"execution of all of the filters."
msgstr ""
"Если существует несколько фильтров, то I<все> они выполняются в обратном "
"порядке их добавления в дерево фильтров — то есть последние добавленные "
"выполняются первыми (заметим, что все фильтры будут вызваны даже, если ранее "
"выполнявшиеся фильтры вернули B. Это сделано для простоты "
"кода ядра и предоставления крошечного ускорения выполнения набора фильтров, "
"так как не выполняется проверка этого редкого случая). Возвращаемое значение "
"для вычисления данного системного вызова —первое встреченного значение "
"действия наивысшего приоритета (вместе с сопутствующими ему данными), "
"возвращаемое выполнением всех фильтров."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In decreasing order of precedence, the action values that may be returned by "
"a seccomp filter are:"
msgstr ""
"Значения действий, которые могут возвращаться фильтром seccomp (в порядке "
"уменьшения приоритета):"

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (since Linux 4.14)"
msgstr "B (начиная с Linux 4.14)"

#. commit 4d3b0b05aae9ee9ce0970dc4cc0fb3fad5e85945
#. commit 0466bdb99e8744bc9befa8d62a317f0fd7fd7421
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in immediate termination of the process, with a core "
"dump. The system call is not executed. By contrast with "
"B below, all threads in the thread group are "
"terminated. (For a discussion of thread groups, see the description of the "
"B flag in B(2).)"
msgstr ""
"Это значение возвращается при немедленном завершении процесса с образованием "
"дампа. Системный вызов не выполняется. По сравнению с "
"B, описанном далее, завершаются все нити в группе "
"нитей (группы нитей представлены в описании B в B(2))."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The process terminates I killed by a B signal. Even if a "
"signal handler has been registered for B, the handler will be "
"ignored in this case and the process always terminates. To a parent process "
"that is waiting on this process (using B(2) or similar), the "
"returned I will indicate that its child was terminated as though by "
"a B signal."
msgstr ""
"Процесс завершается I<думая>, что убит сигналом B. Даже если "
"обработчик сигнала B был зарегистрирован, в этом случае он будет "
"проигнорирован и процесс всегда прекращает выполнение. Родительскому "
"процессу, который ждёт этот процесс (с помощью B(2) или подобного "
"вызова) возвращается I, который будет показывать, что потомок "
"завершился по сигналу B."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (or B)"
msgstr "B (или B)"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in immediate termination of the thread that made the "
"system call. The system call is not executed. Other threads in the same "
"thread group will continue to execute."
msgstr ""
"Это значение возвращается при немедленном завершении нити, сделавшей "
"системный вызов. Системный вызов не выполняется. Другие нити в той же группе "
"нитей продолжат выполнение."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The thread terminates I killed by a B signal. See "
"B above."
msgstr ""
"Нить завершается I<думая>, что убита сигналом B. Смотрите описание "
"B выше."

#. See these commits:
#. seccomp: dump core when using SECCOMP_RET_KILL
#. (b25e67161c295c98acda92123b2dd1e7d8642901)
#. seccomp: Only dump core when single-threaded
#. (d7276e321ff8a53106a59c85ca46d03e34288893)
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Before Linux 4.11, any process terminated in this way would not trigger a "
"coredump (even though B is documented in B(7) as having a "
"default action of termination with a core dump). Since Linux 4.11, a single-"
"threaded process will dump core if terminated in this way."
msgstr ""
"До Linux 4.11 любой процесс, завершавшийся таким образом, не вызывал "
"образование дампа (несмотря на то, что описание B в B(7) "
"сообщает, что по умолчанию завершение приводит к дампу). Начиная с Linux "
"4.11 для процесса с единственной нитью будет сделан дамп, если он "
"завершается при таких обстоятельствах."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"With the addition of B in Linux 4.14, "
"B was added as a synonym for B, "
"in order to more clearly distinguish the two actions."
msgstr ""
"В дополнении к B в Linux 4.14 как синоним "
"B добавлено значение B, для более "
"ясного различения двух этих действий."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"B: the use of B to kill a single thread in a "
"multithreaded process is likely to leave the process in a permanently "
"inconsistent and possibly corrupt state."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in the kernel sending a thread-directed B signal "
"to the triggering thread. (The system call is not executed.) Various "
"fields will be set in the I structure (see B(2)) "
"associated with signal:"
msgstr ""
"Это значение приводит к отправке ядром направленного в нить сигнала "
"B возбудившей нити (системный вызов не выполняется). Заполняются "
"некоторые поля структуры I (смотрите B(2)), связанные "
"с сигналом:"

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "\\[bu]"
msgstr "\\[bu]"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I will contain B."
msgstr "В I будет содержаться значение B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I will show the address of the system call instruction."
msgstr "В I будет показан адрес инструкции системного вызова."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I and I will indicate which system call was attempted."
msgstr ""
"В I и I будет указываться какой системный вызов была "
"попытка запустить."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I will contain B."
msgstr "В I будет содержаться значение B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I will contain the B portion of the filter "
"return value."
msgstr ""
"В I будет содержаться часть B из возвращаемого "
"значения фильтра."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The program counter will be as though the system call happened (i.e., the "
"program counter will not point to the system call instruction). The return "
"value register will contain an architecture-dependent value; if resuming "
"execution, set it to something appropriate for the system call. (The "
"architecture dependency is because replacing it with B could "
"overwrite some useful information.)"
msgstr ""
"Программный счётчик будет таким же как при системном вызове (т. е., "
"программный счётчик не будет указывать на инструкцию системного вызова). В "
"регистре возвращаемого значения будет содержаться значение, зависящее от "
"архитектуры; если выполнение продолжится, оно равно чему-нибудь подходящему "
"для системного вызова (зависимость от архитектуры возникает из-за того, что "
"при замене его на B может перезаписаться какая-нибудь полезная "
"информация)."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in the B portion of the filter's return "
"value being passed to user space as the I value without executing the "
"system call."
msgstr ""
"Это значение приводит к тому, что часть B возвращаемого "
"значения фильтра передаётся в пространство пользователя в виде значения "
"I без выполнения системного вызова."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (since Linux 5.0)"
msgstr "B (начиная с Linux 5.0)"

#. commit 6a21cc50f0c7f87dae5259f6cfefe024412313f6
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Forward the system call to an attached user-space supervisor process to "
"allow that process to decide what to do with the system call. If there is "
"no attached supervisor (either because the filter was not installed with the "
"B flag or because the file descriptor was "
"closed), the filter returns B (similar to what happens when a filter "
"returns B and there is no tracer). See "
"B(2) for further details."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note that the supervisor process will not be notified if another filter "
"returns an action value with a precedence greater than "
"B."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When returned, this value will cause the kernel to attempt to notify a "
"B(2)-based tracer prior to executing the system call. If there is "
"no tracer present, the system call is not executed and returns a failure "
"status with I set to B."
msgstr ""
"При возврате это значение заставит ядро попытаться уведомить трассировщик на "
"основе B(2) до выполнения системного вызова. Если трассировщика нет, "
"то системный вызов не выполняется и возвращается состояние ошибки со "
"значением I равным B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A tracer will be notified if it requests B using "
"I. The tracer will be notified of a "
"B and the B portion of the filter's "
"return value will be available to the tracer via B."
msgstr ""
"Трассировщик будет уведомлён, если он запросил B "
"посредством I. Трассировщик будет уведомлён о "
"B, а часть B возвращаемого значения "
"фильтра будет доступна через B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The tracer can skip the system call by changing the system call number to "
"-1. Alternatively, the tracer can change the system call requested by "
"changing the system call to a valid system call number. If the tracer asks "
"to skip the system call, then the system call will appear to return the "
"value that the tracer puts in the return value register."
msgstr ""
"Трассировщик может пропустить системный вызов, изменив номер системного "
"вызова на -1. Или же он может изменить запрашиваемый системный вызов на "
"системный вызов с другим номером. Если трассировщик просит пропустить "
"системный вызов, то системный вызов появится в возвращаемом значении, "
"которое трассировщик помещает в регистр возвращаемого значения."

#. This was changed in ce6526e8afa4.
#. A related hole, using PTRACE_SYSCALL instead of SECCOMP_RET_TRACE, was
#. changed in arch-specific commits, e.g. 93e35efb8de4 for X86 and
#. 0f3912fd934c for ARM.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "Before kernel 4.8, the seccomp check will not be run again after the "
#| "tracer is notified. (This means that, on older kernels, seccomp-based "
#| "sandboxes B allow use of B(2)\\(emeven of other "
#| "sandboxed processes\\(emwithout extreme care; ptracers can use this "
#| "mechanism to escape from the seccomp sandbox.)"
msgid ""
"Before Linux 4.8, the seccomp check will not be run again after the tracer "
"is notified. (This means that, on older kernels, seccomp-based sandboxes "
"B allow use of B(2)\\[em]even of other sandboxed processes"
"\\[em]without extreme care; ptracers can use this mechanism to escape from "
"the seccomp sandbox.)"
msgstr ""
"До ядра 4.8 проверка seccomp не будет запущена ещё раз после уведомления "
"трассировщика (для старых ядер это означает, что ограниченные окружения "
"(sandbox) на основе seccomp B<не должны> позволять использовать B(2) "
"— даже другим процессам в окружении — без максимальной предосторожности; "
"ptracer-ы могут использовать этот механизм для выхода из окружения seccomp)."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note that a tracer process will not be notified if another filter returns an "
"action value with a precedence greater than B."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B (since Linux 4.14)"
msgstr "B (начиная с Linux 4.14)"

#. commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in the system call being executed after the filter return "
"action is logged. An administrator may override the logging of this action "
"via the I file."
msgstr ""
"Это значение приводит к выполнению системного вызова после протоколирования "
"фильтра, возвращающего действие. Администратор может заменить "
"протоколирование этого действия в файле I."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "This value results in the system call being executed."
msgstr "Это значение приводит к выполнению системного вызова."

#. commit 4d3b0b05aae9ee9ce0970dc4cc0fb3fad5e85945
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If an action value other than one of the above is specified, then the filter "
"action is treated as either B (since Linux 4.14) "
"or B (in Linux 4.13 and earlier)."
msgstr ""
"Если значение действия ни одно из указанных выше, то действием фильтра "
"считается или B (начиная с Linux 4.14), или "
"B (в Linux 4.13 и старее)."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "/proc interfaces"
msgstr "Интерфейс /proc"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The files in the directory I provide additional "
"seccomp information and configuration:"
msgstr ""
"Файлы в каталоге I предоставляют дополнительную "
"информацию seccomp и настройку:"

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I (since Linux 4.14)"
msgstr "I (начиная с Linux 4.14)"

#. commit 8e5f1ad116df6b0de65eac458d5e7c318d1c05af
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A read-only ordered list of seccomp filter return actions in string form. "
"The ordering, from left-to-right, is in decreasing order of precedence. The "
"list represents the set of seccomp filter return actions supported by the "
"kernel."
msgstr ""
"Доступный только для чтения упорядоченный список возвращаемых действий "
"фильтром seccomp в виде строки. Список упорядочен слева направо в порядке "
"уменьшения приоритета. Представляет собой набор возвращаемых фильтром "
"seccomp действий, поддерживаемых ядром."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I (since Linux 4.14)"
msgstr "I (начиная с Linux 4.14)"

#. commit 0ddec0fc8900201c0897b87b762b7c420436662f
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A read-write ordered list of seccomp filter return actions that are allowed "
"to be logged. Writes to the file do not need to be in ordered form but "
"reads from the file will be ordered in the same way as the I "
"file."
msgstr ""
"Доступный для чтения-записи упорядоченный список возвращаемых действий "
"фильтром seccomp, которые разрешено протоколировать. Записи в файл не нужно "
"упорядочивать, но прочитанные данные будут упорядочены также как в файле "
"I."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"It is important to note that the value of I does not prevent "
"certain filter return actions from being logged when the audit subsystem is "
"configured to audit a task. If the action is not found in the "
"I file, the final decision on whether to audit the action "
"for that task is ultimately left up to the audit subsystem to decide for all "
"filter return actions other than B."
msgstr ""
"Важно отметить, что значение I не останавливает от "
"протоколирования определённого фильтра возвращаемых действий, если "
"подсистема аудита настроена на аудит задачи. Если действие не найдено в "
"файле I, то конечное решение об аудите действия для этой "
"задачи, в конечном итоге, основывается на действие подсистемы аудита для "
"всех фильтров возвращающих действия, кроме B."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The \"allow\" string is not accepted in the I file as it is "
"not possible to log B actions. Attempting to write "
"\"allow\" to the file will fail with the error B."
msgstr ""
"Строка «allow» недопустима в файле I, так как невозможно "
"протоколирование действий B. Попытка записи «allow» в "
"файле завершится ошибкой B."

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Audit logging of seccomp actions"
msgstr "Ведение журнала контроля действий seccomp"

#. commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4
#. or auditing could be enabled via the netlink API (AUDIT_SET)
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Since Linux 4.14, the kernel provides the facility to log the actions "
"returned by seccomp filters in the audit log. The kernel makes the decision "
"to log an action based on the action type, whether or not the action is "
"present in the I file, and whether kernel auditing is "
"enabled (e.g., via the kernel boot option I). The rules are as "
"follows:"
msgstr ""
"Начиная с Linux 4.14 ядро позволяет протоколировать действия, возвращаемые "
"фильтрами seccomp в журнал контроля (audit log). Ядро принимает решение о "
"протоколировании действие основываясь на типе действия, имеется ли действие "
"в файле I и включён ли контроль в ядре (например, "
"посредством параметра загрузки ядра I). Правила следующие:"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "If the action is B, the action is not logged."
msgstr "Если действие — B, то оно не протоколируется."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Otherwise, if the action is either B or "
"B, and that action appears in the I "
"file, the action is logged."
msgstr ""
"В противном случае, если действие B или "
"B, и это действие есть в файле I, "
"то действие протоколируется."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Otherwise, if the filter has requested logging (the "
"B flag) and the action appears in the "
"I file, the action is logged."
msgstr ""
"В противном случае, если для фильтра запрошено протоколирование (флаг "
"B) и действие есть в файле I, то "
"действие протоколируется."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Otherwise, if kernel auditing is enabled and the process is being audited "
"(B(8)), the action is logged."
msgstr ""
"В противном случае, если включён контроль в ядре и процесс контролируется "
"(B(8)), то действие протоколируется."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Otherwise, the action is not logged."
msgstr "В противном случае действие не протоколируется."

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "RETURN VALUE"
msgstr "ВОЗВРАЩАЕМОЕ ЗНАЧЕНИЕ"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "On success, B() returns 0. On error, if "
#| "B was used, the return value is the ID of the "
#| "thread that caused the synchronization failure. (This ID is a kernel "
#| "thread ID of the type returned by B(2) and B(2).) On "
#| "other errors, -1 is returned, and I is set to indicate the cause "
#| "of the error."
msgid ""
"On success, B() returns 0. On error, if "
"B was used, the return value is the ID of the "
"thread that caused the synchronization failure. (This ID is a kernel thread "
"ID of the type returned by B(2) and B(2).) On other errors, "
"-1 is returned, and I is set to indicate the error."
msgstr ""
"При успешном выполнении B() возвращает 0. При ошибке, если был "
"использован B, то возвращается ID нити, которая "
"была причиной ошибки синхронизации (данный ID — идентификатор нити ядра с "
"типом, возвращаемом B(2) и B(2)). При других ошибках "
"возвращается -1 и в I записывается причина ошибки."

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "ERRORS"
msgstr "ОШИБКИ"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "B() can fail for the following reasons:"
msgstr ""
"Функция B() может завершиться с ошибкой по следующим причинам:"

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The caller did not have the B capability in its user "
"namespace, or had not set I before using "
"B."
msgstr ""
"У вызывающего нет мандата B в своём пространстве имён "
"пользователя или не установлен I до использования "
"B."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"While installing a new filter, the B flag "
"was specified, but a previous filter had already been installed with that "
"flag."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I was not a valid address."
msgstr "Аргумент I не содержит допустимого адреса."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I is unknown or is not supported by this kernel version or "
"configuration."
msgstr ""
"Аргумент I неизвестен или не поддерживается этой версией ядра или "
"из-за настроек."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The specified I are invalid for the given I."
msgstr ""
"Указанное значение I некорректно для заданного значения I."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid ""
#| "I included B, but the specified offset was not "
#| "aligned to a 32-bit boundary or exceeded I."
msgid ""
"I included B, but the specified offset was not aligned "
"to a 32-bit boundary or exceeded I."
msgstr ""
"Значение I включает B, но указанное смещение не "
"выровнено по 32-битной границе или превышает I."

#. See kernel/seccomp.c::seccomp_may_assign_mode() in Linux 3.18 sources
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A secure computing mode has already been set, and I differs from "
"the existing setting."
msgstr ""
"Режим безопасных вычислений уже включён, и значение I отличается "
"от существующей настройки."

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I specified B, but the filter program "
"pointed to by I was not valid or the length of the filter program was "
"zero or exceeded B (4096) instructions."
msgstr ""
"В I указано B, но фильтрующая программа, "
"задаваемая в I, некорректна или её длина равна 0 или превышает "
"B (4096) инструкций."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Out of memory."
msgstr "Не хватает памяти."

#. ENOMEM in kernel/seccomp.c::seccomp_attach_filter() in Linux 3.18 sources
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The total length of all filter programs attached to the calling thread would "
"exceed B (32768) instructions. Note that for the "
"purposes of calculating this limit, each already existing filter program "
"incurs an overhead penalty of 4 instructions."
msgstr ""
"Общая длина всех фильтрующих программ, присоединённых к вызывающей нити, "
"превысила бы B (32768) инструкций. Заметим, что для "
"вычисления этого предела на каждую уже существующую фильтрующую программу "
"прибавляются ещё 4 инструкции."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I specified B, but the kernel does not "
"support the filter return action specified by I."
msgstr ""
"В I указано B, но ядро не поддерживает "
"фильтр, возвращающий действие, указанное в I."

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B"
msgstr "B"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Another thread caused a failure during thread sync, but its ID could not be "
"determined."
msgstr ""
"Во время синхронизации нити произошла ошибка в другой нити, но её ID "
"невозможно определить."

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "STANDARDS"
msgstr "СТАНДАРТЫ"

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
msgid "Linux."
msgstr "Linux."

#. type: SH
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "HISTORY"
msgstr "ИСТОРИЯ"

#. FIXME . Add glibc version
#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
#, fuzzy
#| msgid "Linux"
msgid "Linux 3.17."
msgstr "Linux"

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NOTES"
msgstr "ПРИМЕЧАНИЯ"

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Rather than hand-coding seccomp filters as shown in the example below, you "
"may prefer to employ the I library, which provides a front-end "
"for generating seccomp filters."
msgstr ""
"Вместо ручного кодирования фильтров seccomp, как показано в примере ниже, вы "
"можете воспользоваться библиотекой I, которая предоставляет "
"клиентскую часть для генерации фильтров seccomp."

#.
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "The I field of the IpidI file provides a method of " "viewing the seccomp mode of a process; see B(5)." msgstr "" "В поле I файла IpidI отображается метод просмотра " "режима seccomp в процессе; смотрите B(5)." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "B() provides a superset of the functionality provided by the " "B(2) B operation (which does not support I)." msgstr "" "Вызов B() предоставляет больше возможностей по сравнению с " "операцией B B(2) (которая не поддерживает I)." #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Since Linux 4.4, the B(2) B operation " "can be used to dump a process's seccomp filters." msgstr "" "Начиная с Linux 4.4, вызов B(2) с операцией " "B можно использовать для получения дампа фильтров " "seccomp процесса." #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Architecture support for seccomp BPF" msgstr "Архитектурная поддержка seccomp BPF" #. Check by grepping for HAVE_ARCH_SECCOMP_FILTER in Kconfig files in #. kernel source. Last checked in Linux 4.16-rc source. #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Architecture support for seccomp BPF filtering is available on the following " "architectures:" msgstr "" "Архитектурная поддержка фильтрации seccomp BPF доступна на следующих " "архитектурах:" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "x86-64, i386, x32 (since Linux 3.5)" msgstr "x86-64, i386, x32 (начиная с Linux 3.5)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "ARM (since Linux 3.8)" msgstr "ARM (начиная с Linux 3.8)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "s390 (since Linux 3.8)" msgstr "s390 (начиная с Linux 3.8)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "MIPS (since Linux 3.16)" msgstr "MIPS (начиная с Linux 3.16)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "ARM-64 (since Linux 3.19)" msgstr "ARM-64 (начиная с Linux 3.19)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "PowerPC (since Linux 4.3)" msgstr "PowerPC (начиная с Linux 4.3)" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "Tile (since Linux 4.3)" msgstr "Tile (начиная с Linux 4.3)" #. User mode Linux since Linux 4.6 #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "PA-RISC (since Linux 4.6)" msgstr "PA-RISC (начиная с Linux 4.6)" #. type: SS #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed #, no-wrap msgid "Caveats" msgstr "Предостережения" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "There are various subtleties to consider when applying seccomp filters to a " "program, including the following:" msgstr "" "Есть различные тонкости, которые нужно учитывать при применении фильтров " "seccomp к программе:" #. type: Plain text #: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide #: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed msgid "" "Some traditional system calls have user-space implementations in the " "B(7) on many architectures. Notable examples include " "B(2), B(2), and B