# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2024-06-01 06:20+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: TH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "seccomp"
msgstr ""

#. type: TH
#: archlinux debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "2024-05-02"
msgstr ""

#. type: TH
#: archlinux debian-unstable
#, no-wrap
msgid "Linux man-pages 6.8"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "seccomp - operate on Secure Computing state of the process"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "LIBRARY"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Standard C library (I<libc>, I<-lc>)"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SYNOPSIS"
msgstr ""

#.  Kees Cook noted: Anything that uses SECCOMP_RET_TRACE returns will
#.                   need <sys/ptrace.h>
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"B<#include E<lt>linux/seccomp.hE<gt>>  /* Definition of B<SECCOMP_*> constants */\n"
"B<#include E<lt>linux/filter.hE<gt>>   /* Definition of B<struct sock_fprog> */\n"
"B<#include E<lt>linux/audit.hE<gt>>    /* Definition of B<AUDIT_*> constants */\n"
"B<#include E<lt>linux/signal.hE<gt>>   /* Definition of B<SIG*> constants */\n"
"B<#include E<lt>sys/ptrace.hE<gt>>     /* Definition of B<PTRACE_*> constants */\n"
"B<#include E<lt>sys/syscall.hE<gt>>    /* Definition of B<SYS_*> constants */\n"
"B<#include E<lt>unistd.hE<gt>>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"B<int syscall(SYS_seccomp, unsigned int >I<operation>B<, unsigned int >I<flags>B<,>\n"
"B<            void *>I<args>B<);>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<Note>: glibc provides no wrapper for B<seccomp>(), necessitating the use "
"of B<syscall>(2)."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<seccomp>()  system call operates on the Secure Computing (seccomp) "
"state of the calling process."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Currently, Linux supports the following I<operation> values:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_SET_MODE_STRICT>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The only system calls that the calling thread is permitted to make are "
"B<read>(2), B<write>(2), B<_exit>(2)  (but not B<exit_group>(2)), and "
"B<sigreturn>(2).  Other system calls result in the termination of the "
"calling thread, or termination of the entire process with the B<SIGKILL> "
"signal when there is only one thread.  Strict secure computing mode is "
"useful for number-crunching applications that may need to execute untrusted "
"byte code, perhaps obtained by reading from a pipe or socket."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note that although the calling thread can no longer call B<sigprocmask>(2), "
"it can use B<sigreturn>(2)  to block all signals apart from B<SIGKILL> and "
"B<SIGSTOP>.  This means that B<alarm>(2)  (for example) is not sufficient "
"for restricting the process's execution time.  Instead, to reliably "
"terminate the process, B<SIGKILL> must be used.  This can be done by using "
"B<timer_create>(2)  with B<SIGEV_SIGNAL> and I<sigev_signo> set to "
"B<SIGKILL>, or by using B<setrlimit>(2)  to set the hard limit for "
"B<RLIMIT_CPU>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This operation is available only if the kernel is configured with "
"B<CONFIG_SECCOMP> enabled."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The value of I<flags> must be 0, and I<args> must be NULL."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "This operation is functionally identical to the call:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);\n"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_SET_MODE_FILTER>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The system calls allowed are defined by a pointer to a Berkeley Packet "
"Filter (BPF) passed via I<args>.  This argument is a pointer to a I<struct\\ "
"sock_fprog>; it can be designed to filter arbitrary system calls and system "
"call arguments.  If the filter is invalid, B<seccomp>()  fails, returning "
"B<EINVAL> in I<errno>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If B<fork>(2)  or B<clone>(2)  is allowed by the filter, any child processes "
"will be constrained to the same system call filters as the parent.  If "
"B<execve>(2)  is allowed, the existing filters will be preserved across a "
"call to B<execve>(2)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In order to use the B<SECCOMP_SET_MODE_FILTER> operation, either the calling "
"thread must have the B<CAP_SYS_ADMIN> capability in its user namespace, or "
"the thread must already have the I<no_new_privs> bit set.  If that bit was "
"not already set by an ancestor of this thread, the thread must make the "
"following call:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "prctl(PR_SET_NO_NEW_PRIVS, 1);\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Otherwise, the B<SECCOMP_SET_MODE_FILTER> operation fails and returns "
"B<EACCES> in I<errno>.  This requirement ensures that an unprivileged "
"process cannot apply a malicious filter and then invoke a set-user-ID or "
"other privileged program using B<execve>(2), thus potentially compromising "
"that program.  (Such a malicious filter might, for example, cause an attempt "
"to use B<setuid>(2)  to set the caller's user IDs to nonzero values to "
"instead return 0 without actually making the system call.  Thus, the program "
"might be tricked into retaining superuser privileges in circumstances where "
"it is possible to influence it to do dangerous things because it did not "
"actually drop privileges.)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If B<prctl>(2)  or B<seccomp>()  is allowed by the attached filter, further "
"filters may be added.  This will increase evaluation time, but allows for "
"further reduction of the attack surface during execution of a thread."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<SECCOMP_SET_MODE_FILTER> operation is available only if the kernel is "
"configured with B<CONFIG_SECCOMP_FILTER> enabled."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When I<flags> is 0, this operation is functionally identical to the call:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The recognized I<flags> are:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_FILTER_FLAG_LOG> (since Linux 4.14)"
msgstr ""

#.  commit e66a39977985b1e69e17c4042cb290768eca9b02
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"All filter return actions except B<SECCOMP_RET_ALLOW> should be logged.  An "
"administrator may override this filter flag by preventing specific actions "
"from being logged via the I</proc/sys/kernel/seccomp/actions_logged> file."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_FILTER_FLAG_NEW_LISTENER> (since Linux 5.0)"
msgstr ""

#.  commit 6a21cc50f0c7f87dae5259f6cfefe024412313f6
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"After successfully installing the filter program, return a new user-space "
"notification file descriptor.  (The close-on-exec flag is set for the file "
"descriptor.)  When the filter returns B<SECCOMP_RET_USER_NOTIF> a "
"notification will be sent to this file descriptor."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"At most one seccomp filter using the B<SECCOMP_FILTER_FLAG_NEW_LISTENER> "
"flag can be installed for a thread."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "See B<seccomp_unotify>(2)  for further details."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_FILTER_FLAG_SPEC_ALLOW> (since Linux 4.17)"
msgstr ""

#.  commit 00a02d0c502a06d15e07b857f8ff921e3e402675
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Disable Speculative Store Bypass mitigation."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_FILTER_FLAG_TSYNC>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When adding a new filter, synchronize all other threads of the calling "
"process to the same seccomp filter tree.  A \"filter tree\" is the ordered "
"list of filters attached to a thread.  (Attaching identical filters in "
"separate B<seccomp>()  calls results in different filters from this "
"perspective.)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If any thread cannot synchronize to the same filter tree, the call will not "
"attach the new seccomp filter, and will fail, returning the first thread ID "
"found that cannot synchronize.  Synchronization will fail if another thread "
"in the same process is in B<SECCOMP_MODE_STRICT> or if it has attached new "
"seccomp filters to itself, diverging from the calling thread's filter tree."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_GET_ACTION_AVAIL> (since Linux 4.14)"
msgstr ""

#.  commit d612b1fd8010d0d67b5287fe146b8b55bcbb8655
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Test to see if an action is supported by the kernel.  This operation is "
"helpful to confirm that the kernel knows of a more recently added filter "
"return action since the kernel treats all unknown actions as "
"B<SECCOMP_RET_KILL_PROCESS>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The value of I<flags> must be 0, and I<args> must be a pointer to an "
"unsigned 32-bit filter return action."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_GET_NOTIF_SIZES> (since Linux 5.0)"
msgstr ""

#.  commit 6a21cc50f0c7f87dae5259f6cfefe024412313f6
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Get the sizes of the seccomp user-space notification structures.  Since "
"these structures may evolve and grow over time, this command can be used to "
"determine how much memory to allocate for sending and receiving "
"notifications."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The value of I<flags> must be 0, and I<args> must be a pointer to a I<struct "
"seccomp_notif_sizes>, which has the following form:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct seccomp_notif_sizes\n"
"    __u16 seccomp_notif;      /* Size of notification structure */\n"
"    __u16 seccomp_notif_resp; /* Size of response structure */\n"
"    __u16 seccomp_data;       /* Size of \\[aq]struct seccomp_data\\[aq] */\n"
"};\n"
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Filters"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When adding filters via B<SECCOMP_SET_MODE_FILTER>, I<args> points to a "
"filter program:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct sock_fprog {\n"
"    unsigned short      len;    /* Number of BPF instructions */\n"
"    struct sock_filter *filter; /* Pointer to array of\n"
"                                   BPF instructions */\n"
"};\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Each program must contain one or more BPF instructions:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct sock_filter {            /* Filter block */\n"
"    __u16 code;                 /* Actual filter code */\n"
"    __u8  jt;                   /* Jump true */\n"
"    __u8  jf;                   /* Jump false */\n"
"    __u32 k;                    /* Generic multiuse field */\n"
"};\n"
msgstr ""

#.  Quoting Kees Cook:
#.      If BPF even allows changing the data, it's not copied back to
#.      the syscall when it runs. Anything wanting to do things like
#.      that would need to use ptrace to catch the call and directly
#.      modify the registers before continuing with the call.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When executing the instructions, the BPF program operates on the system call "
"information made available (i.e., use the B<BPF_ABS> addressing mode) as a "
"(read-only)  buffer of the following form:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct seccomp_data {\n"
"    int   nr;                   /* System call number */\n"
"    __u32 arch;                 /* AUDIT_ARCH_* value\n"
"                                   (see E<lt>linux/audit.hE<gt>) */\n"
"    __u64 instruction_pointer;  /* CPU instruction pointer */\n"
"    __u64 args[6];              /* Up to 6 system call arguments */\n"
"};\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Because numbering of system calls varies between architectures and some "
"architectures (e.g., x86-64) allow user-space code to use the calling "
"conventions of multiple architectures (and the convention being used may "
"vary over the life of a process that uses B<execve>(2)  to execute binaries "
"that employ the different conventions), it is usually necessary to verify "
"the value of the I<arch> field."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"It is strongly recommended to use an allow-list approach whenever possible "
"because such an approach is more robust and simple.  A deny-list will have "
"to be updated whenever a potentially dangerous system call is added (or a "
"dangerous flag or option if those are deny-listed), and it is often possible "
"to alter the representation of a value without altering its meaning, leading "
"to a deny-list bypass.  See also I<Caveats> below."
msgstr ""

#
#.  As noted by Dave Drysdale in a note at the end of
#.  https://lwn.net/Articles/604515/
#.      One additional detail to point out for the x32 ABI case:
#.      the syscall number gets a high bit set (__X32_SYSCALL_BIT),
#.      to mark it as an x32 call.
#.      If x32 support is included in the kernel, then __SYSCALL_MASK
#.      will have a value that is not all-ones, and this will trigger
#.      an extra instruction in system_call to mask off the extra bit,
#.      so that the syscall table indexing still works.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I<arch> field is not unique for all calling conventions.  The x86-64 ABI "
"and the x32 ABI both use B<AUDIT_ARCH_X86_64> as I<arch>, and they run on "
"the same processors.  Instead, the mask B<__X32_SYSCALL_BIT> is used on the "
"system call number to tell the two ABIs apart."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This means that a policy must either deny all syscalls with "
"B<__X32_SYSCALL_BIT> or it must recognize syscalls with and without "
"B<__X32_SYSCALL_BIT> set.  A list of system calls to be denied based on "
"I<nr> that does not also contain I<nr> values with B<__X32_SYSCALL_BIT> set "
"can be bypassed by a malicious program that sets B<__X32_SYSCALL_BIT>."
msgstr ""

#.  commit 6365b842aae4490ebfafadfc6bb27a6d3cc54757
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Additionally, kernels prior to Linux 5.4 incorrectly permitted I<nr> in the "
"ranges 512-547 as well as the corresponding non-x32 syscalls ORed with "
"B<__X32_SYSCALL_BIT>.  For example, I<nr> == 521 and I<nr> == (101 | "
"B<__X32_SYSCALL_BIT>)  would result in invocations of B<ptrace>(2)  with "
"potentially confused x32-vs-x86_64 semantics in the kernel.  Policies "
"intended to work on kernels before Linux 5.4 must ensure that they deny or "
"otherwise correctly handle these system calls.  On Linux 5.4 and newer, such "
"system calls will fail with the error B<ENOSYS>, without doing anything."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I<instruction_pointer> field provides the address of the machine-"
"language instruction that performed the system call.  This might be useful "
"in conjunction with the use of I</proc/>pidI</maps> to perform checks based "
"on which region (mapping) of the program made the system call.  (Probably, "
"it is wise to lock down the B<mmap>(2)  and B<mprotect>(2)  system calls to "
"prevent the program from subverting such checks.)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When checking values from I<args>, keep in mind that arguments are often "
"silently truncated before being processed, but after the seccomp check.  For "
"example, this happens if the i386 ABI is used on an x86-64 kernel: although "
"the kernel will normally not look beyond the 32 lowest bits of the "
"arguments, the values of the full 64-bit registers will be present in the "
"seccomp data.  A less surprising example is that if the x86-64 ABI is used "
"to perform a system call that takes an argument of type I<int>, the more-"
"significant half of the argument register is ignored by the system call, but "
"visible in the seccomp data."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A seccomp filter returns a 32-bit value consisting of two parts: the most "
"significant 16 bits (corresponding to the mask defined by the constant "
"B<SECCOMP_RET_ACTION_FULL>)  contain one of the \"action\" values listed "
"below; the least significant 16-bits (defined by the constant "
"B<SECCOMP_RET_DATA>)  are \"data\" to be associated with this return value."
msgstr ""

#
#.  From an Aug 2015 conversation with Kees Cook where I asked why *all*
#.  filters are applied even if one of the early filters returns
#.  SECCOMP_RET_KILL:
#.      It's just because it would be an optimization that would only speed up
#.      the RET_KILL case, but it's the uncommon one and the one that doesn't
#.      benefit meaningfully from such a change (you need to kill the process
#.      really quickly?). We would speed up killing a program at the (albeit
#.      tiny) expense to all other filtered programs. Best to keep the filter
#.      execution logic clear, simple, and as fast as possible for all
#.      filters.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If multiple filters exist, they are I<all> executed, in reverse order of "
"their addition to the filter tree\\[em]that is, the most recently installed "
"filter is executed first.  (Note that all filters will be called even if one "
"of the earlier filters returns B<SECCOMP_RET_KILL>.  This is done to "
"simplify the kernel code and to provide a tiny speed-up in the execution of "
"sets of filters by avoiding a check for this uncommon case.)  The return "
"value for the evaluation of a given system call is the first-seen action "
"value of highest precedence (along with its accompanying data)  returned by "
"execution of all of the filters."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In decreasing order of precedence, the action values that may be returned by "
"a seccomp filter are:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_RET_KILL_PROCESS> (since Linux 4.14)"
msgstr ""

#.  commit 4d3b0b05aae9ee9ce0970dc4cc0fb3fad5e85945
#.  commit 0466bdb99e8744bc9befa8d62a317f0fd7fd7421
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in immediate termination of the process, with a core "
"dump.  The system call is not executed.  By contrast with "
"B<SECCOMP_RET_KILL_THREAD> below, all threads in the thread group are "
"terminated.  (For a discussion of thread groups, see the description of the "
"B<CLONE_THREAD> flag in B<clone>(2).)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The process terminates I<as though> killed by a B<SIGSYS> signal.  Even if a "
"signal handler has been registered for B<SIGSYS>, the handler will be "
"ignored in this case and the process always terminates.  To a parent process "
"that is waiting on this process (using B<waitpid>(2)  or similar), the "
"returned I<wstatus> will indicate that its child was terminated as though by "
"a B<SIGSYS> signal."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_RET_KILL_THREAD> (or B<SECCOMP_RET_KILL>)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in immediate termination of the thread that made the "
"system call.  The system call is not executed.  Other threads in the same "
"thread group will continue to execute."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The thread terminates I<as though> killed by a B<SIGSYS> signal.  See "
"B<SECCOMP_RET_KILL_PROCESS> above."
msgstr ""

#.  See these commits:
#.  seccomp: dump core when using SECCOMP_RET_KILL
#.     (b25e67161c295c98acda92123b2dd1e7d8642901)
#.  seccomp: Only dump core when single-threaded
#.     (d7276e321ff8a53106a59c85ca46d03e34288893)
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Before Linux 4.11, any process terminated in this way would not trigger a "
"coredump (even though B<SIGSYS> is documented in B<signal>(7)  as having a "
"default action of termination with a core dump).  Since Linux 4.11, a single-"
"threaded process will dump core if terminated in this way."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"With the addition of B<SECCOMP_RET_KILL_PROCESS> in Linux 4.14, "
"B<SECCOMP_RET_KILL_THREAD> was added as a synonym for B<SECCOMP_RET_KILL>, "
"in order to more clearly distinguish the two actions."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"B<Note>: the use of B<SECCOMP_RET_KILL_THREAD> to kill a single thread in a "
"multithreaded process is likely to leave the process in a permanently "
"inconsistent and possibly corrupt state."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_RET_TRAP>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in the kernel sending a thread-directed B<SIGSYS> signal "
"to the triggering thread.  (The system call is not executed.)  Various "
"fields will be set in the I<siginfo_t> structure (see B<sigaction>(2))  "
"associated with signal:"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "\\[bu]"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<si_signo> will contain B<SIGSYS>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<si_call_addr> will show the address of the system call instruction."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<si_syscall> and I<si_arch> will indicate which system call was attempted."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<si_code> will contain B<SYS_SECCOMP>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<si_errno> will contain the B<SECCOMP_RET_DATA> portion of the filter "
"return value."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The program counter will be as though the system call happened (i.e., the "
"program counter will not point to the system call instruction).  The return "
"value register will contain an architecture-dependent value; if resuming "
"execution, set it to something appropriate for the system call.  (The "
"architecture dependency is because replacing it with B<ENOSYS> could "
"overwrite some useful information.)"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_RET_ERRNO>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in the B<SECCOMP_RET_DATA> portion of the filter's return "
"value being passed to user space as the I<errno> value without executing the "
"system call."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_RET_USER_NOTIF> (since Linux 5.0)"
msgstr ""

#.  commit 6a21cc50f0c7f87dae5259f6cfefe024412313f6
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Forward the system call to an attached user-space supervisor process to "
"allow that process to decide what to do with the system call.  If there is "
"no attached supervisor (either because the filter was not installed with the "
"B<SECCOMP_FILTER_FLAG_NEW_LISTENER> flag or because the file descriptor was "
"closed), the filter returns B<ENOSYS> (similar to what happens when a filter "
"returns B<SECCOMP_RET_TRACE> and there is no tracer).  See "
"B<seccomp_unotify>(2)  for further details."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note that the supervisor process will not be notified if another filter "
"returns an action value with a precedence greater than "
"B<SECCOMP_RET_USER_NOTIF>."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_RET_TRACE>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When returned, this value will cause the kernel to attempt to notify a "
"B<ptrace>(2)-based tracer prior to executing the system call.  If there is "
"no tracer present, the system call is not executed and returns a failure "
"status with I<errno> set to B<ENOSYS>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A tracer will be notified if it requests B<PTRACE_O_TRACESECCOMP> using "
"I<ptrace(PTRACE_SETOPTIONS)>.  The tracer will be notified of a "
"B<PTRACE_EVENT_SECCOMP> and the B<SECCOMP_RET_DATA> portion of the filter's "
"return value will be available to the tracer via B<PTRACE_GETEVENTMSG>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The tracer can skip the system call by changing the system call number to "
"-1.  Alternatively, the tracer can change the system call requested by "
"changing the system call to a valid system call number.  If the tracer asks "
"to skip the system call, then the system call will appear to return the "
"value that the tracer puts in the return value register."
msgstr ""

#.  This was changed in ce6526e8afa4.
#.  A related hole, using PTRACE_SYSCALL instead of SECCOMP_RET_TRACE, was
#.  changed in arch-specific commits, e.g. 93e35efb8de4 for X86 and
#.  0f3912fd934c for ARM.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Before Linux 4.8, the seccomp check will not be run again after the tracer "
"is notified.  (This means that, on older kernels, seccomp-based sandboxes "
"B<must not> allow use of B<ptrace>(2)\\[em]even of other sandboxed "
"processes\\[em]without extreme care; ptracers can use this mechanism to "
"escape from the seccomp sandbox.)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note that a tracer process will not be notified if another filter returns an "
"action value with a precedence greater than B<SECCOMP_RET_TRACE>."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_RET_LOG> (since Linux 4.14)"
msgstr ""

#.  commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This value results in the system call being executed after the filter return "
"action is logged.  An administrator may override the logging of this action "
"via the I</proc/sys/kernel/seccomp/actions_logged> file."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_RET_ALLOW>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "This value results in the system call being executed."
msgstr ""

#.  commit 4d3b0b05aae9ee9ce0970dc4cc0fb3fad5e85945
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If an action value other than one of the above is specified, then the filter "
"action is treated as either B<SECCOMP_RET_KILL_PROCESS> (since Linux 4.14)  "
"or B<SECCOMP_RET_KILL_THREAD> (in Linux 4.13 and earlier)."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "/proc interfaces"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The files in the directory I</proc/sys/kernel/seccomp> provide additional "
"seccomp information and configuration:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<actions_avail> (since Linux 4.14)"
msgstr ""

#.  commit 8e5f1ad116df6b0de65eac458d5e7c318d1c05af
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A read-only ordered list of seccomp filter return actions in string form.  "
"The ordering, from left-to-right, is in decreasing order of precedence.  The "
"list represents the set of seccomp filter return actions supported by the "
"kernel."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<actions_logged> (since Linux 4.14)"
msgstr ""

#.  commit 0ddec0fc8900201c0897b87b762b7c420436662f
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A read-write ordered list of seccomp filter return actions that are allowed "
"to be logged.  Writes to the file do not need to be in ordered form but "
"reads from the file will be ordered in the same way as the I<actions_avail> "
"file."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"It is important to note that the value of I<actions_logged> does not prevent "
"certain filter return actions from being logged when the audit subsystem is "
"configured to audit a task.  If the action is not found in the "
"I<actions_logged> file, the final decision on whether to audit the action "
"for that task is ultimately left up to the audit subsystem to decide for all "
"filter return actions other than B<SECCOMP_RET_ALLOW>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The \"allow\" string is not accepted in the I<actions_logged> file as it is "
"not possible to log B<SECCOMP_RET_ALLOW> actions.  Attempting to write "
"\"allow\" to the file will fail with the error B<EINVAL>."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Audit logging of seccomp actions"
msgstr ""

#.  commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4
#.  or auditing could be enabled via the netlink API (AUDIT_SET)
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Since Linux 4.14, the kernel provides the facility to log the actions "
"returned by seccomp filters in the audit log.  The kernel makes the decision "
"to log an action based on the action type, whether or not the action is "
"present in the I<actions_logged> file, and whether kernel auditing is "
"enabled (e.g., via the kernel boot option I<audit=1>).  The rules are as "
"follows:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "If the action is B<SECCOMP_RET_ALLOW>, the action is not logged."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Otherwise, if the action is either B<SECCOMP_RET_KILL_PROCESS> or "
"B<SECCOMP_RET_KILL_THREAD>, and that action appears in the I<actions_logged> "
"file, the action is logged."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Otherwise, if the filter has requested logging (the "
"B<SECCOMP_FILTER_FLAG_LOG> flag)  and the action appears in the "
"I<actions_logged> file, the action is logged."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Otherwise, if kernel auditing is enabled and the process is being audited "
"(B<autrace>(8)), the action is logged."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Otherwise, the action is not logged."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "RETURN VALUE"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"On success, B<seccomp>()  returns 0.  On error, if "
"B<SECCOMP_FILTER_FLAG_TSYNC> was used, the return value is the ID of the "
"thread that caused the synchronization failure.  (This ID is a kernel thread "
"ID of the type returned by B<clone>(2)  and B<gettid>(2).)  On other errors, "
"-1 is returned, and I<errno> is set to indicate the error."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "ERRORS"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "B<seccomp>()  can fail for the following reasons:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EACCES>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The caller did not have the B<CAP_SYS_ADMIN> capability in its user "
"namespace, or had not set I<no_new_privs> before using "
"B<SECCOMP_SET_MODE_FILTER>."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EBUSY>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"While installing a new filter, the B<SECCOMP_FILTER_FLAG_NEW_LISTENER> flag "
"was specified, but a previous filter had already been installed with that "
"flag."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EFAULT>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<args> was not a valid address."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EINVAL>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<operation> is unknown or is not supported by this kernel version or "
"configuration."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The specified I<flags> are invalid for the given I<operation>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<operation> included B<BPF_ABS>, but the specified offset was not aligned "
"to a 32-bit boundary or exceeded I<sizeof(struct\\ seccomp_data)>."
msgstr ""

#.  See kernel/seccomp.c::seccomp_may_assign_mode() in Linux 3.18 sources
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A secure computing mode has already been set, and I<operation> differs from "
"the existing setting."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<operation> specified B<SECCOMP_SET_MODE_FILTER>, but the filter program "
"pointed to by I<args> was not valid or the length of the filter program was "
"zero or exceeded B<BPF_MAXINSNS> (4096) instructions."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<ENOMEM>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Out of memory."
msgstr ""

#.  ENOMEM in kernel/seccomp.c::seccomp_attach_filter() in Linux 3.18 sources
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The total length of all filter programs attached to the calling thread would "
"exceed B<MAX_INSNS_PER_PATH> (32768) instructions.  Note that for the "
"purposes of calculating this limit, each already existing filter program "
"incurs an overhead penalty of 4 instructions."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EOPNOTSUPP>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<operation> specified B<SECCOMP_GET_ACTION_AVAIL>, but the kernel does not "
"support the filter return action specified by I<args>."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<ESRCH>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Another thread caused a failure during thread sync, but its ID could not be "
"determined."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "STANDARDS"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
msgid "Linux."
msgstr ""

#. type: SH
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "HISTORY"
msgstr ""

#.  FIXME . Add glibc version
#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
msgid "Linux 3.17."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NOTES"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Rather than hand-coding seccomp filters as shown in the example below, you "
"may prefer to employ the I<libseccomp> library, which provides a front-end "
"for generating seccomp filters."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I<Seccomp> field of the I</proc/>pidI</status> file provides a method of "
"viewing the seccomp mode of a process; see B<proc>(5)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"B<seccomp>()  provides a superset of the functionality provided by the "
"B<prctl>(2)  B<PR_SET_SECCOMP> operation (which does not support I<flags>)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Since Linux 4.4, the B<ptrace>(2)  B<PTRACE_SECCOMP_GET_FILTER> operation "
"can be used to dump a process's seccomp filters."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Architecture support for seccomp BPF"
msgstr ""

#.  Check by grepping for HAVE_ARCH_SECCOMP_FILTER in Kconfig files in
#.  kernel source. Last checked in Linux 4.16-rc source.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Architecture support for seccomp BPF filtering is available on the following "
"architectures:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "x86-64, i386, x32 (since Linux 3.5)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "ARM (since Linux 3.8)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "s390 (since Linux 3.8)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "MIPS (since Linux 3.16)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "ARM-64 (since Linux 3.19)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "PowerPC (since Linux 4.3)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Tile (since Linux 4.3)"
msgstr ""

#.  User mode Linux since Linux 4.6
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "PA-RISC (since Linux 4.6)"
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Caveats"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"There are various subtleties to consider when applying seccomp filters to a "
"program, including the following:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Some traditional system calls have user-space implementations in the "
"B<vdso>(7)  on many architectures.  Notable examples include "
"B<clock_gettime>(2), B<gettimeofday>(2), and B<time>(2).  On such "
"architectures, seccomp filtering for these system calls will have no "
"effect.  (However, there are cases where the B<vdso>(7)  implementations may "
"fall back to invoking the true system call, in which case seccomp filters "
"would see the system call.)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Seccomp filtering is based on system call numbers.  However, applications "
"typically do not directly invoke system calls, but instead call wrapper "
"functions in the C library which in turn invoke the system calls.  "
"Consequently, one must be aware of the following:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The glibc wrappers for some traditional system calls may actually employ "
"system calls with different names in the kernel.  For example, the "
"B<exit>(2)  wrapper function actually employs the B<exit_group>(2)  system "
"call, and the B<fork>(2)  wrapper function actually calls B<clone>(2)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The behavior of wrapper functions may vary across architectures, according "
"to the range of system calls provided on those architectures.  In other "
"words, the same wrapper function may invoke different system calls on "
"different architectures."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Finally, the behavior of wrapper functions can change across glibc "
"versions.  For example, in older versions, the glibc wrapper function for "
"B<open>(2)  invoked the system call of the same name, but starting in glibc "
"2.26, the implementation switched to calling B<openat>(2)  on all "
"architectures."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The consequence of the above points is that it may be necessary to filter "
"for a system call other than might be expected.  Various manual pages in "
"Section 2 provide helpful details about the differences between wrapper "
"functions and the underlying system calls in subsections entitled I<C "
"library/kernel differences>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Furthermore, note that the application of seccomp filters even risks causing "
"bugs in an application, when the filters cause unexpected failures for "
"legitimate operations that the application might need to perform.  Such bugs "
"may not easily be discovered when testing the seccomp filters if the bugs "
"occur in rarely used application code paths."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Seccomp-specific BPF details"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Note the following BPF details specific to seccomp filters:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<BPF_H> and B<BPF_B> size modifiers are not supported: all operations "
"must load and store (4-byte) words (B<BPF_W>)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"To access the contents of the I<seccomp_data> buffer, use the B<BPF_ABS> "
"addressing mode modifier."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<BPF_LEN> addressing mode modifier yields an immediate mode operand "
"whose value is the size of the I<seccomp_data> buffer."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "EXAMPLES"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The program below accepts four or more arguments.  The first three arguments "
"are a system call number, a numeric architecture identifier, and an error "
"number.  The program uses these values to construct a BPF filter that is "
"used at run time to perform the following checks:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the program is not running on the specified architecture, the BPF filter "
"causes system calls to fail with the error B<ENOSYS>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the program attempts to execute the system call with the specified "
"number, the BPF filter causes the system call to fail, with I<errno> being "
"set to the specified error number."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The remaining command-line arguments specify the pathname and additional "
"arguments of a program that the example program should attempt to execute "
"using B<execv>(3)  (a library function that employs the B<execve>(2)  system "
"call).  Some example runs of the program are shown below."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"First, we display the architecture that we are running on (x86-64)  and then "
"construct a shell function that looks up system call numbers on this "
"architecture:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<uname -m>\n"
"x86_64\n"
"$ B<syscall_nr() {\n"
"    cat /usr/src/linux/arch/x86/syscalls/syscall_64.tbl | \\e\n"
"    awk \\[aq]$2 != \"x32\" && $3 == \"\\[aq]$1\\[aq]\" { print $1 }\\[aq]\n"
"}>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When the BPF filter rejects a system call (case [2] above), it causes the "
"system call to fail with the error number specified on the command line.  In "
"the experiments shown here, we'll use error number 99:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<errno 99>\n"
"EADDRNOTAVAIL 99 Cannot assign requested address\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the following example, we attempt to run the command B<whoami>(1), but "
"the BPF filter rejects the B<execve>(2)  system call, so that the command is "
"not even executed:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<syscall_nr execve>\n"
"59\n"
"$ B<./a.out>\n"
"Usage: ./a.out E<lt>syscall_nrE<gt> E<lt>archE<gt> E<lt>errnoE<gt> E<lt>progE<gt> [E<lt>argsE<gt>]\n"
"Hint for E<lt>archE<gt>: AUDIT_ARCH_I386: 0x40000003\n"
"                 AUDIT_ARCH_X86_64: 0xC000003E\n"
"$ B<./a.out 59 0xC000003E 99 /bin/whoami>\n"
"execv: Cannot assign requested address\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the next example, the BPF filter rejects the B<write>(2)  system call, so "
"that, although it is successfully started, the B<whoami>(1)  command is not "
"able to write output:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<syscall_nr write>\n"
"1\n"
"$ B<./a.out 1 0xC000003E 99 /bin/whoami>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the final example, the BPF filter rejects a system call that is not used "
"by the B<whoami>(1)  command, so it is able to successfully execute and "
"produce output:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<syscall_nr preadv>\n"
"295\n"
"$ B<./a.out 295 0xC000003E 99 /bin/whoami>\n"
"cecilia\n"
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Program source"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"#include E<lt>linux/audit.hE<gt>\n"
"#include E<lt>linux/filter.hE<gt>\n"
"#include E<lt>linux/seccomp.hE<gt>\n"
"#include E<lt>stddef.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>sys/prctl.hE<gt>\n"
"#include E<lt>sys/syscall.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"\\&\n"
"#define X32_SYSCALL_BIT 0x40000000\n"
"#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))\n"
"\\&\n"
"static int\n"
"install_filter(int syscall_nr, unsigned int t_arch, int f_errno)\n"
"{\n"
"    unsigned int upper_nr_limit = 0xffffffff;\n"
"\\&\n"
"    /* Assume that AUDIT_ARCH_X86_64 means the normal x86-64 ABI\n"
"       (in the x32 ABI, all system calls have bit 30 set in the\n"
"       \\[aq]nr\\[aq] field, meaning the numbers are E<gt>= X32_SYSCALL_BIT). */\n"
"    if (t_arch == AUDIT_ARCH_X86_64)\n"
"        upper_nr_limit = X32_SYSCALL_BIT - 1;\n"
"\\&\n"
"    struct sock_filter filter[] = {\n"
"        /* [0] Load architecture from \\[aq]seccomp_data\\[aq] buffer into\n"
"               accumulator. */\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
"                 (offsetof(struct seccomp_data, arch))),\n"
"\\&\n"
"        /* [1] Jump forward 5 instructions if architecture does not\n"
"               match \\[aq]t_arch\\[aq]. */\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 5),\n"
"\\&\n"
"        /* [2] Load system call number from \\[aq]seccomp_data\\[aq] buffer into\n"
"               accumulator. */\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
"                 (offsetof(struct seccomp_data, nr))),\n"
"\\&\n"
"        /* [3] Check ABI - only needed for x86-64 in deny-list use\n"
"               cases.  Use BPF_JGT instead of checking against the bit\n"
"               mask to avoid having to reload the syscall number. */\n"
"        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),\n"
"\\&\n"
"        /* [4] Jump forward 1 instruction if system call number\n"
"               does not match \\[aq]syscall_nr\\[aq]. */\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),\n"
"\\&\n"
"        /* [5] Matching architecture and system call: don\\[aq]t execute\n"
"           the system call, and return \\[aq]f_errno\\[aq] in \\[aq]errno\\[aq]. */\n"
"        BPF_STMT(BPF_RET | BPF_K,\n"
"                 SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),\n"
"\\&\n"
"        /* [6] Destination of system call number mismatch: allow other\n"
"               system calls. */\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),\n"
"\\&\n"
"        /* [7] Destination of architecture mismatch: kill process. */\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),\n"
"    };\n"
"\\&\n"
"    struct sock_fprog prog = {\n"
"        .len = ARRAY_SIZE(filter),\n"
"        .filter = filter,\n"
"    };\n"
"\\&\n"
"    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)) {\n"
"        perror(\"seccomp\");\n"
"        return 1;\n"
"    }\n"
"\\&\n"
"    return 0;\n"
"}\n"
"\\&\n"
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    if (argc E<lt> 5) {\n"
"        fprintf(stderr, \"Usage: \"\n"
"                \"%s E<lt>syscall_nrE<gt> E<lt>archE<gt> E<lt>errnoE<gt> E<lt>progE<gt> [E<lt>argsE<gt>]\\en\"\n"
"                \"Hint for E<lt>archE<gt>: AUDIT_ARCH_I386: 0x%X\\en\"\n"
"                \"                 AUDIT_ARCH_X86_64: 0x%X\\en\"\n"
"                \"\\en\", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {\n"
"        perror(\"prctl\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    if (install_filter(strtol(argv[1], NULL, 0),\n"
"                       strtoul(argv[2], NULL, 0),\n"
"                       strtol(argv[3], NULL, 0)))\n"
"        exit(EXIT_FAILURE);\n"
"\\&\n"
"    execv(argv[4], &argv[4]);\n"
"    perror(\"execv\");\n"
"    exit(EXIT_FAILURE);\n"
"}\n"
msgstr ""

#.  SRC END
#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"B<bpfc>(1), B<strace>(1), B<bpf>(2), B<prctl>(2), B<ptrace>(2), "
"B<seccomp_unotify>(2), B<sigaction>(2), B<proc>(5), B<signal>(7), "
"B<socket>(7)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Various pages from the I<libseccomp> library, including: "
"B<scmp_sys_resolver>(1), B<seccomp_export_bpf>(3), B<seccomp_init>(3), "
"B<seccomp_load>(3), and B<seccomp_rule_add>(3)."
msgstr ""

#.  commit c061f33f35be0ccc80f4b8e0aea5dfd2ed7e01a3
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The kernel source files I<Documentation/networking/filter.txt> and "
"I<Documentation/userspace-api/seccomp_filter.rst> (or I<Documentation/prctl/"
"seccomp_filter.txt> before Linux 4.13)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"McCanne, S.\\& and Jacobson, V.\\& (1992)  I<The BSD Packet Filter: A New "
"Architecture for User-level Packet Capture>, Proceedings of the USENIX "
"Winter 1993 Conference E<.UR http://www.tcpdump.org/papers/bpf-usenix93.pdf> "
"E<.UE>"
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "2023-02-05"
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "Linux man-pages 6.03"
msgstr ""

#. type: SH
#: debian-bookworm
#, no-wrap
msgid "VERSIONS"
msgstr ""

#.  FIXME . Add glibc version
#. type: Plain text
#: debian-bookworm
msgid "The B<seccomp>()  system call first appeared in Linux 3.17."
msgstr ""

#. type: Plain text
#: debian-bookworm
msgid "The B<seccomp>()  system call is a nonstandard Linux extension."
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"#include E<lt>linux/audit.hE<gt>\n"
"#include E<lt>linux/filter.hE<gt>\n"
"#include E<lt>linux/seccomp.hE<gt>\n"
"#include E<lt>stddef.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>sys/prctl.hE<gt>\n"
"#include E<lt>sys/syscall.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"#define X32_SYSCALL_BIT 0x40000000\n"
"#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static int\n"
"install_filter(int syscall_nr, unsigned int t_arch, int f_errno)\n"
"{\n"
"    unsigned int upper_nr_limit = 0xffffffff;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Assume that AUDIT_ARCH_X86_64 means the normal x86-64 ABI\n"
"       (in the x32 ABI, all system calls have bit 30 set in the\n"
"       \\[aq]nr\\[aq] field, meaning the numbers are E<gt>= X32_SYSCALL_BIT). */\n"
"    if (t_arch == AUDIT_ARCH_X86_64)\n"
"        upper_nr_limit = X32_SYSCALL_BIT - 1;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    struct sock_filter filter[] = {\n"
"        /* [0] Load architecture from \\[aq]seccomp_data\\[aq] buffer into\n"
"               accumulator. */\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
"                 (offsetof(struct seccomp_data, arch))),\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* [1] Jump forward 5 instructions if architecture does not\n"
"               match \\[aq]t_arch\\[aq]. */\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 5),\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* [2] Load system call number from \\[aq]seccomp_data\\[aq] buffer into\n"
"               accumulator. */\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
"                 (offsetof(struct seccomp_data, nr))),\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* [3] Check ABI - only needed for x86-64 in deny-list use\n"
"               cases.  Use BPF_JGT instead of checking against the bit\n"
"               mask to avoid having to reload the syscall number. */\n"
"        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* [4] Jump forward 1 instruction if system call number\n"
"               does not match \\[aq]syscall_nr\\[aq]. */\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* [5] Matching architecture and system call: don\\[aq]t execute\n"
"           the system call, and return \\[aq]f_errno\\[aq] in \\[aq]errno\\[aq]. */\n"
"        BPF_STMT(BPF_RET | BPF_K,\n"
"                 SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* [6] Destination of system call number mismatch: allow other\n"
"               system calls. */\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* [7] Destination of architecture mismatch: kill process. */\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),\n"
"    };\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    struct sock_fprog prog = {\n"
"        .len = ARRAY_SIZE(filter),\n"
"        .filter = filter,\n"
"    };\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)) {\n"
"        perror(\"seccomp\");\n"
"        return 1;\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    return 0;\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    if (argc E<lt> 5) {\n"
"        fprintf(stderr, \"Usage: \"\n"
"                \"%s E<lt>syscall_nrE<gt> E<lt>archE<gt> E<lt>errnoE<gt> E<lt>progE<gt> [E<lt>argsE<gt>]\\en\"\n"
"                \"Hint for E<lt>archE<gt>: AUDIT_ARCH_I386: 0x%X\\en\"\n"
"                \"                 AUDIT_ARCH_X86_64: 0x%X\\en\"\n"
"                \"\\en\", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {\n"
"        perror(\"prctl\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (install_filter(strtol(argv[1], NULL, 0),\n"
"                       strtoul(argv[2], NULL, 0),\n"
"                       strtol(argv[3], NULL, 0)))\n"
"        exit(EXIT_FAILURE);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    execv(argv[4], &argv[4]);\n"
"    perror(\"execv\");\n"
"    exit(EXIT_FAILURE);\n"
"}\n"
msgstr ""

#. type: TH
#: fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "2023-10-31"
msgstr ""

#. type: TH
#: fedora-40 mageia-cauldron
#, no-wrap
msgid "Linux man-pages 6.06"
msgstr ""

#. type: TH
#: fedora-rawhide
#, no-wrap
msgid "Linux man-pages 6.7"
msgstr ""

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "2023-03-30"
msgstr ""

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "Linux man-pages 6.04"
msgstr ""

#. type: TH
#: opensuse-tumbleweed
#, no-wrap
msgid "Linux man-pages (unreleased)"
msgstr ""