# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2024-06-01 06:20+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: TH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "seccomp_unotify"
msgstr ""

#. type: TH
#: archlinux debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "2024-05-02"
msgstr ""

#. type: TH
#: archlinux debian-unstable
#, no-wrap
msgid "Linux man-pages 6.8"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "seccomp_unotify - Seccomp user-space notification mechanism"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "LIBRARY"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Standard C library (I<libc>, I<-lc>)"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SYNOPSIS"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"B<#include E<lt>linux/seccomp.hE<gt>>\n"
"B<#include E<lt>linux/filter.hE<gt>>\n"
"B<#include E<lt>linux/audit.hE<gt>>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<int seccomp(unsigned int >I<operation>B<, unsigned int >I<flags>B<, void *>I<args>B<);>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<#include E<lt>sys/ioctl.hE<gt>>\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"B<int ioctl(int >I<fd>B<, SECCOMP_IOCTL_NOTIF_RECV,>\n"
"B<          struct seccomp_notif *>I<req>B<);>\n"
"B<int ioctl(int >I<fd>B<, SECCOMP_IOCTL_NOTIF_SEND,>\n"
"B<          struct seccomp_notif_resp *>I<resp>B<);>\n"
"B<int ioctl(int >I<fd>B<, SECCOMP_IOCTL_NOTIF_ID_VALID, __u64 *>I<id>B<);>\n"
"B<int ioctl(int >I<fd>B<, SECCOMP_IOCTL_NOTIF_ADDFD,>\n"
"B<          struct seccomp_notif_addfd *>I<addfd>B<);>\n"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This page describes the user-space notification mechanism provided by the "
"Secure Computing (seccomp) facility.  As well as the use of the "
"B<SECCOMP_FILTER_FLAG_NEW_LISTENER> flag, the B<SECCOMP_RET_USER_NOTIF> "
"action value, and the B<SECCOMP_GET_NOTIF_SIZES> operation described in "
"B<seccomp>(2), this mechanism involves the use of a number of related "
"B<ioctl>(2)  operations (described below)."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Overview"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In conventional usage of a seccomp filter, the decision about how to treat a "
"system call is made by the filter itself.  By contrast, the user-space "
"notification mechanism allows the seccomp filter to delegate the handling of "
"the system call to another user-space process.  Note that this mechanism is "
"explicitly B<not> intended as a method implementing security policy; see "
"NOTES."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the discussion that follows, the thread(s) on which the seccomp filter is "
"installed is (are)  referred to as the I<target>, and the process that is "
"notified by the user-space notification mechanism is referred to as the "
"I<supervisor>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A suitably privileged supervisor can use the user-space notification "
"mechanism to perform actions on behalf of the target.  The advantage of the "
"user-space notification mechanism is that the supervisor will usually be "
"able to retrieve information about the target and the performed system call "
"that the seccomp filter itself cannot.  (A seccomp filter is limited in the "
"information it can obtain and the actions that it can perform because it is "
"running on a virtual machine inside the kernel.)"
msgstr ""

#. -------------------------------------
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"An overview of the steps performed by the target and the supervisor is as "
"follows:"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(1)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The target establishes a seccomp filter in the usual manner, but with two "
"differences:"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "\\[bu]"
msgstr ""

#
#
#.  FIXME
#.  Is the last sentence above correct?
#.  Kees Cook (25 Oct 2020) notes:
#.  I like this limitation, but I expect that it'll need to change in the
#.  future. Even with LSMs, we see the need for arbitrary stacking, and the
#.  idea of there being only 1 supervisor will eventually break down. Right
#.  now there is only 1 because only container managers are using this
#.  feature. But if some daemon starts using it to isolate some thread,
#.  suddenly it might break if a container manager is trying to listen to it
#.  too, etc. I expect it won't be needed soon, but I do think it'll change.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<seccomp>(2)  I<flags> argument includes the flag "
"B<SECCOMP_FILTER_FLAG_NEW_LISTENER>.  Consequently, the return value of the "
"(successful)  B<seccomp>(2)  call is a new \"listening\" file descriptor "
"that can be used to receive notifications.  Only one \"listening\" seccomp "
"filter can be installed for a thread."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In cases where it is appropriate, the seccomp filter returns the action "
"value B<SECCOMP_RET_USER_NOTIF>.  This return value will trigger a "
"notification event."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(2)"
msgstr ""

#.  Jann Horn:
#.      Instead of using unix domain sockets to send the fd to the
#.      parent, I think you could also use clone3() with
#.      flags==CLONE_FILES|SIGCHLD, dup2() the seccomp fd to an fd
#.      that was reserved in the parent, call unshare(CLONE_FILES)
#.      in the child after setting up the seccomp fd, and wake
#.      up the parent with something like pthread_cond_signal()?
#.      I'm not sure whether that'd look better or worse in the
#.      end though, so maybe just ignore this comment.
#. -------------------------------------
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In order that the supervisor can obtain notifications using the listening "
"file descriptor, (a duplicate of) that file descriptor must be passed from "
"the target to the supervisor.  One way in which this could be done is by "
"passing the file descriptor over a UNIX domain socket connection between the "
"target and the supervisor (using the B<SCM_RIGHTS> ancillary message type "
"described in B<unix>(7)).  Another way to do this is through the use of "
"B<pidfd_getfd>(2)."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(3)"
msgstr ""

#. -------------------------------------
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The supervisor will receive notification events on the listening file "
"descriptor.  These events are returned as structures of type "
"I<seccomp_notif>.  Because this structure and its size may evolve over "
"kernel versions, the supervisor must first determine the size of this "
"structure using the B<seccomp>(2)  B<SECCOMP_GET_NOTIF_SIZES> operation, "
"which returns a structure of type I<seccomp_notif_sizes>.  The supervisor "
"allocates a buffer of size I<seccomp_notif_sizes.seccomp_notif> bytes to "
"receive notification events.  In addition,the supervisor allocates another "
"buffer of size I<seccomp_notif_sizes.seccomp_notif_resp> bytes for the "
"response (a I<struct seccomp_notif_resp> structure)  that it will provide to "
"the kernel (and thus the target)."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(4)"
msgstr ""

#. -------------------------------------
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The target then performs its workload, which includes system calls that will "
"be controlled by the seccomp filter.  Whenever one of these system calls "
"causes the filter to return the B<SECCOMP_RET_USER_NOTIF> action value, the "
"kernel does I<not> (yet) execute the system call; instead, execution of the "
"target is temporarily blocked inside the kernel (in a sleep state that is "
"interruptible by signals)  and a notification event is generated on the "
"listening file descriptor."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(5)"
msgstr ""

#
#
#
#.  FIXME
#.  Christian Brauner:
#.  Do we support O_NONBLOCK with SECCOMP_IOCTL_NOTIF_RECV and if
#.  not should we?
#.  Michael Kerrisk:
#.  A quick test suggests that O_NONBLOCK has no effect on the blocking
#.  behavior of SECCOMP_IOCTL_NOTIF_RECV.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The supervisor can now repeatedly monitor the listening file descriptor for "
"B<SECCOMP_RET_USER_NOTIF>-triggered events.  To do this, the supervisor uses "
"the B<SECCOMP_IOCTL_NOTIF_RECV> B<ioctl>(2)  operation to read information "
"about a notification event; this operation blocks until an event is "
"available.  The operation returns a I<seccomp_notif> structure containing "
"information about the system call that is being attempted by the target.  "
"(As described in NOTES, the file descriptor can also be monitored with "
"B<select>(2), B<poll>(2), or B<epoll>(7).)"
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(6)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I<seccomp_notif> structure returned by the B<SECCOMP_IOCTL_NOTIF_RECV> "
"operation includes the same information (a I<seccomp_data> structure) that "
"was passed to the seccomp filter.  This information allows the supervisor to "
"discover the system call number and the arguments for the target's system "
"call.  In addition, the notification event contains the ID of the thread "
"that triggered the notification and a unique cookie value that is used in "
"subsequent B<SECCOMP_IOCTL_NOTIF_ID_VALID> and B<SECCOMP_IOCTL_NOTIF_SEND> "
"operations."
msgstr ""

#.  Tycho Andersen mentioned that there are alternatives to /proc/PID/mem,
#.  such as ptrace() and /proc/PID/map_files
#. -------------------------------------
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The information in the notification can be used to discover the values of "
"pointer arguments for the target's system call.  (This is something that "
"can't be done from within a seccomp filter.)  One way in which the "
"supervisor can do this is to open the corresponding I</proc/>tidI</mem> file "
"(see B<proc>(5))  and read bytes from the location that corresponds to one "
"of the pointer arguments whose value is supplied in the notification event.  "
"(The supervisor must be careful to avoid a race condition that can occur "
"when doing this; see the description of the B<SECCOMP_IOCTL_NOTIF_ID_VALID> "
"B<ioctl>(2)  operation below.)  In addition, the supervisor can access other "
"system information that is visible in user space but which is not accessible "
"from a seccomp filter."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(7)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Having obtained information as per the previous step, the supervisor may "
"then choose to perform an action in response to the target's system call "
"(which, as noted above, is not executed when the seccomp filter returns the "
"B<SECCOMP_RET_USER_NOTIF> action value)."
msgstr ""

#. -------------------------------------
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"One example use case here relates to containers.  The target may be located "
"inside a container where it does not have sufficient capabilities to mount a "
"filesystem in the container's mount namespace.  However, the supervisor may "
"be a more privileged process that does have sufficient capabilities to "
"perform the mount operation."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(8)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The supervisor then sends a response to the notification.  The information "
"in this response is used by the kernel to construct a return value for the "
"target's system call and provide a value that will be assigned to the "
"I<errno> variable of the target."
msgstr ""

#. -------------------------------------
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The response is sent using the B<SECCOMP_IOCTL_NOTIF_SEND> B<ioctl>(2)  "
"operation, which is used to transmit a I<seccomp_notif_resp> structure to "
"the kernel.  This structure includes a cookie value that the supervisor "
"obtained in the I<seccomp_notif> structure returned by the "
"B<SECCOMP_IOCTL_NOTIF_RECV> operation.  This cookie value allows the kernel "
"to associate the response with the target.  This structure must include the "
"cookie value that the supervisor obtained in the I<seccomp_notif> structure "
"returned by the B<SECCOMP_IOCTL_NOTIF_RECV> operation; the cookie allows the "
"kernel to associate the response with the target."
msgstr ""

#. type: IP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "(9)"
msgstr ""

#. -------------------------------------
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Once the notification has been sent, the system call in the target thread "
"unblocks, returning the information that was provided by the supervisor in "
"the notification response."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"As a variation on the last two steps, the supervisor can send a response "
"that tells the kernel that it should execute the target thread's system "
"call; see the discussion of B<SECCOMP_USER_NOTIF_FLAG_CONTINUE>, below."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "IOCTL OPERATIONS"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The following B<ioctl>(2)  operations are supported by the seccomp user-"
"space notification file descriptor.  For each of these operations, the first "
"(file descriptor) argument of B<ioctl>(2)  is the listening file descriptor "
"returned by a call to B<seccomp>(2)  with the "
"B<SECCOMP_FILTER_FLAG_NEW_LISTENER> flag."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SECCOMP_IOCTL_NOTIF_RECV"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<SECCOMP_IOCTL_NOTIF_RECV> operation (available since Linux 5.0) is "
"used to obtain a user-space notification event.  If no such event is "
"currently pending, the operation blocks until an event occurs.  The third "
"B<ioctl>(2)  argument is a pointer to a structure of the following form "
"which contains information about the event.  This structure must be zeroed "
"out before the call."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct seccomp_notif {\n"
"    __u64  id;              /* Cookie */\n"
"    __u32  pid;             /* TID of target thread */\n"
"    __u32  flags;           /* Currently unused (0) */\n"
"    struct seccomp_data data;   /* See seccomp(2) */\n"
"};\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The fields in this structure are as follows:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<id>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This is a cookie for the notification.  Each such cookie is guaranteed to be "
"unique for the corresponding seccomp filter."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The cookie can be used with the B<SECCOMP_IOCTL_NOTIF_ID_VALID> B<ioctl>(2)  "
"operation described below."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When returning a notification response to the kernel, the supervisor must "
"include the cookie value in the I<seccomp_notif_resp> structure that is "
"specified as the argument of the B<SECCOMP_IOCTL_NOTIF_SEND> operation."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<pid>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This is the thread ID of the target thread that triggered the notification "
"event."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<flags>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This is a bit mask of flags providing further information on the event.  In "
"the current implementation, this field is always zero."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<data>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This is a I<seccomp_data> structure containing information about the system "
"call that triggered the notification.  This is the same structure that is "
"passed to the seccomp filter.  See B<seccomp>(2)  for details of this "
"structure."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"On success, this operation returns 0; on failure, -1 is returned, and "
"I<errno> is set to indicate the cause of the error.  This operation can fail "
"with the following errors:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EINVAL> (since Linux 5.5)"
msgstr ""

#.  commit 2882d53c9c6f3b8311d225062522f03772cf0179
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I<seccomp_notif> structure that was passed to the call contained nonzero "
"fields."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<ENOENT>"
msgstr ""

#
#
#
#
#
#.  FIXME
#.  From my experiments,
#.  it appears that if a SECCOMP_IOCTL_NOTIF_RECV is done after
#.  the target thread terminates, then the ioctl() simply
#.  blocks (rather than returning an error to indicate that the
#.  target no longer exists).
#.  I found that surprising, and it required some contortions in
#.  the example program.  It was not possible to code my SIGCHLD
#.  handler (which reaps the zombie when the worker/target
#.  terminates) to simply set a flag checked in the main
#.  handleNotifications() loop, since this created an
#.  unavoidable race where the child might terminate just after
#.  I had checked the flag, but before I blocked (forever!) in the
#.  SECCOMP_IOCTL_NOTIF_RECV operation. Instead, I had to code
#.  the signal handler to simply call _exit(2) in order to
#.  terminate the parent process (the supervisor).
#.  Is this expected behavior? It seems to me rather
#.  desirable that SECCOMP_IOCTL_NOTIF_RECV should give an error
#.  if the target has terminated.
#.  Jann posted a patch to rectify this, but there was no response
#.  (Lore link: https://bit.ly/3jvUBxk) to his question about fixing
#.  this issue. (I've tried building with the patch, but encountered
#.  an issue with the target process entering D state after a signal.)
#.  For now, this behavior is documented in BUGS.
#.  Kees Cook commented: Let's change [this] ASAP!
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The target thread was killed by a signal as the notification information was "
"being generated, or the target's (blocked) system call was interrupted by a "
"signal handler."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SECCOMP_IOCTL_NOTIF_ID_VALID"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<SECCOMP_IOCTL_NOTIF_ID_VALID> operation (available since Linux 5.0) is "
"used to check that a notification ID returned by an earlier "
"B<SECCOMP_IOCTL_NOTIF_RECV> operation is still valid (i.e., that the target "
"still exists and its system call is still blocked waiting for a response)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The third B<ioctl>(2)  argument is a pointer to the cookie (I<id>)  returned "
"by the B<SECCOMP_IOCTL_NOTIF_RECV> operation."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This operation is necessary to avoid race conditions that can occur when the "
"I<pid> returned by the B<SECCOMP_IOCTL_NOTIF_RECV> operation terminates, and "
"that process ID is reused by another process.  An example of this kind of "
"race is the following"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A notification is generated on the listening file descriptor.  The returned "
"I<seccomp_notif> contains the TID of the target thread (in the I<pid> field "
"of the structure)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The target terminates."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Another thread or process is created on the system that by chance reuses the "
"TID that was freed when the target terminated."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The supervisor B<open>(2)s the I</proc/>tidI</mem> file for the TID obtained "
"in step 1, with the intention of (say)  inspecting the memory location(s) "
"that containing the argument(s) of the system call that triggered the "
"notification in step 1."
msgstr ""

#.  Jann Horn:
#.      the PID can be reused, but the /proc/$pid directory is
#.      internally not associated with the numeric PID, but,
#.      conceptually speaking, with a specific incarnation of the
#.      PID, or something like that.  (Actually, it is associated
#.      with the "struct pid", which is not reused, instead of the
#.      numeric PID.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the above scenario, the risk is that the supervisor may try to access the "
"memory of a process other than the target.  This race can be avoided by "
"following the call to B<open>(2)  with a B<SECCOMP_IOCTL_NOTIF_ID_VALID> "
"operation to verify that the process that generated the notification is "
"still alive.  (Note that if the target terminates after the latter step, a "
"subsequent B<read>(2)  from the file descriptor may return 0, indicating end "
"of file.)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"See NOTES for a discussion of other cases where "
"B<SECCOMP_IOCTL_NOTIF_ID_VALID> checks must be performed."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"On success (i.e., the notification ID is still valid), this operation "
"returns 0.  On failure (i.e., the notification ID is no longer valid), -1 is "
"returned, and I<errno> is set to B<ENOENT>."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SECCOMP_IOCTL_NOTIF_SEND"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<SECCOMP_IOCTL_NOTIF_SEND> operation (available since Linux 5.0)  is "
"used to send a notification response back to the kernel.  The third "
"B<ioctl>(2)  argument of this structure is a pointer to a structure of the "
"following form:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct seccomp_notif_resp {\n"
"    __u64 id;           /* Cookie value */\n"
"    __s64 val;          /* Success return value */\n"
"    __s32 error;        /* 0 (success) or negative error number */\n"
"    __u32 flags;        /* See below */\n"
"};\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The fields of this structure are as follows:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This is the cookie value that was obtained using the "
"B<SECCOMP_IOCTL_NOTIF_RECV> operation.  This cookie value allows the kernel "
"to correctly associate this response with the system call that triggered the "
"user-space notification."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<val>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This is the value that will be used for a spoofed success return for the "
"target's system call; see below."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<error>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This is the value that will be used as the error number (I<errno>)  for a "
"spoofed error return for the target's system call; see below."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "This is a bit mask that includes zero or more of the following flags:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_USER_NOTIF_FLAG_CONTINUE> (since Linux 5.5)"
msgstr ""

#.  commit fb3c5386b382d4097476ce9647260fc89b34afdb
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Tell the kernel to execute the target's system call."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Two kinds of response are possible:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A response to the kernel telling it to execute the target's system call.  In "
"this case, the I<flags> field includes B<SECCOMP_USER_NOTIF_FLAG_CONTINUE> "
"and the I<error> and I<val> fields must be zero."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This kind of response can be useful in cases where the supervisor needs to "
"do deeper analysis of the target's system call than is possible from a "
"seccomp filter (e.g., examining the values of pointer arguments), and, "
"having decided that the system call does not require emulation by the "
"supervisor, the supervisor wants the system call to be executed normally in "
"the target."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<SECCOMP_USER_NOTIF_FLAG_CONTINUE> flag should be used with caution; "
"see NOTES."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A spoofed return value for the target's system call.  In this case, the "
"kernel does not execute the target's system call, instead causing the system "
"call to return a spoofed value as specified by fields of the "
"I<seccomp_notif_resp> structure.  The supervisor should set the fields of "
"this structure as follows:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "I<flags> does not contain B<SECCOMP_USER_NOTIF_FLAG_CONTINUE>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<error> is set either to 0 for a spoofed \"success\" return or to a "
"negative error number for a spoofed \"failure\" return.  In the former case, "
"the kernel causes the target's system call to return the value specified in "
"the I<val> field.  In the latter case, the kernel causes the target's system "
"call to return -1, and I<errno> is assigned the negated I<error> value."
msgstr ""

#
#
#
#.  FIXME
#.  Kees Cook suggested:
#.  Strictly speaking, this is architecture specific, but
#.  all architectures do it this way. Should seccomp enforce
#.  val == 0 when err != 0 ?
#.  Christian Brauner
#.  Feels like it should, at least for the SEND ioctl where we already
#.  verify that val and err are both 0 when CONTINUE is specified (as you
#.  pointed out correctly above).
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"I<val> is set to a value that will be used as the return value for a spoofed "
"\"success\" return for the target's system call.  The value in this field is "
"ignored if the I<error> field contains a nonzero value."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EINPROGRESS>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "A response to this notification has already been sent."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EINVAL>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "An invalid value was specified in the I<flags field.>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The I<flags> field contained B<SECCOMP_USER_NOTIF_FLAG_CONTINUE>, and the "
"I<error> or I<val> field was not zero."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The blocked system call in the target has been interrupted by a signal "
"handler or the target has terminated."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SECCOMP_IOCTL_NOTIF_ADDFD"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<SECCOMP_IOCTL_NOTIF_ADDFD> operation (available since Linux 5.9)  "
"allows the supervisor to install a file descriptor into the target's file "
"descriptor table.  Much like the use of B<SCM_RIGHTS> messages described in "
"B<unix>(7), this operation is semantically equivalent to duplicating a file "
"descriptor from the supervisor's file descriptor table into the target's "
"file descriptor table."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<SECCOMP_IOCTL_NOTIF_ADDFD> operation permits the supervisor to emulate "
"a target system call (such as B<socket>(2)  or B<openat>(2))  that generates "
"a file descriptor.  The supervisor can perform the system call that "
"generates the file descriptor (and associated open file description)  and "
"then use this operation to allocate a file descriptor that refers to the "
"same open file description in the target.  (For an explanation of open file "
"descriptions, see B<open>(2).)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Once this operation has been performed, the supervisor can close its copy of "
"the file descriptor."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the target, the received file descriptor is subject to the same Linux "
"Security Module (LSM) checks as are applied to a file descriptor that is "
"received in an B<SCM_RIGHTS> ancillary message.  If the file descriptor "
"refers to a socket, it inherits the cgroup version 1 network controller "
"settings (I<classid> and I<netprioidx>)  of the target."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The third B<ioctl>(2)  argument is a pointer to a structure of the following "
"form:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid ""
"struct seccomp_notif_addfd {\n"
"    __u64 id;           /* Cookie value */\n"
"    __u32 flags;        /* Flags */\n"
"    __u32 srcfd;        /* Local file descriptor number */\n"
"    __u32 newfd;        /* 0 or desired file descriptor\n"
"                           number in target */\n"
"    __u32 newfd_flags;  /* Flags to set on target file\n"
"                           descriptor */\n"
"};\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This field should be set to the notification ID (cookie value) that was "
"obtained via B<SECCOMP_IOCTL_NOTIF_RECV>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This field is a bit mask of flags that modify the behavior of the "
"operation.  Currently, only one flag is supported:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_ADDFD_FLAG_SETFD>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When allocating the file descriptor in the target, use the file descriptor "
"number specified in the I<newfd> field."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<SECCOMP_ADDFD_FLAG_SEND> (since Linux 5.14)"
msgstr ""

#.  commit 0ae71c7720e3ae3aabd2e8a072d27f7bd173d25c
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Perform the equivalent of B<SECCOMP_IOCTL_NOTIF_ADDFD> plus "
"B<SECCOMP_IOCTL_NOTIF_SEND> as an atomic operation.  On successful "
"invocation, the target process's I<errno> will be 0 and the return value "
"will be the file descriptor number that was allocated in the target.  If "
"allocating the file descriptor in the target fails, the target's system call "
"continues to be blocked until a successful response is sent."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<srcfd>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This field should be set to the number of the file descriptor in the "
"supervisor that is to be duplicated."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<newfd>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This field determines which file descriptor number is allocated in the "
"target.  If the B<SECCOMP_ADDFD_FLAG_SETFD> flag is set, then this field "
"specifies which file descriptor number should be allocated.  If this file "
"descriptor number is already open in the target, it is atomically closed and "
"reused.  If the descriptor duplication fails due to an LSM check, or if "
"I<srcfd> is not a valid file descriptor, the file descriptor I<newfd> will "
"not be closed in the target process."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the B<SECCOMP_ADDFD_FLAG_SETFD> flag it not set, then this field must be "
"0, and the kernel allocates the lowest unused file descriptor number in the "
"target."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "I<newfd_flags>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This field is a bit mask specifying flags that should be set on the file "
"descriptor that is received in the target process.  Currently, only the "
"following flag is implemented:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<O_CLOEXEC>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Set the close-on-exec flag on the received file descriptor."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"On success, this B<ioctl>(2)  call returns the number of the file descriptor "
"that was allocated in the target.  Assuming that the emulated system call is "
"one that returns a file descriptor as its function result (e.g., "
"B<socket>(2)), this value can be used as the return value (I<resp.val>)  "
"that is supplied in the response that is subsequently sent with the "
"B<SECCOMP_IOCTL_NOTIF_SEND> operation."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"On error, -1 is returned and I<errno> is set to indicate the cause of the "
"error."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "This operation can fail with the following errors:"
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EBADF>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Allocating the file descriptor in the target would cause the target's "
"B<RLIMIT_NOFILE> limit to be exceeded (see B<getrlimit>(2))."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EBUSY>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the flag B<SECCOMP_IOCTL_NOTIF_SEND> is used, this means the operation "
"can't proceed until other B<SECCOMP_IOCTL_NOTIF_ADDFD> requests are "
"processed."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The user-space notification specified in the I<id> field exists but has not "
"yet been fetched (by a B<SECCOMP_IOCTL_NOTIF_RECV>)  or has already been "
"responded to (by a B<SECCOMP_IOCTL_NOTIF_SEND>)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"An invalid flag was specified in the I<flags> or I<newfd_flags> field, or "
"the I<newfd> field is nonzero and the B<SECCOMP_ADDFD_FLAG_SETFD> flag was "
"not specified in the I<flags> field."
msgstr ""

#. type: TP
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "B<EMFILE>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The file descriptor number specified in I<newfd> exceeds the limit specified "
"in I</proc/sys/fs/nr_open>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Here is some sample code (with error handling omitted) that uses the "
"B<SECCOMP_ADDFD_FLAG_SETFD> operation (here, to emulate a call to "
"B<openat>(2)):"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"int fd, removeFd;\n"
"\\&\n"
"fd = openat(req-E<gt>data.args[0], path, req-E<gt>data.args[2],\n"
"                req-E<gt>data.args[3]);\n"
"\\&\n"
"struct seccomp_notif_addfd addfd;\n"
"addfd.id = req-E<gt>id; /* Cookie from SECCOMP_IOCTL_NOTIF_RECV */\n"
"addfd.srcfd = fd;\n"
"addfd.newfd = 0;\n"
"addfd.flags = 0;\n"
"addfd.newfd_flags = O_CLOEXEC;\n"
"\\&\n"
"targetFd = ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);\n"
"\\&\n"
"close(fd);          /* No longer needed in supervisor */\n"
"\\&\n"
"struct seccomp_notif_resp *resp;\n"
"    /* Code to allocate 'resp' omitted */\n"
"resp-E<gt>id = req-E<gt>id;\n"
"resp-E<gt>error = 0;        /* \"Success\" */\n"
"resp-E<gt>val = targetFd;\n"
"resp-E<gt>flags = 0;\n"
"ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_SEND, resp);\n"
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "NOTES"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"One example use case for the user-space notification mechanism is to allow a "
"container manager (a process which is typically running with more privilege "
"than the processes inside the container)  to mount block devices or create "
"device nodes for the container.  The mount use case provides an example of "
"where the B<SECCOMP_USER_NOTIF_FLAG_CONTINUE> B<ioctl>(2)  operation is "
"useful.  Upon receiving a notification for the B<mount>(2)  system call, the "
"container manager (the \"supervisor\") can distinguish a request to mount a "
"block filesystem (which would not be possible for a \"target\" process "
"inside the container)  and mount that file system.  If, on the other hand, "
"the container manager detects that the operation could be performed by the "
"process inside the container (e.g., a mount of a B<tmpfs>(5)  filesystem), "
"it can notify the kernel that the target process's B<mount>(2)  system call "
"can continue."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "select()/poll()/epoll semantics"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The file descriptor returned when B<seccomp>(2)  is employed with the "
"B<SECCOMP_FILTER_FLAG_NEW_LISTENER> flag can be monitored using B<poll>(2), "
"B<epoll>(7), and B<select>(2).  These interfaces indicate that the file "
"descriptor is ready as follows:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When a notification is pending, these interfaces indicate that the file "
"descriptor is readable.  Following such an indication, a subsequent "
"B<SECCOMP_IOCTL_NOTIF_RECV> B<ioctl>(2)  will not block, returning either "
"information about a notification or else failing with the error B<EINTR> if "
"the target has been killed by a signal or its system call has been "
"interrupted by a signal handler."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"After the notification has been received (i.e., by the "
"B<SECCOMP_IOCTL_NOTIF_RECV> B<ioctl>(2)  operation), these interfaces "
"indicate that the file descriptor is writable, meaning that a notification "
"response can be sent using the B<SECCOMP_IOCTL_NOTIF_SEND> B<ioctl>(2)  "
"operation."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"After the last thread using the filter has terminated and been reaped using "
"B<waitpid>(2)  (or similar), the file descriptor indicates an end-of-file "
"condition (readable in B<select>(2); B<POLLHUP>/B<EPOLLHUP> in B<poll>(2)/ "
"B<epoll_wait>(2))."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Design goals; use of SECCOMP_USER_NOTIF_FLAG_CONTINUE"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The intent of the user-space notification feature is to allow system calls "
"to be performed on behalf of the target.  The target's system call should "
"either be handled by the supervisor or allowed to continue normally in the "
"kernel (where standard security policies will be applied)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"B<Note well>: this mechanism must not be used to make security policy "
"decisions about the system call, which would be inherently race-prone for "
"reasons described next."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The B<SECCOMP_USER_NOTIF_FLAG_CONTINUE> flag must be used with caution.  If "
"set by the supervisor, the target's system call will continue.  However, "
"there is a time-of-check, time-of-use race here, since an attacker could "
"exploit the interval of time where the target is blocked waiting on the "
"\"continue\" response to do things such as rewriting the system call "
"arguments."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Note furthermore that a user-space notifier can be bypassed if the existing "
"filters allow the use of B<seccomp>(2)  or B<prctl>(2)  to install a filter "
"that returns an action value with a higher precedence than "
"B<SECCOMP_RET_USER_NOTIF> (see B<seccomp>(2))."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"It should thus be absolutely clear that the seccomp user-space notification "
"mechanism B<can not> be used to implement a security policy! It should only "
"ever be used in scenarios where a more privileged process supervises the "
"system calls of a lesser privileged target to get around kernel-enforced "
"security restrictions when the supervisor deems this safe.  In other words, "
"in order to continue a system call, the supervisor should be sure that "
"another security mechanism or the kernel itself will sufficiently block the "
"system call if its arguments are rewritten to something unsafe."
msgstr ""

#. type: SS
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Caveats regarding the use of I</proc/>tidI</mem>"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The discussion above noted the need to use the "
"B<SECCOMP_IOCTL_NOTIF_ID_VALID> B<ioctl>(2)  when opening the I</proc/>tidI</"
"mem> file of the target to avoid the possibility of accessing the memory of "
"the wrong process in the event that the target terminates and its ID is "
"recycled by another (unrelated) thread.  However, the use of this "
"B<ioctl>(2)  operation is also necessary in other situations, as explained "
"in the following paragraphs."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Consider the following scenario, where the supervisor tries to read the "
"pathname argument of a target's blocked B<mount>(2)  system call:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"From one of its functions (I<func()>), the target calls B<mount>(2), which "
"triggers a user-space notification and causes the target to block."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The supervisor receives the notification, opens I</proc/>tidI</mem>, and "
"(successfully) performs the B<SECCOMP_IOCTL_NOTIF_ID_VALID> check."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The target receives a signal, which causes the B<mount>(2)  to abort."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "The signal handler executes in the target, and returns."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Upon return from the handler, the execution of I<func()> resumes, and it "
"returns (and perhaps other functions are called, overwriting the memory that "
"had been used for the stack frame of I<func()>)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Using the address provided in the notification information, the supervisor "
"reads from the target's memory location that used to contain the pathname."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The supervisor now calls B<mount>(2)  with some arbitrary bytes obtained in "
"the previous step."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The conclusion from the above scenario is this: since the target's blocked "
"system call may be interrupted by a signal handler, the supervisor must be "
"written to expect that the target may abandon its system call at B<any> "
"time; in such an event, any information that the supervisor obtained from "
"the target's memory must be considered invalid."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"To prevent such scenarios, every read from the target's memory must be "
"separated from use of the bytes so obtained by a "
"B<SECCOMP_IOCTL_NOTIF_ID_VALID> check.  In the above example, the check "
"would be placed between the two final steps.  An example of such a check is "
"shown in EXAMPLES."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Following on from the above, it should be clear that a write by the "
"supervisor into the target's memory can B<never> be considered safe."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Caveats regarding blocking system calls"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Suppose that the target performs a blocking system call (e.g., "
"B<accept>(2))  that the supervisor should handle.  The supervisor might then "
"in turn execute the same blocking system call."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In this scenario, it is important to note that if the target's system call "
"is now interrupted by a signal, the supervisor is I<not> informed of this.  "
"If the supervisor does not take suitable steps to actively discover that the "
"target's system call has been canceled, various difficulties can occur.  "
"Taking the example of B<accept>(2), the supervisor might remain blocked in "
"its B<accept>(2)  holding a port number that the target (which, after the "
"interruption by the signal handler, perhaps closed its listening socket) "
"might expect to be able to reuse in a B<bind>(2)  call."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Therefore, when the supervisor wishes to emulate a blocking system call, it "
"must do so in such a way that it gets informed if the target's system call "
"is interrupted by a signal handler.  For example, if the supervisor itself "
"executes the same blocking system call, then it could employ a separate "
"thread that uses the B<SECCOMP_IOCTL_NOTIF_ID_VALID> operation to check if "
"the target is still blocked in its system call.  Alternatively, in the "
"B<accept>(2)  example, the supervisor might use B<poll>(2)  to monitor both "
"the notification file descriptor (so as to discover when the target's "
"B<accept>(2)  call has been interrupted) and the listening file descriptor "
"(so as to know when a connection is available)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the target's system call is interrupted, the supervisor must take care to "
"release resources (e.g., file descriptors)  that it acquired on behalf of "
"the target."
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Interaction with SA_RESTART signal handlers"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "Consider the following scenario:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The target process has used B<sigaction>(2)  to install a signal handler "
"with the B<SA_RESTART> flag."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The target has made a system call that triggered a seccomp user-space "
"notification and the target is currently blocked until the supervisor sends "
"a notification response."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "A signal is delivered to the target and the signal handler is executed."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"When (if) the supervisor attempts to send a notification response, the "
"B<SECCOMP_IOCTL_NOTIF_SEND> B<ioctl>(2))  operation will fail with the "
"B<ENOENT> error."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In this scenario, the kernel will restart the target's system call.  "
"Consequently, the supervisor will receive another user-space notification.  "
"Thus, depending on how many times the blocked system call is interrupted by "
"a signal handler, the supervisor may receive multiple notifications for the "
"same instance of a system call in the target."
msgstr ""

#
#
#.  FIXME
#.  About the above, Kees Cook commented:
#.  Does this need fixing? I imagine the correct behavior for this case
#.  would be a response to _SEND of EINPROGRESS and the target would see
#.  EINTR normally?
#.  I mean, it's not like seccomp doesn't already expose weirdness with
#.  syscall restarts. Not even arm64 compat agrees[3] with arm32 in this
#.  regard. :(
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"One oddity is that system call restarting as described in this scenario will "
"occur even for the blocking system calls listed in B<signal>(7)  that would "
"B<never> normally be restarted by the B<SA_RESTART> flag."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Furthermore, if the supervisor response is a file descriptor added with "
"B<SECCOMP_IOCTL_NOTIF_ADDFD>, then the flag B<SECCOMP_ADDFD_FLAG_SEND> can "
"be used to atomically add the file descriptor and return that value, making "
"sure no file descriptors are inadvertently leaked into the target."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "BUGS"
msgstr ""

#
#.  or a poll/epoll/select
#.  FIXME
#.  Comment from Kees Cook:
#.  I want this fixed. It caused me no end of pain when building the
#.  selftests, and ended up spawning my implementing a global test timeout
#.  in kselftest. :P Before the usage counter refactor, there was no sane
#.  way to deal with this, but now I think we're close.
#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If a B<SECCOMP_IOCTL_NOTIF_RECV> B<ioctl>(2)  operation is performed after "
"the target terminates, then the B<ioctl>(2)  call simply blocks (rather than "
"returning an error to indicate that the target no longer exists)."
msgstr ""

#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "EXAMPLES"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The (somewhat contrived) program shown below demonstrates the use of the "
"interfaces described in this page.  The program creates a child process that "
"serves as the \"target\" process.  The child process installs a seccomp "
"filter that returns the B<SECCOMP_RET_USER_NOTIF> action value if a call is "
"made to B<mkdir>(2).  The child process then calls B<mkdir>(2)  once for "
"each of the supplied command-line arguments, and reports the result returned "
"by the call.  After processing all arguments, the child process terminates."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"The parent process acts as the supervisor, listening for the notifications "
"that are generated when the target process calls B<mkdir>(2).  When such a "
"notification occurs, the supervisor examines the memory of the target "
"process (using I</proc/>pidI</mem>)  to discover the pathname argument that "
"was supplied to the B<mkdir>(2)  call, and performs one of the following "
"actions:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the pathname begins with the prefix \"/tmp/\", then the supervisor "
"attempts to create the specified directory, and then spoofs a return for the "
"target process based on the return value of the supervisor's B<mkdir>(2)  "
"call.  In the event that that call succeeds, the spoofed success return "
"value is the length of the pathname."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the pathname begins with \"./\" (i.e., it is a relative pathname), the "
"supervisor sends a B<SECCOMP_USER_NOTIF_FLAG_CONTINUE> response to the "
"kernel to say that the kernel should execute the target process's "
"B<mkdir>(2)  call."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the pathname begins with some other prefix, the supervisor spoofs an "
"error return for the target process, so that the target process's "
"B<mkdir>(2)  call appears to fail with the error B<EOPNOTSUPP> (\"Operation "
"not supported\").  Additionally, if the specified pathname is exactly \"/"
"bye\", then the supervisor terminates."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"This program can be used to demonstrate various aspects of the behavior of "
"the seccomp user-space notification mechanism.  To help aid such "
"demonstrations, the program logs various messages to show the operation of "
"the target process (lines prefixed \"T:\") and the supervisor (indented "
"lines prefixed \"S:\")."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the following example, the target attempts to create the directory I</tmp/"
"x>.  Upon receiving the notification, the supervisor creates the directory "
"on the target's behalf, and spoofs a success return to be received by the "
"target process's B<mkdir>(2)  call."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<./seccomp_unotify /tmp/x>\n"
"T: PID = 23168\n"
"\\&\n"
"T: about to mkdir(\"/tmp/x\")\n"
"        S: got notification (ID 0x17445c4a0f4e0e3c) for PID 23168\n"
"        S: executing: mkdir(\"/tmp/x\", 0700)\n"
"        S: success! spoofed return = 6\n"
"        S: sending response (flags = 0; val = 6; error = 0)\n"
"T: SUCCESS: mkdir(2) returned 6\n"
"\\&\n"
"T: terminating\n"
"        S: target has terminated; bye\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the above output, note that the spoofed return value seen by the target "
"process is 6 (the length of the pathname I</tmp/x>), whereas a normal "
"B<mkdir>(2)  call returns 0 on success."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the next example, the target attempts to create a directory using the "
"relative pathname I<./sub>.  Since this pathname starts with \"./\", the "
"supervisor sends a B<SECCOMP_USER_NOTIF_FLAG_CONTINUE> response to the "
"kernel, and the kernel then (successfully) executes the target process's "
"B<mkdir>(2)  call."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<./seccomp_unotify ./sub>\n"
"T: PID = 23204\n"
"\\&\n"
"T: about to mkdir(\"./sub\")\n"
"        S: got notification (ID 0xddb16abe25b4c12) for PID 23204\n"
"        S: target can execute system call\n"
"        S: sending response (flags = 0x1; val = 0; error = 0)\n"
"T: SUCCESS: mkdir(2) returned 0\n"
"\\&\n"
"T: terminating\n"
"        S: target has terminated; bye\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the target process attempts to create a directory with a pathname that "
"doesn't start with \".\" and doesn't begin with the prefix \"/tmp/\", then "
"the supervisor spoofs an error return (B<EOPNOTSUPP>, \"Operation not "
"supported\")  for the target's B<mkdir>(2)  call (which is not executed):"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<./seccomp_unotify /xxx>\n"
"T: PID = 23178\n"
"\\&\n"
"T: about to mkdir(\"/xxx\")\n"
"        S: got notification (ID 0xe7dc095d1c524e80) for PID 23178\n"
"        S: spoofing error response (Operation not supported)\n"
"        S: sending response (flags = 0; val = 0; error = -95)\n"
"T: ERROR: mkdir(2): Operation not supported\n"
"\\&\n"
"T: terminating\n"
"        S: target has terminated; bye\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"In the next example, the target process attempts to create a directory with "
"the pathname B</tmp/nosuchdir/b>.  Upon receiving the notification, the "
"supervisor attempts to create that directory, but the B<mkdir>(2)  call "
"fails because the directory B</tmp/nosuchdir> does not exist.  Consequently, "
"the supervisor spoofs an error return that passes the error that it received "
"back to the target process's B<mkdir>(2)  call."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<./seccomp_unotify /tmp/nosuchdir/b>\n"
"T: PID = 23199\n"
"\\&\n"
"T: about to mkdir(\"/tmp/nosuchdir/b\")\n"
"        S: got notification (ID 0x8744454293506046) for PID 23199\n"
"        S: executing: mkdir(\"/tmp/nosuchdir/b\", 0700)\n"
"        S: failure! (errno = 2; No such file or directory)\n"
"        S: sending response (flags = 0; val = 0; error = -2)\n"
"T: ERROR: mkdir(2): No such file or directory\n"
"\\&\n"
"T: terminating\n"
"        S: target has terminated; bye\n"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"If the supervisor receives a notification and sees that the argument of the "
"target's B<mkdir>(2)  is the string \"/bye\", then (as well as spoofing an "
"B<EOPNOTSUPP> error), the supervisor terminates.  If the target process "
"subsequently executes another B<mkdir>(2)  that triggers its seccomp filter "
"to return the B<SECCOMP_RET_USER_NOTIF> action value, then the kernel causes "
"the target process's system call to fail with the error B<ENOSYS> "
"(\"Function not implemented\").  This is demonstrated by the following "
"example:"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"$ B<./seccomp_unotify /bye /tmp/y>\n"
"T: PID = 23185\n"
"\\&\n"
"T: about to mkdir(\"/bye\")\n"
"        S: got notification (ID 0xa81236b1d2f7b0f4) for PID 23185\n"
"        S: spoofing error response (Operation not supported)\n"
"        S: sending response (flags = 0; val = 0; error = -95)\n"
"        S: terminating **********\n"
"T: ERROR: mkdir(2): Operation not supported\n"
"\\&\n"
"T: about to mkdir(\"/tmp/y\")\n"
"T: ERROR: mkdir(2): Function not implemented\n"
"\\&\n"
"T: terminating\n"
msgstr ""

#. type: SS
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "Program source"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable fedora-40 fedora-rawhide mageia-cauldron
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"#define _GNU_SOURCE\n"
"#include E<lt>err.hE<gt>\n"
"#include E<lt>errno.hE<gt>\n"
"#include E<lt>fcntl.hE<gt>\n"
"#include E<lt>limits.hE<gt>\n"
"#include E<lt>linux/audit.hE<gt>\n"
"#include E<lt>linux/filter.hE<gt>\n"
"#include E<lt>linux/seccomp.hE<gt>\n"
"#include E<lt>signal.hE<gt>\n"
"#include E<lt>stdbool.hE<gt>\n"
"#include E<lt>stddef.hE<gt>\n"
"#include E<lt>stdint.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>string.hE<gt>\n"
"#include E<lt>sys/ioctl.hE<gt>\n"
"#include E<lt>sys/prctl.hE<gt>\n"
"#include E<lt>sys/socket.hE<gt>\n"
"#include E<lt>sys/stat.hE<gt>\n"
"#include E<lt>sys/syscall.hE<gt>\n"
"#include E<lt>sys/types.hE<gt>\n"
"#include E<lt>sys/un.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
"\\&\n"
"#define ARRAY_SIZE(arr)  (sizeof(arr) / sizeof((arr)[0]))\n"
"\\&\n"
"/* Send the file descriptor \\[aq]fd\\[aq] over the connected UNIX domain socket\n"
"   \\[aq]sockfd\\[aq]. Returns 0 on success, or -1 on error. */\n"
"\\&\n"
"static int\n"
"sendfd(int sockfd, int fd)\n"
"{\n"
"    int             data;\n"
"    struct iovec    iov;\n"
"    struct msghdr   msgh;\n"
"    struct cmsghdr  *cmsgp;\n"
"\\&\n"
"    /* Allocate a char array of suitable size to hold the ancillary data.\n"
"       However, since this buffer is in reality a \\[aq]struct cmsghdr\\[aq], use a\n"
"       union to ensure that it is suitably aligned. */\n"
"    union {\n"
"        char   buf[CMSG_SPACE(sizeof(int))];\n"
"                        /* Space large enough to hold an \\[aq]int\\[aq] */\n"
"        struct cmsghdr align;\n"
"    } controlMsg;\n"
"\\&\n"
"    /* The \\[aq]msg_name\\[aq] field can be used to specify the address of the\n"
"       destination socket when sending a datagram. However, we do not\n"
"       need to use this field because \\[aq]sockfd\\[aq] is a connected socket. */\n"
"\\&\n"
"    msgh.msg_name = NULL;\n"
"    msgh.msg_namelen = 0;\n"
"\\&\n"
"    /* On Linux, we must transmit at least one byte of real data in\n"
"       order to send ancillary data. We transmit an arbitrary integer\n"
"       whose value is ignored by recvfd(). */\n"
"\\&\n"
"    msgh.msg_iov = &iov;\n"
"    msgh.msg_iovlen = 1;\n"
"    iov.iov_base = &data;\n"
"    iov.iov_len = sizeof(int);\n"
"    data = 12345;\n"
"\\&\n"
"    /* Set \\[aq]msghdr\\[aq] fields that describe ancillary data */\n"
"\\&\n"
"    msgh.msg_control = controlMsg.buf;\n"
"    msgh.msg_controllen = sizeof(controlMsg.buf);\n"
"\\&\n"
"    /* Set up ancillary data describing file descriptor to send */\n"
"\\&\n"
"    cmsgp = CMSG_FIRSTHDR(&msgh);\n"
"    cmsgp-E<gt>cmsg_level = SOL_SOCKET;\n"
"    cmsgp-E<gt>cmsg_type = SCM_RIGHTS;\n"
"    cmsgp-E<gt>cmsg_len = CMSG_LEN(sizeof(int));\n"
"    memcpy(CMSG_DATA(cmsgp), &fd, sizeof(int));\n"
"\\&\n"
"    /* Send real plus ancillary data */\n"
"\\&\n"
"    if (sendmsg(sockfd, &msgh, 0) == -1)\n"
"        return -1;\n"
"\\&\n"
"    return 0;\n"
"}\n"
"\\&\n"
"/* Receive a file descriptor on a connected UNIX domain socket. Returns\n"
"   the received file descriptor on success, or -1 on error. */\n"
"\\&\n"
"static int\n"
"recvfd(int sockfd)\n"
"{\n"
"    int            data, fd;\n"
"    ssize_t        nr;\n"
"    struct iovec   iov;\n"
"    struct msghdr  msgh;\n"
"\\&\n"
"    /* Allocate a char buffer for the ancillary data. See the comments\n"
"       in sendfd() */\n"
"    union {\n"
"        char   buf[CMSG_SPACE(sizeof(int))];\n"
"        struct cmsghdr align;\n"
"    } controlMsg;\n"
"    struct cmsghdr *cmsgp;\n"
"\\&\n"
"    /* The \\[aq]msg_name\\[aq] field can be used to obtain the address of the\n"
"       sending socket. However, we do not need this information. */\n"
"\\&\n"
"    msgh.msg_name = NULL;\n"
"    msgh.msg_namelen = 0;\n"
"\\&\n"
"    /* Specify buffer for receiving real data */\n"
"\\&\n"
"    msgh.msg_iov = &iov;\n"
"    msgh.msg_iovlen = 1;\n"
"    iov.iov_base = &data;       /* Real data is an \\[aq]int\\[aq] */\n"
"    iov.iov_len = sizeof(int);\n"
"\\&\n"
"    /* Set \\[aq]msghdr\\[aq] fields that describe ancillary data */\n"
"\\&\n"
"    msgh.msg_control = controlMsg.buf;\n"
"    msgh.msg_controllen = sizeof(controlMsg.buf);\n"
"\\&\n"
"    /* Receive real plus ancillary data; real data is ignored */\n"
"\\&\n"
"    nr = recvmsg(sockfd, &msgh, 0);\n"
"    if (nr == -1)\n"
"        return -1;\n"
"\\&\n"
"    cmsgp = CMSG_FIRSTHDR(&msgh);\n"
"\\&\n"
"    /* Check the validity of the \\[aq]cmsghdr\\[aq] */\n"
"\\&\n"
"    if (cmsgp == NULL\n"
"        || cmsgp-E<gt>cmsg_len != CMSG_LEN(sizeof(int))\n"
"        || cmsgp-E<gt>cmsg_level != SOL_SOCKET\n"
"        || cmsgp-E<gt>cmsg_type != SCM_RIGHTS)\n"
"    {\n"
"        errno = EINVAL;\n"
"        return -1;\n"
"    }\n"
"\\&\n"
"    /* Return the received file descriptor to our caller */\n"
"\\&\n"
"    memcpy(&fd, CMSG_DATA(cmsgp), sizeof(int));\n"
"    return fd;\n"
"}\n"
"\\&\n"
"static void\n"
"sigchldHandler(int sig)\n"
"{\n"
"    char msg[] = \"\\etS: target has terminated; bye\\en\";\n"
"\\&\n"
"    write(STDOUT_FILENO, msg, sizeof(msg) - 1);\n"
"    _exit(EXIT_SUCCESS);\n"
"}\n"
"\\&\n"
"static int\n"
"seccomp(unsigned int operation, unsigned int flags, void *args)\n"
"{\n"
"    return syscall(SYS_seccomp, operation, flags, args);\n"
"}\n"
"\\&\n"
"/* The following is the x86-64-specific BPF boilerplate code for checking\n"
"   that the BPF program is running on the right architecture + ABI. At\n"
"   completion of these instructions, the accumulator contains the system\n"
"   call number. */\n"
"\\&\n"
"/* For the x32 ABI, all system call numbers have bit 30 set */\n"
"\\&\n"
"#define X32_SYSCALL_BIT         0x40000000\n"
"\\&\n"
"#define X86_64_CHECK_ARCH_AND_LOAD_SYSCALL_NR \\e\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, \\e\n"
"                 (offsetof(struct seccomp_data, arch))), \\e\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 2), \\e\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, \\e\n"
"                 (offsetof(struct seccomp_data, nr))), \\e\n"
"        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1), \\e\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)\n"
"\\&\n"
"/* installNotifyFilter() installs a seccomp filter that generates\n"
"   user-space notifications (SECCOMP_RET_USER_NOTIF) when the process\n"
"   calls mkdir(2); the filter allows all other system calls.\n"
"\\&\n"
"   The function return value is a file descriptor from which the\n"
"   user-space notifications can be fetched. */\n"
"\\&\n"
"static int\n"
"installNotifyFilter(void)\n"
"{\n"
"    int notifyFd;\n"
"\\&\n"
"    struct sock_filter filter[] = {\n"
"        X86_64_CHECK_ARCH_AND_LOAD_SYSCALL_NR,\n"
"\\&\n"
"        /* mkdir() triggers notification to user-space supervisor */\n"
"\\&\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdir, 0, 1),\n"
"        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_USER_NOTIF),\n"
"\\&\n"
"        /* Every other system call is allowed */\n"
"\\&\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),\n"
"    };\n"
"\\&\n"
"    struct sock_fprog prog = {\n"
"        .len = ARRAY_SIZE(filter),\n"
"        .filter = filter,\n"
"    };\n"
"\\&\n"
"    /* Install the filter with the SECCOMP_FILTER_FLAG_NEW_LISTENER flag;\n"
"       as a result, seccomp() returns a notification file descriptor. */\n"
"\\&\n"
"    notifyFd = seccomp(SECCOMP_SET_MODE_FILTER,\n"
"                       SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);\n"
"    if (notifyFd == -1)\n"
"        err(EXIT_FAILURE, \"seccomp-install-notify-filter\");\n"
"\\&\n"
"    return notifyFd;\n"
"}\n"
"\\&\n"
"/* Close a pair of sockets created by socketpair() */\n"
"\\&\n"
"static void\n"
"closeSocketPair(int sockPair[2])\n"
"{\n"
"    if (close(sockPair[0]) == -1)\n"
"        err(EXIT_FAILURE, \"closeSocketPair-close-0\");\n"
"    if (close(sockPair[1]) == -1)\n"
"        err(EXIT_FAILURE, \"closeSocketPair-close-1\");\n"
"}\n"
"\\&\n"
"/* Implementation of the target process; create a child process that:\n"
"\\&\n"
"   (1) installs a seccomp filter with the\n"
"       SECCOMP_FILTER_FLAG_NEW_LISTENER flag;\n"
"   (2) writes the seccomp notification file descriptor returned from\n"
"       the previous step onto the UNIX domain socket, \\[aq]sockPair[0]\\[aq];\n"
"   (3) calls mkdir(2) for each element of \\[aq]argv\\[aq].\n"
"\\&\n"
"   The function return value in the parent is the PID of the child\n"
"   process; the child does not return from this function. */\n"
"\\&\n"
"static pid_t\n"
"targetProcess(int sockPair[2], char *argv[])\n"
"{\n"
"    int    notifyFd, s;\n"
"    pid_t  targetPid;\n"
"\\&\n"
"    targetPid = fork();\n"
"\\&\n"
"    if (targetPid == -1)\n"
"        err(EXIT_FAILURE, \"fork\");\n"
"\\&\n"
"    if (targetPid E<gt> 0)          /* In parent, return PID of child */\n"
"        return targetPid;\n"
"\\&\n"
"    /* Child falls through to here */\n"
"\\&\n"
"    printf(\"T: PID = %ld\\en\", (long) getpid());\n"
"\\&\n"
"    /* Install seccomp filter(s) */\n"
"\\&\n"
"    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))\n"
"        err(EXIT_FAILURE, \"prctl\");\n"
"\\&\n"
"    notifyFd = installNotifyFilter();\n"
"\\&\n"
"    /* Pass the notification file descriptor to the tracing process over\n"
"       a UNIX domain socket */\n"
"\\&\n"
"    if (sendfd(sockPair[0], notifyFd) == -1)\n"
"        err(EXIT_FAILURE, \"sendfd\");\n"
"\\&\n"
"    /* Notification and socket FDs are no longer needed in target */\n"
"\\&\n"
"    if (close(notifyFd) == -1)\n"
"        err(EXIT_FAILURE, \"close-target-notify-fd\");\n"
"\\&\n"
"    closeSocketPair(sockPair);\n"
"\\&\n"
"    /* Perform a mkdir() call for each of the command-line arguments */\n"
"\\&\n"
"    for (char **ap = argv; *ap != NULL; ap++) {\n"
"        printf(\"\\enT: about to mkdir(\\e\"%s\\e\")\\en\", *ap);\n"
"\\&\n"
"        s = mkdir(*ap, 0700);\n"
"        if (s == -1)\n"
"            perror(\"T: ERROR: mkdir(2)\");\n"
"        else\n"
"            printf(\"T: SUCCESS: mkdir(2) returned %d\\en\", s);\n"
"    }\n"
"\\&\n"
"    printf(\"\\enT: terminating\\en\");\n"
"    exit(EXIT_SUCCESS);\n"
"}\n"
"\\&\n"
"/* Check that the notification ID provided by a SECCOMP_IOCTL_NOTIF_RECV\n"
"   operation is still valid. It will no longer be valid if the target\n"
"   process has terminated or is no longer blocked in the system call that\n"
"   generated the notification (because it was interrupted by a signal).\n"
"\\&\n"
"   This operation can be used when doing such things as accessing\n"
"   /proc/PID files in the target process in order to avoid TOCTOU race\n"
"   conditions where the PID that is returned by SECCOMP_IOCTL_NOTIF_RECV\n"
"   terminates and is reused by another process. */\n"
"\\&\n"
"static bool\n"
"cookieIsValid(int notifyFd, uint64_t id)\n"
"{\n"
"    return ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) == 0;\n"
"}\n"
"\\&\n"
"/* Access the memory of the target process in order to fetch the\n"
"   pathname referred to by the system call argument \\[aq]argNum\\[aq] in\n"
"   \\[aq]req-E<gt>data.args[]\\[aq].  The pathname is returned in \\[aq]path\\[aq],\n"
"   a buffer of \\[aq]len\\[aq] bytes allocated by the caller.\n"
"\\&\n"
"   Returns true if the pathname is successfully fetched, and false\n"
"   otherwise. For possible causes of failure, see the comments below. */\n"
"\\&\n"
"static bool\n"
"getTargetPathname(struct seccomp_notif *req, int notifyFd,\n"
"                  int argNum, char *path, size_t len)\n"
"{\n"
"    int      procMemFd;\n"
"    char     procMemPath[PATH_MAX];\n"
"    ssize_t  nread;\n"
"\\&\n"
"    snprintf(procMemPath, sizeof(procMemPath), \"/proc/%d/mem\", req-E<gt>pid);\n"
"\\&\n"
"    procMemFd = open(procMemPath, O_RDONLY | O_CLOEXEC);\n"
"    if (procMemFd == -1)\n"
"        return false;\n"
"\\&\n"
"    /* Check that the process whose info we are accessing is still alive\n"
"       and blocked in the system call that caused the notification.\n"
"       If the SECCOMP_IOCTL_NOTIF_ID_VALID operation (performed in\n"
"       cookieIsValid()) succeeded, we know that the /proc/PID/mem file\n"
"       descriptor that we opened corresponded to the process for which we\n"
"       received a notification. If that process subsequently terminates,\n"
"       then read() on that file descriptor will return 0 (EOF). */\n"
"\\&\n"
"    if (!cookieIsValid(notifyFd, req-E<gt>id)) {\n"
"        close(procMemFd);\n"
"        return false;\n"
"    }\n"
"\\&\n"
"    /* Read bytes at the location containing the pathname argument */\n"
"\\&\n"
"    nread = pread(procMemFd, path, len, req-E<gt>data.args[argNum]);\n"
"\\&\n"
"    close(procMemFd);\n"
"\\&\n"
"    if (nread E<lt>= 0)\n"
"        return false;\n"
"\\&\n"
"    /* Once again check that the notification ID is still valid. The\n"
"       case we are particularly concerned about here is that just\n"
"       before we fetched the pathname, the target\\[aq]s blocked system\n"
"       call was interrupted by a signal handler, and after the handler\n"
"       returned, the target carried on execution (past the interrupted\n"
"       system call). In that case, we have no guarantees about what we\n"
"       are reading, since the target\\[aq]s memory may have been arbitrarily\n"
"       changed by subsequent operations. */\n"
"\\&\n"
"    if (!cookieIsValid(notifyFd, req-E<gt>id)) {\n"
"        perror(\"\\etS: notification ID check failed!!!\");\n"
"        return false;\n"
"    }\n"
"\\&\n"
"    /* Even if the target\\[aq]s system call was not interrupted by a signal,\n"
"       we have no guarantees about what was in the memory of the target\n"
"       process. (The memory may have been modified by another thread, or\n"
"       even by an external attacking process.) We therefore treat the\n"
"       buffer returned by pread() as untrusted input. The buffer should\n"
"       contain a terminating null byte; if not, then we will trigger an\n"
"       error for the target process. */\n"
"\\&\n"
"    if (strnlen(path, nread) E<lt> nread)\n"
"        return true;\n"
"\\&\n"
"    return false;\n"
"}\n"
"\\&\n"
"/* Allocate buffers for the seccomp user-space notification request and\n"
"   response structures. It is the caller\\[aq]s responsibility to free the\n"
"   buffers returned via \\[aq]req\\[aq] and \\[aq]resp\\[aq]. */\n"
"\\&\n"
"static void\n"
"allocSeccompNotifBuffers(struct seccomp_notif **req,\n"
"                         struct seccomp_notif_resp **resp,\n"
"                         struct seccomp_notif_sizes *sizes)\n"
"{\n"
"    size_t  resp_size;\n"
"\\&\n"
"    /* Discover the sizes of the structures that are used to receive\n"
"       notifications and send notification responses, and allocate\n"
"       buffers of those sizes. */\n"
"\\&\n"
"    if (seccomp(SECCOMP_GET_NOTIF_SIZES, 0, sizes) == -1)\n"
"        err(EXIT_FAILURE, \"seccomp-SECCOMP_GET_NOTIF_SIZES\");\n"
"\\&\n"
"    *req = malloc(sizes-E<gt>seccomp_notif);\n"
"    if (*req == NULL)\n"
"        err(EXIT_FAILURE, \"malloc-seccomp_notif\");\n"
"\\&\n"
"    /* When allocating the response buffer, we must allow for the fact\n"
"       that the user-space binary may have been built with user-space\n"
"       headers where \\[aq]struct seccomp_notif_resp\\[aq] is bigger than the\n"
"       response buffer expected by the (older) kernel. Therefore, we\n"
"       allocate a buffer that is the maximum of the two sizes. This\n"
"       ensures that if the supervisor places bytes into the response\n"
"       structure that are past the response size that the kernel expects,\n"
"       then the supervisor is not touching an invalid memory location. */\n"
"\\&\n"
"    resp_size = sizes-E<gt>seccomp_notif_resp;\n"
"    if (sizeof(struct seccomp_notif_resp) E<gt> resp_size)\n"
"        resp_size = sizeof(struct seccomp_notif_resp);\n"
"\\&\n"
"    *resp = malloc(resp_size);\n"
"    if (*resp == NULL)\n"
"        err(EXIT_FAILURE, \"malloc-seccomp_notif_resp\");\n"
"\\&\n"
"}\n"
"\\&\n"
"/* Handle notifications that arrive via the SECCOMP_RET_USER_NOTIF file\n"
"   descriptor, \\[aq]notifyFd\\[aq]. */\n"
"\\&\n"
"static void\n"
"handleNotifications(int notifyFd)\n"
"{\n"
"    bool                        pathOK;\n"
"    char                        path[PATH_MAX];\n"
"    struct seccomp_notif        *req;\n"
"    struct seccomp_notif_resp   *resp;\n"
"    struct seccomp_notif_sizes  sizes;\n"
"\\&\n"
"    allocSeccompNotifBuffers(&req, &resp, &sizes);\n"
"\\&\n"
"    /* Loop handling notifications */\n"
"\\&\n"
"    for (;;) {\n"
"\\&\n"
"        /* Wait for next notification, returning info in \\[aq]*req\\[aq] */\n"
"\\&\n"
"        memset(req, 0, sizes.seccomp_notif);\n"
"        if (ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_RECV, req) == -1) {\n"
"            if (errno == EINTR)\n"
"                continue;\n"
"            err(EXIT_FAILURE, \"\\etS: ioctl-SECCOMP_IOCTL_NOTIF_RECV\");\n"
"        }\n"
"\\&\n"
"        printf(\"\\etS: got notification (ID %#llx) for PID %d\\en\",\n"
"               req-E<gt>id, req-E<gt>pid);\n"
"\\&\n"
"        /* The only system call that can generate a notification event\n"
"           is mkdir(2). Nevertheless, we check that the notified system\n"
"           call is indeed mkdir() as kind of future-proofing of this\n"
"           code in case the seccomp filter is later modified to\n"
"           generate notifications for other system calls. */\n"
"\\&\n"
"        if (req-E<gt>data.nr != SYS_mkdir) {\n"
"            printf(\"\\etS: notification contained unexpected \"\n"
"                   \"system call number; bye!!!\\en\");\n"
"            exit(EXIT_FAILURE);\n"
"        }\n"
"\\&\n"
"        pathOK = getTargetPathname(req, notifyFd, 0, path, sizeof(path));\n"
"\\&\n"
"        /* Prepopulate some fields of the response */\n"
"\\&\n"
"        resp-E<gt>id = req-E<gt>id;     /* Response includes notification ID */\n"
"        resp-E<gt>flags = 0;\n"
"        resp-E<gt>val = 0;\n"
"\\&\n"
"        /* If getTargetPathname() failed, trigger an EINVAL error\n"
"           response (sending this response may yield an error if the\n"
"           failure occurred because the notification ID was no longer\n"
"           valid); if the directory is in /tmp, then create it on behalf\n"
"           of the supervisor; if the pathname starts with \\[aq].\\[aq], tell the\n"
"           kernel to let the target process execute the mkdir();\n"
"           otherwise, give an error for a directory pathname in any other\n"
"           location. */\n"
"\\&\n"
"        if (!pathOK) {\n"
"            resp-E<gt>error = -EINVAL;\n"
"            printf(\"\\etS: spoofing error for invalid pathname (%s)\\en\",\n"
"                   strerror(-resp-E<gt>error));\n"
"        } else if (strncmp(path, \"/tmp/\", strlen(\"/tmp/\")) == 0) {\n"
"            printf(\"\\etS: executing: mkdir(\\e\"%s\\e\", %#llo)\\en\",\n"
"                   path, req-E<gt>data.args[1]);\n"
"\\&\n"
"            if (mkdir(path, req-E<gt>data.args[1]) == 0) {\n"
"                resp-E<gt>error = 0;            /* \"Success\" */\n"
"                resp-E<gt>val = strlen(path);   /* Used as return value of\n"
"                                               mkdir() in target */\n"
"                printf(\"\\etS: success! spoofed return = %lld\\en\",\n"
"                       resp-E<gt>val);\n"
"            } else {\n"
"\\&\n"
"                /* If mkdir() failed in the supervisor, pass the error\n"
"                   back to the target */\n"
"\\&\n"
"                resp-E<gt>error = -errno;\n"
"                printf(\"\\etS: failure! (errno = %d; %s)\\en\", errno,\n"
"                       strerror(errno));\n"
"            }\n"
"        } else if (strncmp(path, \"./\", strlen(\"./\")) == 0) {\n"
"            resp-E<gt>error = resp-E<gt>val = 0;\n"
"            resp-E<gt>flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;\n"
"            printf(\"\\etS: target can execute system call\\en\");\n"
"        } else {\n"
"            resp-E<gt>error = -EOPNOTSUPP;\n"
"            printf(\"\\etS: spoofing error response (%s)\\en\",\n"
"                   strerror(-resp-E<gt>error));\n"
"        }\n"
"\\&\n"
"        /* Send a response to the notification */\n"
"\\&\n"
"        printf(\"\\etS: sending response \"\n"
"               \"(flags = %#x; val = %lld; error = %d)\\en\",\n"
"               resp-E<gt>flags, resp-E<gt>val, resp-E<gt>error);\n"
"\\&\n"
"        if (ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_SEND, resp) == -1) {\n"
"            if (errno == ENOENT)\n"
"                printf(\"\\etS: response failed with ENOENT; \"\n"
"                       \"perhaps target process\\[aq]s syscall was \"\n"
"                       \"interrupted by a signal?\\en\");\n"
"            else\n"
"                perror(\"ioctl-SECCOMP_IOCTL_NOTIF_SEND\");\n"
"        }\n"
"\\&\n"
"        /* If the pathname is just \"/bye\", then the supervisor breaks out\n"
"           of the loop and terminates. This allows us to see what happens\n"
"           if the target process makes further calls to mkdir(2). */\n"
"\\&\n"
"        if (strcmp(path, \"/bye\") == 0)\n"
"            break;\n"
"    }\n"
"\\&\n"
"    free(req);\n"
"    free(resp);\n"
"    printf(\"\\etS: terminating **********\\en\");\n"
"    exit(EXIT_FAILURE);\n"
"}\n"
"\\&\n"
"/* Implementation of the supervisor process:\n"
"\\&\n"
"   (1) obtains the notification file descriptor from \\[aq]sockPair[1]\\[aq]\n"
"   (2) handles notifications that arrive on that file descriptor. */\n"
"\\&\n"
"static void\n"
"supervisor(int sockPair[2])\n"
"{\n"
"    int notifyFd;\n"
"\\&\n"
"    notifyFd = recvfd(sockPair[1]);\n"
"\\&\n"
"    if (notifyFd == -1)\n"
"        err(EXIT_FAILURE, \"recvfd\");\n"
"\\&\n"
"    closeSocketPair(sockPair);  /* We no longer need the socket pair */\n"
"\\&\n"
"    handleNotifications(notifyFd);\n"
"}\n"
"\\&\n"
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    int               sockPair[2];\n"
"    struct sigaction  sa;\n"
"\\&\n"
"    setbuf(stdout, NULL);\n"
"\\&\n"
"    if (argc E<lt> 2) {\n"
"        fprintf(stderr, \"At least one pathname argument is required\\en\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
"\\&\n"
"    /* Create a UNIX domain socket that is used to pass the seccomp\n"
"       notification file descriptor from the target process to the\n"
"       supervisor process. */\n"
"\\&\n"
"    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockPair) == -1)\n"
"        err(EXIT_FAILURE, \"socketpair\");\n"
"\\&\n"
"    /* Create a child process--the \"target\"--that installs seccomp\n"
"       filtering. The target process writes the seccomp notification\n"
"       file descriptor onto \\[aq]sockPair[0]\\[aq] and then calls mkdir(2) for\n"
"       each directory in the command-line arguments. */\n"
"\\&\n"
"    (void) targetProcess(sockPair, &argv[optind]);\n"
"\\&\n"
"    /* Catch SIGCHLD when the target terminates, so that the\n"
"       supervisor can also terminate. */\n"
"\\&\n"
"    sa.sa_handler = sigchldHandler;\n"
"    sa.sa_flags = 0;\n"
"    sigemptyset(&sa.sa_mask);\n"
"    if (sigaction(SIGCHLD, &sa, NULL) == -1)\n"
"        err(EXIT_FAILURE, \"sigaction\");\n"
"\\&\n"
"    supervisor(sockPair);\n"
"\\&\n"
"    exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""

#.  SRC END
#. type: SH
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid "B<ioctl>(2), B<pidfd_getfd>(2), B<pidfd_open>(2), B<seccomp>(2)"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable fedora-40 fedora-rawhide
#: mageia-cauldron opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"A further example program can be found in the kernel source file I<samples/"
"seccomp/user-trap.c>."
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "2023-02-10"
msgstr ""

#. type: TH
#: debian-bookworm
#, no-wrap
msgid "Linux man-pages 6.03"
msgstr ""

#. type: IP
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "+"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "int fd, removeFd;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"fd = openat(req-E<gt>data.args[0], path, req-E<gt>data.args[2],\n"
"                req-E<gt>data.args[3]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"struct seccomp_notif_addfd addfd;\n"
"addfd.id = req-E<gt>id; /* Cookie from SECCOMP_IOCTL_NOTIF_RECV */\n"
"addfd.srcfd = fd;\n"
"addfd.newfd = 0;\n"
"addfd.flags = 0;\n"
"addfd.newfd_flags = O_CLOEXEC;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "targetFd = ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "close(fd);          /* No longer needed in supervisor */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"struct seccomp_notif_resp *resp;\n"
"    /* Code to allocate 'resp' omitted */\n"
"resp-E<gt>id = req-E<gt>id;\n"
"resp-E<gt>error = 0;        /* \"Success\" */\n"
"resp-E<gt>val = targetFd;\n"
"resp-E<gt>flags = 0;\n"
"ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_SEND, resp);\n"
msgstr ""

#. type: SS
#: debian-bookworm
#, no-wrap
msgid "Caveats regarding the use of /proc/[tid]/mem"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"$ B<./seccomp_unotify /tmp/x>\n"
"T: PID = 23168\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"T: about to mkdir(\"/tmp/x\")\n"
"        S: got notification (ID 0x17445c4a0f4e0e3c) for PID 23168\n"
"        S: executing: mkdir(\"/tmp/x\", 0700)\n"
"        S: success! spoofed return = 6\n"
"        S: sending response (flags = 0; val = 6; error = 0)\n"
"T: SUCCESS: mkdir(2) returned 6\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"T: terminating\n"
"        S: target has terminated; bye\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"$ B<./seccomp_unotify ./sub>\n"
"T: PID = 23204\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"T: about to mkdir(\"./sub\")\n"
"        S: got notification (ID 0xddb16abe25b4c12) for PID 23204\n"
"        S: target can execute system call\n"
"        S: sending response (flags = 0x1; val = 0; error = 0)\n"
"T: SUCCESS: mkdir(2) returned 0\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"$ B<./seccomp_unotify /xxx>\n"
"T: PID = 23178\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"T: about to mkdir(\"/xxx\")\n"
"        S: got notification (ID 0xe7dc095d1c524e80) for PID 23178\n"
"        S: spoofing error response (Operation not supported)\n"
"        S: sending response (flags = 0; val = 0; error = -95)\n"
"T: ERROR: mkdir(2): Operation not supported\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"$ B<./seccomp_unotify /tmp/nosuchdir/b>\n"
"T: PID = 23199\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"T: about to mkdir(\"/tmp/nosuchdir/b\")\n"
"        S: got notification (ID 0x8744454293506046) for PID 23199\n"
"        S: executing: mkdir(\"/tmp/nosuchdir/b\", 0700)\n"
"        S: failure! (errno = 2; No such file or directory)\n"
"        S: sending response (flags = 0; val = 0; error = -2)\n"
"T: ERROR: mkdir(2): No such file or directory\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"$ B<./seccomp_unotify /bye /tmp/y>\n"
"T: PID = 23185\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"T: about to mkdir(\"/bye\")\n"
"        S: got notification (ID 0xa81236b1d2f7b0f4) for PID 23185\n"
"        S: spoofing error response (Operation not supported)\n"
"        S: sending response (flags = 0; val = 0; error = -95)\n"
"        S: terminating **********\n"
"T: ERROR: mkdir(2): Operation not supported\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"T: about to mkdir(\"/tmp/y\")\n"
"T: ERROR: mkdir(2): Function not implemented\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "T: terminating\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"#define _GNU_SOURCE\n"
"#include E<lt>err.hE<gt>\n"
"#include E<lt>errno.hE<gt>\n"
"#include E<lt>fcntl.hE<gt>\n"
"#include E<lt>limits.hE<gt>\n"
"#include E<lt>linux/audit.hE<gt>\n"
"#include E<lt>linux/filter.hE<gt>\n"
"#include E<lt>linux/seccomp.hE<gt>\n"
"#include E<lt>signal.hE<gt>\n"
"#include E<lt>stdbool.hE<gt>\n"
"#include E<lt>stddef.hE<gt>\n"
"#include E<lt>stdint.hE<gt>\n"
"#include E<lt>stdio.hE<gt>\n"
"#include E<lt>stdlib.hE<gt>\n"
"#include E<lt>string.hE<gt>\n"
"#include E<lt>sys/ioctl.hE<gt>\n"
"#include E<lt>sys/prctl.hE<gt>\n"
"#include E<lt>sys/socket.hE<gt>\n"
"#include E<lt>sys/stat.hE<gt>\n"
"#include E<lt>sys/syscall.hE<gt>\n"
"#include E<lt>sys/types.hE<gt>\n"
"#include E<lt>sys/un.hE<gt>\n"
"#include E<lt>unistd.hE<gt>\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "#define ARRAY_SIZE(arr)  (sizeof(arr) / sizeof((arr)[0]))\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Send the file descriptor \\[aq]fd\\[aq] over the connected UNIX domain socket\n"
"   \\[aq]sockfd\\[aq]. Returns 0 on success, or -1 on error. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static int\n"
"sendfd(int sockfd, int fd)\n"
"{\n"
"    int             data;\n"
"    struct iovec    iov;\n"
"    struct msghdr   msgh;\n"
"    struct cmsghdr  *cmsgp;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Allocate a char array of suitable size to hold the ancillary data.\n"
"       However, since this buffer is in reality a \\[aq]struct cmsghdr\\[aq], use a\n"
"       union to ensure that it is suitably aligned. */\n"
"    union {\n"
"        char   buf[CMSG_SPACE(sizeof(int))];\n"
"                        /* Space large enough to hold an \\[aq]int\\[aq] */\n"
"        struct cmsghdr align;\n"
"    } controlMsg;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* The \\[aq]msg_name\\[aq] field can be used to specify the address of the\n"
"       destination socket when sending a datagram. However, we do not\n"
"       need to use this field because \\[aq]sockfd\\[aq] is a connected socket. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    msgh.msg_name = NULL;\n"
"    msgh.msg_namelen = 0;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* On Linux, we must transmit at least one byte of real data in\n"
"       order to send ancillary data. We transmit an arbitrary integer\n"
"       whose value is ignored by recvfd(). */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    msgh.msg_iov = &iov;\n"
"    msgh.msg_iovlen = 1;\n"
"    iov.iov_base = &data;\n"
"    iov.iov_len = sizeof(int);\n"
"    data = 12345;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Set \\[aq]msghdr\\[aq] fields that describe ancillary data */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    msgh.msg_control = controlMsg.buf;\n"
"    msgh.msg_controllen = sizeof(controlMsg.buf);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Set up ancillary data describing file descriptor to send */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    cmsgp = CMSG_FIRSTHDR(&msgh);\n"
"    cmsgp-E<gt>cmsg_level = SOL_SOCKET;\n"
"    cmsgp-E<gt>cmsg_type = SCM_RIGHTS;\n"
"    cmsgp-E<gt>cmsg_len = CMSG_LEN(sizeof(int));\n"
"    memcpy(CMSG_DATA(cmsgp), &fd, sizeof(int));\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Send real plus ancillary data */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (sendmsg(sockfd, &msgh, 0) == -1)\n"
"        return -1;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    return 0;\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Receive a file descriptor on a connected UNIX domain socket. Returns\n"
"   the received file descriptor on success, or -1 on error. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static int\n"
"recvfd(int sockfd)\n"
"{\n"
"    int            data, fd;\n"
"    ssize_t        nr;\n"
"    struct iovec   iov;\n"
"    struct msghdr  msgh;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Allocate a char buffer for the ancillary data. See the comments\n"
"       in sendfd() */\n"
"    union {\n"
"        char   buf[CMSG_SPACE(sizeof(int))];\n"
"        struct cmsghdr align;\n"
"    } controlMsg;\n"
"    struct cmsghdr *cmsgp;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* The \\[aq]msg_name\\[aq] field can be used to obtain the address of the\n"
"       sending socket. However, we do not need this information. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Specify buffer for receiving real data */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    msgh.msg_iov = &iov;\n"
"    msgh.msg_iovlen = 1;\n"
"    iov.iov_base = &data;       /* Real data is an \\[aq]int\\[aq] */\n"
"    iov.iov_len = sizeof(int);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Receive real plus ancillary data; real data is ignored */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    nr = recvmsg(sockfd, &msgh, 0);\n"
"    if (nr == -1)\n"
"        return -1;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    cmsgp = CMSG_FIRSTHDR(&msgh);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Check the validity of the \\[aq]cmsghdr\\[aq] */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (cmsgp == NULL\n"
"        || cmsgp-E<gt>cmsg_len != CMSG_LEN(sizeof(int))\n"
"        || cmsgp-E<gt>cmsg_level != SOL_SOCKET\n"
"        || cmsgp-E<gt>cmsg_type != SCM_RIGHTS)\n"
"    {\n"
"        errno = EINVAL;\n"
"        return -1;\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Return the received file descriptor to our caller */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    memcpy(&fd, CMSG_DATA(cmsgp), sizeof(int));\n"
"    return fd;\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"sigchldHandler(int sig)\n"
"{\n"
"    char msg[] = \"\\etS: target has terminated; bye\\en\";\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    write(STDOUT_FILENO, msg, sizeof(msg) - 1);\n"
"    _exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static int\n"
"seccomp(unsigned int operation, unsigned int flags, void *args)\n"
"{\n"
"    return syscall(SYS_seccomp, operation, flags, args);\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* The following is the x86-64-specific BPF boilerplate code for checking\n"
"   that the BPF program is running on the right architecture + ABI. At\n"
"   completion of these instructions, the accumulator contains the system\n"
"   call number. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "/* For the x32 ABI, all system call numbers have bit 30 set */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "#define X32_SYSCALL_BIT         0x40000000\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"#define X86_64_CHECK_ARCH_AND_LOAD_SYSCALL_NR \\e\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, \\e\n"
"                 (offsetof(struct seccomp_data, arch))), \\e\n"
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 2), \\e\n"
"        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, \\e\n"
"                 (offsetof(struct seccomp_data, nr))), \\e\n"
"        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1), \\e\n"
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* installNotifyFilter() installs a seccomp filter that generates\n"
"   user-space notifications (SECCOMP_RET_USER_NOTIF) when the process\n"
"   calls mkdir(2); the filter allows all other system calls.\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   The function return value is a file descriptor from which the\n"
"   user-space notifications can be fetched. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static int\n"
"installNotifyFilter(void)\n"
"{\n"
"    int notifyFd;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    struct sock_filter filter[] = {\n"
"        X86_64_CHECK_ARCH_AND_LOAD_SYSCALL_NR,\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "        /* mkdir() triggers notification to user-space supervisor */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdir, 0, 1),\n"
"        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_USER_NOTIF),\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "        /* Every other system call is allowed */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),\n"
"    };\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    struct sock_fprog prog = {\n"
"        .len = ARRAY_SIZE(filter),\n"
"        .filter = filter,\n"
"    };\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Install the filter with the SECCOMP_FILTER_FLAG_NEW_LISTENER flag;\n"
"       as a result, seccomp() returns a notification file descriptor. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    notifyFd = seccomp(SECCOMP_SET_MODE_FILTER,\n"
"                       SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);\n"
"    if (notifyFd == -1)\n"
"        err(EXIT_FAILURE, \"seccomp-install-notify-filter\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    return notifyFd;\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "/* Close a pair of sockets created by socketpair() */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"closeSocketPair(int sockPair[2])\n"
"{\n"
"    if (close(sockPair[0]) == -1)\n"
"        err(EXIT_FAILURE, \"closeSocketPair-close-0\");\n"
"    if (close(sockPair[1]) == -1)\n"
"        err(EXIT_FAILURE, \"closeSocketPair-close-1\");\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "/* Implementation of the target process; create a child process that:\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   (1) installs a seccomp filter with the\n"
"       SECCOMP_FILTER_FLAG_NEW_LISTENER flag;\n"
"   (2) writes the seccomp notification file descriptor returned from\n"
"       the previous step onto the UNIX domain socket, \\[aq]sockPair[0]\\[aq];\n"
"   (3) calls mkdir(2) for each element of \\[aq]argv\\[aq].\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   The function return value in the parent is the PID of the child\n"
"   process; the child does not return from this function. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static pid_t\n"
"targetProcess(int sockPair[2], char *argv[])\n"
"{\n"
"    int    notifyFd, s;\n"
"    pid_t  targetPid;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    targetPid = fork();\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (targetPid == -1)\n"
"        err(EXIT_FAILURE, \"fork\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (targetPid E<gt> 0)          /* In parent, return PID of child */\n"
"        return targetPid;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Child falls through to here */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    printf(\"T: PID = %ld\\en\", (long) getpid());\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Install seccomp filter(s) */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))\n"
"        err(EXIT_FAILURE, \"prctl\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    notifyFd = installNotifyFilter();\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Pass the notification file descriptor to the tracing process over\n"
"       a UNIX domain socket */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (sendfd(sockPair[0], notifyFd) == -1)\n"
"        err(EXIT_FAILURE, \"sendfd\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Notification and socket FDs are no longer needed in target */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (close(notifyFd) == -1)\n"
"        err(EXIT_FAILURE, \"close-target-notify-fd\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    closeSocketPair(sockPair);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Perform a mkdir() call for each of the command-line arguments */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    for (char **ap = argv; *ap != NULL; ap++) {\n"
"        printf(\"\\enT: about to mkdir(\\e\"%s\\e\")\\en\", *ap);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        s = mkdir(*ap, 0700);\n"
"        if (s == -1)\n"
"            perror(\"T: ERROR: mkdir(2)\");\n"
"        else\n"
"            printf(\"T: SUCCESS: mkdir(2) returned %d\\en\", s);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    printf(\"\\enT: terminating\\en\");\n"
"    exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Check that the notification ID provided by a SECCOMP_IOCTL_NOTIF_RECV\n"
"   operation is still valid. It will no longer be valid if the target\n"
"   process has terminated or is no longer blocked in the system call that\n"
"   generated the notification (because it was interrupted by a signal).\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   This operation can be used when doing such things as accessing\n"
"   /proc/PID files in the target process in order to avoid TOCTOU race\n"
"   conditions where the PID that is returned by SECCOMP_IOCTL_NOTIF_RECV\n"
"   terminates and is reused by another process. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static bool\n"
"cookieIsValid(int notifyFd, uint64_t id)\n"
"{\n"
"    return ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) == 0;\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Access the memory of the target process in order to fetch the\n"
"   pathname referred to by the system call argument \\[aq]argNum\\[aq] in\n"
"   \\[aq]req-E<gt>data.args[]\\[aq].  The pathname is returned in \\[aq]path\\[aq],\n"
"   a buffer of \\[aq]len\\[aq] bytes allocated by the caller.\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   Returns true if the pathname is successfully fetched, and false\n"
"   otherwise. For possible causes of failure, see the comments below. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static bool\n"
"getTargetPathname(struct seccomp_notif *req, int notifyFd,\n"
"                  int argNum, char *path, size_t len)\n"
"{\n"
"    int      procMemFd;\n"
"    char     procMemPath[PATH_MAX];\n"
"    ssize_t  nread;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    snprintf(procMemPath, sizeof(procMemPath), \"/proc/%d/mem\", req-E<gt>pid);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    procMemFd = open(procMemPath, O_RDONLY | O_CLOEXEC);\n"
"    if (procMemFd == -1)\n"
"        return false;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Check that the process whose info we are accessing is still alive\n"
"       and blocked in the system call that caused the notification.\n"
"       If the SECCOMP_IOCTL_NOTIF_ID_VALID operation (performed in\n"
"       cookieIsValid()) succeeded, we know that the /proc/PID/mem file\n"
"       descriptor that we opened corresponded to the process for which we\n"
"       received a notification. If that process subsequently terminates,\n"
"       then read() on that file descriptor will return 0 (EOF). */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (!cookieIsValid(notifyFd, req-E<gt>id)) {\n"
"        close(procMemFd);\n"
"        return false;\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Read bytes at the location containing the pathname argument */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    nread = pread(procMemFd, path, len, req-E<gt>data.args[argNum]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    close(procMemFd);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (nread E<lt>= 0)\n"
"        return false;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Once again check that the notification ID is still valid. The\n"
"       case we are particularly concerned about here is that just\n"
"       before we fetched the pathname, the target\\[aq]s blocked system\n"
"       call was interrupted by a signal handler, and after the handler\n"
"       returned, the target carried on execution (past the interrupted\n"
"       system call). In that case, we have no guarantees about what we\n"
"       are reading, since the target\\[aq]s memory may have been arbitrarily\n"
"       changed by subsequent operations. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (!cookieIsValid(notifyFd, req-E<gt>id)) {\n"
"        perror(\"\\etS: notification ID check failed!!!\");\n"
"        return false;\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Even if the target\\[aq]s system call was not interrupted by a signal,\n"
"       we have no guarantees about what was in the memory of the target\n"
"       process. (The memory may have been modified by another thread, or\n"
"       even by an external attacking process.) We therefore treat the\n"
"       buffer returned by pread() as untrusted input. The buffer should\n"
"       contain a terminating null byte; if not, then we will trigger an\n"
"       error for the target process. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (strnlen(path, nread) E<lt> nread)\n"
"        return true;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    return false;\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Allocate buffers for the seccomp user-space notification request and\n"
"   response structures. It is the caller\\[aq]s responsibility to free the\n"
"   buffers returned via \\[aq]req\\[aq] and \\[aq]resp\\[aq]. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"allocSeccompNotifBuffers(struct seccomp_notif **req,\n"
"                         struct seccomp_notif_resp **resp,\n"
"                         struct seccomp_notif_sizes *sizes)\n"
"{\n"
"    size_t  resp_size;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Discover the sizes of the structures that are used to receive\n"
"       notifications and send notification responses, and allocate\n"
"       buffers of those sizes. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (seccomp(SECCOMP_GET_NOTIF_SIZES, 0, sizes) == -1)\n"
"        err(EXIT_FAILURE, \"seccomp-SECCOMP_GET_NOTIF_SIZES\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    *req = malloc(sizes-E<gt>seccomp_notif);\n"
"    if (*req == NULL)\n"
"        err(EXIT_FAILURE, \"malloc-seccomp_notif\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* When allocating the response buffer, we must allow for the fact\n"
"       that the user-space binary may have been built with user-space\n"
"       headers where \\[aq]struct seccomp_notif_resp\\[aq] is bigger than the\n"
"       response buffer expected by the (older) kernel. Therefore, we\n"
"       allocate a buffer that is the maximum of the two sizes. This\n"
"       ensures that if the supervisor places bytes into the response\n"
"       structure that are past the response size that the kernel expects,\n"
"       then the supervisor is not touching an invalid memory location. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    resp_size = sizes-E<gt>seccomp_notif_resp;\n"
"    if (sizeof(struct seccomp_notif_resp) E<gt> resp_size)\n"
"        resp_size = sizeof(struct seccomp_notif_resp);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    *resp = malloc(resp_size);\n"
"    if (*resp == NULL)\n"
"        err(EXIT_FAILURE, \"malloc-seccomp_notif_resp\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"/* Handle notifications that arrive via the SECCOMP_RET_USER_NOTIF file\n"
"   descriptor, \\[aq]notifyFd\\[aq]. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"handleNotifications(int notifyFd)\n"
"{\n"
"    bool                        pathOK;\n"
"    char                        path[PATH_MAX];\n"
"    struct seccomp_notif        *req;\n"
"    struct seccomp_notif_resp   *resp;\n"
"    struct seccomp_notif_sizes  sizes;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    allocSeccompNotifBuffers(&req, &resp, &sizes);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    /* Loop handling notifications */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    for (;;) {\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "        /* Wait for next notification, returning info in \\[aq]*req\\[aq] */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        memset(req, 0, sizes.seccomp_notif);\n"
"        if (ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_RECV, req) == -1) {\n"
"            if (errno == EINTR)\n"
"                continue;\n"
"            err(EXIT_FAILURE, \"\\etS: ioctl-SECCOMP_IOCTL_NOTIF_RECV\");\n"
"        }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        printf(\"\\etS: got notification (ID %#llx) for PID %d\\en\",\n"
"               req-E<gt>id, req-E<gt>pid);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* The only system call that can generate a notification event\n"
"           is mkdir(2). Nevertheless, we check that the notified system\n"
"           call is indeed mkdir() as kind of future-proofing of this\n"
"           code in case the seccomp filter is later modified to\n"
"           generate notifications for other system calls. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        if (req-E<gt>data.nr != SYS_mkdir) {\n"
"            printf(\"\\etS: notification contained unexpected \"\n"
"                   \"system call number; bye!!!\\en\");\n"
"            exit(EXIT_FAILURE);\n"
"        }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "        pathOK = getTargetPathname(req, notifyFd, 0, path, sizeof(path));\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "        /* Prepopulate some fields of the response */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        resp-E<gt>id = req-E<gt>id;     /* Response includes notification ID */\n"
"        resp-E<gt>flags = 0;\n"
"        resp-E<gt>val = 0;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* If getTargetPathname() failed, trigger an EINVAL error\n"
"           response (sending this response may yield an error if the\n"
"           failure occurred because the notification ID was no longer\n"
"           valid); if the directory is in /tmp, then create it on behalf\n"
"           of the supervisor; if the pathname starts with \\[aq].\\[aq], tell the\n"
"           kernel to let the target process execute the mkdir();\n"
"           otherwise, give an error for a directory pathname in any other\n"
"           location. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        if (!pathOK) {\n"
"            resp-E<gt>error = -EINVAL;\n"
"            printf(\"\\etS: spoofing error for invalid pathname (%s)\\en\",\n"
"                   strerror(-resp-E<gt>error));\n"
"        } else if (strncmp(path, \"/tmp/\", strlen(\"/tmp/\")) == 0) {\n"
"            printf(\"\\etS: executing: mkdir(\\e\"%s\\e\", %#llo)\\en\",\n"
"                   path, req-E<gt>data.args[1]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"            if (mkdir(path, req-E<gt>data.args[1]) == 0) {\n"
"                resp-E<gt>error = 0;            /* \"Success\" */\n"
"                resp-E<gt>val = strlen(path);   /* Used as return value of\n"
"                                               mkdir() in target */\n"
"                printf(\"\\etS: success! spoofed return = %lld\\en\",\n"
"                       resp-E<gt>val);\n"
"            } else {\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"                /* If mkdir() failed in the supervisor, pass the error\n"
"                   back to the target */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"                resp-E<gt>error = -errno;\n"
"                printf(\"\\etS: failure! (errno = %d; %s)\\en\", errno,\n"
"                       strerror(errno));\n"
"            }\n"
"        } else if (strncmp(path, \"./\", strlen(\"./\")) == 0) {\n"
"            resp-E<gt>error = resp-E<gt>val = 0;\n"
"            resp-E<gt>flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;\n"
"            printf(\"\\etS: target can execute system call\\en\");\n"
"        } else {\n"
"            resp-E<gt>error = -EOPNOTSUPP;\n"
"            printf(\"\\etS: spoofing error response (%s)\\en\",\n"
"                   strerror(-resp-E<gt>error));\n"
"        }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "        /* Send a response to the notification */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        printf(\"\\etS: sending response \"\n"
"               \"(flags = %#x; val = %lld; error = %d)\\en\",\n"
"               resp-E<gt>flags, resp-E<gt>val, resp-E<gt>error);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        if (ioctl(notifyFd, SECCOMP_IOCTL_NOTIF_SEND, resp) == -1) {\n"
"            if (errno == ENOENT)\n"
"                printf(\"\\etS: response failed with ENOENT; \"\n"
"                       \"perhaps target process\\[aq]s syscall was \"\n"
"                       \"interrupted by a signal?\\en\");\n"
"            else\n"
"                perror(\"ioctl-SECCOMP_IOCTL_NOTIF_SEND\");\n"
"        }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        /* If the pathname is just \"/bye\", then the supervisor breaks out\n"
"           of the loop and terminates. This allows us to see what happens\n"
"           if the target process makes further calls to mkdir(2). */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"        if (strcmp(path, \"/bye\") == 0)\n"
"            break;\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    free(req);\n"
"    free(resp);\n"
"    printf(\"\\etS: terminating **********\\en\");\n"
"    exit(EXIT_FAILURE);\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "/* Implementation of the supervisor process:\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"   (1) obtains the notification file descriptor from \\[aq]sockPair[1]\\[aq]\n"
"   (2) handles notifications that arrive on that file descriptor. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"static void\n"
"supervisor(int sockPair[2])\n"
"{\n"
"    int notifyFd;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    notifyFd = recvfd(sockPair[1]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (notifyFd == -1)\n"
"        err(EXIT_FAILURE, \"recvfd\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    closeSocketPair(sockPair);  /* We no longer need the socket pair */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    handleNotifications(notifyFd);\n"
"}\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"    int               sockPair[2];\n"
"    struct sigaction  sa;\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    setbuf(stdout, NULL);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (argc E<lt> 2) {\n"
"        fprintf(stderr, \"At least one pathname argument is required\\en\");\n"
"        exit(EXIT_FAILURE);\n"
"    }\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Create a UNIX domain socket that is used to pass the seccomp\n"
"       notification file descriptor from the target process to the\n"
"       supervisor process. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockPair) == -1)\n"
"        err(EXIT_FAILURE, \"socketpair\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Create a child process--the \"target\"--that installs seccomp\n"
"       filtering. The target process writes the seccomp notification\n"
"       file descriptor onto \\[aq]sockPair[0]\\[aq] and then calls mkdir(2) for\n"
"       each directory in the command-line arguments. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    (void) targetProcess(sockPair, &argv[optind]);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    /* Catch SIGCHLD when the target terminates, so that the\n"
"       supervisor can also terminate. */\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    sa.sa_handler = sigchldHandler;\n"
"    sa.sa_flags = 0;\n"
"    sigemptyset(&sa.sa_mask);\n"
"    if (sigaction(SIGCHLD, &sa, NULL) == -1)\n"
"        err(EXIT_FAILURE, \"sigaction\");\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid "    supervisor(sockPair);\n"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
#, no-wrap
msgid ""
"    exit(EXIT_SUCCESS);\n"
"}\n"
msgstr ""

#. type: TH
#: fedora-40 fedora-rawhide mageia-cauldron
#, no-wrap
msgid "2023-10-31"
msgstr ""

#. type: TH
#: fedora-40 mageia-cauldron
#, no-wrap
msgid "Linux man-pages 6.06"
msgstr ""

#. type: TH
#: fedora-rawhide
#, no-wrap
msgid "Linux man-pages 6.7"
msgstr ""

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "2023-04-03"
msgstr ""

#. type: TH
#: opensuse-leap-15-6
#, no-wrap
msgid "Linux man-pages 6.04"
msgstr ""

#. type: TH
#: opensuse-tumbleweed
#, no-wrap
msgid "Linux man-pages (unreleased)"
msgstr ""