| field | value | date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2015-09-05 08:43:31 +0200 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2015-09-05 08:43:31 +0200 |
| commit | 712551eaadb5d50f75395a980132d7e691ad877e | |
| tree | 65720a63647a8df1b4d2a1b019685bf89f2d87ae | |
| parent | 944a31e27f52cb18b8875c8659d8938fda00e171 | |
| download | man-pages-712551eaadb5d50f75395a980132d7e691ad877e.tar.gz | |
seccomp.2: Describe use of 'instruction_pointer' data field
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | man2/seccomp.2 | 15 |

1 file changed, 15 insertions, 0 deletions
diff --git a/man2/seccomp.2 b/man2/seccomp.2 index 8b869a9f57..8b0bd6e38e 100644 --- a/man2/seccomp.2 +++ b/man2/seccomp.2 @@ -306,6 +306,20 @@ but also to explicitly reject all system calls that contain in .IR nr . +The +.I instruction_pointer +field provides the address of the machine-language instruction that +performed the system call. +This might be useful in conjunction with the use of +.I /proc/[pid]/maps +to perform checks based on which region (mapping) of the program +made the system call. +(Probably, it is wise to lock down the +.BR mmap (2) +and +.BR mprotect (2) +system calls to prevent the program from subverting such checks.) + When checking values from .IR args against a blacklist, keep in mind that arguments are often @@ -777,6 +791,7 @@ main(int argc, char **argv) .BR prctl (2), .BR ptrace (2), .BR sigaction (2), +.BR proc (5), .BR signal (7), .BR socket (7) .sp |
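Review bot: in the first hunk (the new paragraph on `instruction_pointer`), "in conjunction with the use of /proc/[pid]/maps to perform checks" leaves out when and where that comparison can happen: a seccomp BPF program can only compare the field against constants compiled into the filter, so the address ranges have to be read from /proc/self/maps and baked into the filter before it is installed, and they go stale if the mappings change afterwards. That also makes the hedged parenthetical "(Probably, it is wise to lock down the .BR mmap (2) and .BR mprotect (2) system calls to prevent the program from subverting such checks.)" too weak: without also restricting mmap(2), mprotect(2) (and mremap(2)), code that has taken over the process can map or re-protect memory inside a permitted range and issue its own system calls from there, so suggest stating it as a precondition ("Such checks are meaningful only if the filter also restricts ...") rather than as a probable wise choice. Finally, since `instruction_pointer` is a 64-bit field, the text should say, or cross-reference the following paragraph on `args`, that both 32-bit halves must be compared; a filter that tests only the low word can be satisfied by an address in any mapping sharing the same low 32 bits.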