author: Tycho Andersen <tycho.andersen@canonical.com> 2015-09-11 13:53:28 +0200
committer: Michael Kerrisk <mtk.manpages@gmail.com> 2015-09-11 14:00:31 +0200
commit: e3cfeba2ff4f4aa45d8f0ea47c2ce6aa3c04c546 (patch)
tree: 6fcf8cad1ff980cdefb5a3c9cd65197c7a02eb5a
parent: a0742a27bedebf401a2270970368624fd11861be (diff)
ptrace.2: Document PTRACE_O_SUSPEND_SECCOMP flag
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
CC: Kees Cook <keescook@chromium.org>
CC: Andy Lutomirski <luto@amacapital.net>
CC: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
-rw-r--r-- man2/ptrace.2 12
1 files changed, 12 insertions, 0 deletions
diff --git a/man2/ptrace.2 b/man2/ptrace.2
index c2c92cdf16..47c96b1c24 100644
--- a/man2/ptrace.2
+++ b/man2/ptrace.2
@@ -592,6 +592,18 @@ The seccomp event message data (from the
.BR SECCOMP_RET_DATA
portion of the seccomp filter rule) can be retrieved with
.BR PTRACE_GETEVENTMSG .
+.TP
+.BR PTRACE_O_SUSPEND_SECCOMP " (since Linux 4.2)"
+Suspend the tracee's seccomp protections. This applies regardless of mode, and
+can be used when the tracee has not yet installed seccomp filters. That is, a
+valid usecase is to suspend a tracee's seccomp protections before they are
+installed by the tracee, let the tracee install the filters, and then clear
+this flag when the filters should be resumed. Setting this option requires that
+the tracer have
+.BR CAP_SYS_ADMIN ,
+not have any seccomp protections installed, and not have
+.BR PTRACE_O_SUSPEND_SECCOMP
+set on itself.
.RE
.TP
.BR PTRACE_GETEVENTMSG " (since Linux 2.5.46)"
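Review bot: The new PTRACE_O_SUSPEND_SECCOMP entry lists three preconditions for the tracer (CAP_SYS_ADMIN, no seccomp protections installed, flag not set on itself) but does not say which error ptrace() returns when one of them is not met, and it does not say what happens to the tracee's seccomp protections if the tracer detaches or exits without clearing the flag. Both matter to anyone relying on seccomp as a sandbox boundary, so please add a sentence for each. "This applies regardless of mode" would also be clearer if it named the modes it means. Smaller points: "usecase" should be "use case", each new sentence should start on its own source line rather than mid-line after "mode, and" and "installed by the tracee,", and the second ".BR PTRACE_O_SUSPEND_SECCOMP" has only one argument, so ".B" is the appropriate macro there.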