seccomp.2: Describe use of 'instruction_pointer' data field

author Michael Kerrisk <mtk.manpages@gmail.com>

Sat, 5 Sep 2015 06:43:31 +0000 (08:43 +0200)

committer Michael Kerrisk <mtk.manpages@gmail.com>

Sat, 5 Sep 2015 06:43:31 +0000 (08:43 +0200)
author Michael Kerrisk <mtk.manpages@gmail.com>
Sat, 5 Sep 2015 06:43:31 +0000 (08:43 +0200)
committer Michael Kerrisk <mtk.manpages@gmail.com>
Sat, 5 Sep 2015 06:43:31 +0000 (08:43 +0200)
diff --git a/man2/seccomp.2 b/man2/seccomp.2

index 8b869a9f57f70005f85a9d2310f8f29503f0ba45..8b0bd6e38ec55fc0cc332bde6021c3deb49f2254 100644 (file)
--- a/man2/seccomp.2
+++ b/man2/seccomp.2
@@ -306,6 +306,20 @@ but also to explicitly reject all system calls that contain
  in
  .IR nr .
  
+The
+.I instruction_pointer
+field provides the address of the machine-language instruction that
+performed the system call.
+This might be useful in conjunction with the use of
+.I /proc/[pid]/maps
+to perform checks based on which region (mapping) of the program
+made the system call.
+(Probably, it is wise to lock down the
+.BR mmap (2)
+and
+.BR mprotect (2)
+system calls to prevent the program from subverting such checks.)
+
  When checking values from
  .IR args
  against a blacklist, keep in mind that arguments are often
@@ -777,6 +791,7 @@ main(int argc, char **argv)
  .BR prctl (2),
  .BR ptrace (2),
  .BR sigaction (2),
+.BR proc (5),
  .BR signal (7),
  .BR socket (7)
  .sp
author	Michael Kerrisk <mtk.manpages@gmail.com>
	Sat, 5 Sep 2015 06:43:31 +0000 (08:43 +0200)
committer	Michael Kerrisk <mtk.manpages@gmail.com>
	Sat, 5 Sep 2015 06:43:31 +0000 (08:43 +0200)