From: Michael Kerrisk Date: Thu, 29 Oct 2020 11:19:16 +0000 (+0100) Subject: seccomp_unotify.2: EXAMPLES: Improve comments describing checkNotificationIdIsValid() X-Git-Tag: man-pages-5.12~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f0ca7da712d02d5c59b8fbc66a8515b8a3f7ef3;p=thirdparty%2Fman-pages.git seccomp_unotify.2: EXAMPLES: Improve comments describing checkNotificationIdIsValid() Signed-off-by: Michael Kerrisk --- diff --git a/man2/seccomp_unotify.2 b/man2/seccomp_unotify.2 index f9053b8281..0bcabaa003 100644 --- a/man2/seccomp_unotify.2 +++ b/man2/seccomp_unotify.2 @@ -1315,11 +1315,14 @@ targetProcess(int sockPair[2], char *argv[]) } /* Check that the notification ID provided by a SECCOMP_IOCTL_NOTIF_RECV - operation is still valid. It will no longer be valid if the process - has terminated. This operation can be used when accessing /proc/PID - files in the target process in order to avoid TOCTOU race conditions - where the PID that is returned by SECCOMP_IOCTL_NOTIF_RECV terminates - and is reused by another process. */ + operation is still valid. It will no longer be valid if the target + process has terminated or is no longer blocked in the system call that + generated the notification (because it was interrupted by a signal). + + This operation can be used when doing such things as accessing + /proc/PID files in the target process in order to avoid TOCTOU race + conditions where the PID that is returned by SECCOMP_IOCTL_NOTIF_RECV + terminates and is reused by another process. */ static void checkNotificationIdIsValid(int notifyFd, uint64_t id) 
@@ -1349,7 +1352,8 @@ getTargetPathname(struct seccomp_notif *req, int notifyFd, if (procMemFd == \-1) errExit("\etS: open"); - /* Check that the process whose info we are accessing is still alive. + /* Check that the process whose info we are accessing is still alive + and blocked in the system call that caused the notification. If the SECCOMP_IOCTL_NOTIF_ID_VALID operation (performed in checkNotificationIdIsValid()) succeeds, we know that the /proc/PID/mem file descriptor that we opened corresponds to the
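Review bot: In the hunk at @@ -1315,11 +1315,14 @@ (comment above checkNotificationIdIsValid()), the second paragraph still describes the TOCTOU race only as PID reuse after termination, so the signal-interruption case added in the first paragraph has no stated consequence. Add a clause saying what goes wrong when the target is still alive but no longer blocked in the system call, since in that case the PID has not been reused and the reader cannot tell from this comment why the check still matters. The existing wording "the PID that is returned by SECCOMP_IOCTL_NOTIF_RECV terminates" also makes the PID the thing that terminates; "the process whose PID is returned by SECCOMP_IOCTL_NOTIF_RECV terminates and its PID is reused by another process" reads more accurately. "When doing such things as accessing" could be shortened to "when, for example, accessing".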
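Review bot: In the hunk at @@ -1349,7 +1352,8 @@ (comment in getTargetPathname()), the new first sentence promises a check that the process is "still alive and blocked in the system call", but the unchanged sentence that follows it draws a conclusion only about the /proc/PID/mem file descriptor corresponding to the process, as far as the visible context shows. If the rest of that comment does not mention the blocked state, extend it so that the conclusion matches the condition now stated. The wording is also inconsistent with the other hunk of this patch: here it is "the process" and "the system call that caused the notification", there it is "the target process" and "the system call that generated the notification". Pick one phrasing and use it in both comments.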