git.ipfire.org Git - thirdparty/man-pages.git/commitdiff
seccomp.2: Warn reader that SECCOMP_RET_TRACE can be overridden
author Michael Kerrisk <mtk.manpages@gmail.com>
Thu, 15 Oct 2020 11:02:36 +0000 (13:02 +0200)
committer Michael Kerrisk <mtk.manpages@gmail.com>
Thu, 15 Oct 2020 11:06:36 +0000 (13:06 +0200)
Highlight to the reader that if another filter returns a
higher-precedence action value, then the ptracer will not
be notified.

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
man2/seccomp.2

index 9d42f22f932fbb88e998595cc25c9e6269f0f231..4cacbbde5d53c33bc0fee552df164b4dca86e514 100644 (file)
@@ -606,6 +606,10 @@ allow use of
 of other
 sandboxed processes\(emwithout extreme care;
 ptracers can use this mechanism to escape from the seccomp sandbox.)
+.IP
+Note that a tracer process will not be notified
+if another filter returns an action value with a precedence greater than
+.BR SECCOMP_RET_TRACE .
 .TP
 .BR SECCOMP_RET_LOG " (since Linux 4.14)"
 .\" commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4
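Review bot: the new paragraph after `+.IP` says the tracer is not notified when another filter returns an action "with a precedence greater than SECCOMP_RET_TRACE", but it neither names those actions nor points to where the precedence order is defined. Because this text closes the SECCOMP_RET_TRACE entry, a reader who lands here cannot tell which return values silently bypass a tracer-based policy. Consider listing the higher-precedence actions or adding a pointer to the part of the page that gives the ordering. It would also help to state that "another filter" means one evaluated for the same system call, which the sentence currently leaves implicit.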