seccomp.2, seccomp_user_notif.2: Clarify that there can be only one SECCOMP_FILTER_FL...

Reported-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

diff --git a/man2/seccomp.2 b/man2/seccomp.2
index 7617537cebc6c244e5330b2e4d7dcbb3f475d15a..362210551cdc181a95ce7651bacea69b20211702 100644 (file)
--- a/man2/seccomp.2
+++ b/man2/seccomp.2
@@ -222,6 +222,11 @@ return a new user-space notification file descriptor.
 When the filter returns
 .BR SECCOMP_RET_USER_NOTIF
 a notification will be sent to this file descriptor.
+.IP
+At most one seccomp filter using the
+.BR SECCOMP_FILTER_FLAG_NEW_LISTENER
+flag can be installed for a thread.
+.IP
 See
 .BR seccomp_user_notif (2)
 for further details.
@@ -798,6 +803,12 @@ capability in its user namespace, or had not set
 before using
 .BR SECCOMP_SET_MODE_FILTER .
 .TP
+.BR EBUSY
+While installing a new filter, the
+.BR SECCOMP_FILTER_FLAG_NEW_LISTENER
+flag was specified,
+but a previous filter had already been installed with that flag.
+.TP
 .BR EFAULT
 .IR args
 was not a valid address.

diff --git a/man2/seccomp_user_notif.2 b/man2/seccomp_user_notif.2
index 7a4b9d3b41753a34daf5a68e31c7add057cc0044..322386da52a88544e3592dc74471a1938309229a 100644 (file)
--- a/man2/seccomp_user_notif.2
+++ b/man2/seccomp_user_notif.2
@@ -92,6 +92,7 @@ Consequently, the return value  of the (successful)
 .BR seccomp (2)
 call is a new "listening"
 file descriptor that can be used to receive notifications.
+Only one such "listener" can be established.
 .IP \(bu
 In cases where it is appropriate, the seccomp filter returns the action value
 .BR SECCOMP_RET_USER_NOTIF .