.BR __X32_SYSCALL_BIT
or it must recognize syscalls with and without
.BR __X32_SYSCALL_BIT
-set. A list of syscalls to be denied based on
+set.
+A list of system calls to be denied based on
.IR nr
that does not also contain
.IR nr
set can be bypassed by a malicious program that sets
.BR __X32_SYSCALL_BIT .
.PP
-Additionally, kernels prior to 5.4 incorrectly permitted
+Additionally, kernels prior to Linux 5.4 incorrectly permitted
.IR nr
-in the ranges 512-547 as well as the corresponding non-x32 syscalls ored
+in the ranges 512-547 as well as the corresponding non-x32 syscalls ORed
with
.BR __X32_SYSCALL_BIT .
For example,
would result in invocations of
.BR ptrace (2)
with potentially confused x32-vs-x86_64 semantics in the kernel.
-Policies intended to work on kernels before 5.4 must ensure that they
-deny or otherwise correctly handle these system calls. On kernels
-5.4 and newer, such system calls will return -ENOSYS without doing
-anything.
+Policies intended to work on kernels before Linux 5.4 must ensure that they
+deny or otherwise correctly handle these system calls.
+On Linux 5.4 and newer,
.\" commit 6365b842aae4490ebfafadfc6bb27a6d3cc54757
+such system calls will fail with the error
+.BR ENOSYS ,
+without doing anything.
.PP
The
.I instruction_pointer
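Review bot: the change from "syscalls" to "system calls" is applied only in the "A list of system calls to be denied based on" line, so the paragraph now mixes both forms. The added line "in the ranges 512-547 as well as the corresponding non-x32 syscalls ORed" and the unchanged "it must recognize syscalls with and without" keep the short form. If the intent is to normalise terminology, use "system calls" in the ORed line as well and pick up the context line in the same patch. While that line is being touched, "in the ranges 512-547" gives a single range, so "in the range 512-547" would read more accurately. The rewording of "-ENOSYS" to "fail with the error ENOSYS" looks fine as is.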