From: Christian Brauner Date: Thu, 25 Apr 2019 14:40:40 +0000 (+0200) Subject: doc: add lxc.seccomp.notify.proxy X-Git-Tag: lxc-3.2.0~93^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a6437599caa44264d671daf660bb0d40073000d;p=thirdparty%2Flxc.git doc: add lxc.seccomp.notify.proxy Signed-off-by: Christian Brauner --- diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index ee78e49a3..4ed65f63a 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1873,8 +1873,27 @@ dev/null proc/kcore none bind,relative 0 0 2 blacklist mknod errno 0 + ioctl notify + + Specifying "errno" as action will cause LXC to register a seccomp filter + that will cause a specific errno to be returned ot the caller. The errno + value can be specified after the "errno" action word. + + + + Specifying "notify" as action will cause LXC to register a seccomp + listener and retrieve a listener file descriptor from the kernel. When a + syscall is made that is registered as "notify" the kernel will generate a + poll event and send a message over the file descriptor. The caller can + read this message, inspect the syscalls including its arguments. Based on + this information the caller is expected to send back a message informing + the kernel which action to take. Until that message is sent the kernel + will block the calling process. The format of the messages to read and + sent is documented in seccomp itself. + + @@ -1900,6 +1919,20 @@ dev/null proc/kcore none bind,relative 0 0 + + + + + + + Specify a unix socket to which LXC will connect and forward + seccomp events to. The path must by in the form + unix:/path/to/socket or unix:@socket. The former specifies a + path-bound unix domain socket while the latter specifies an + abstract unix domain socket. + + +
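Review bot: two typos in the first hunk's new text: "returned ot the caller" should read "returned to the caller", and "The format of the messages to read and sent" should read "to read and send". While touching that paragraph, it would help readers to state that the "notify" action blocks the calling process until the listener answers, so a rule using "notify" without a live listener leaves the syscall pending; the paragraph already says the kernel blocks until the reply is sent, so a one-line pointer to where the events are consumed would complete the documentation.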
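Review bot: in the second hunk, "The path must by in the form" should read "The path must be in the form". The description should also say that this option only takes effect when a seccomp rule uses the "notify" action added in the previous hunk, and ideally what LXC does if the socket cannot be reached, since the hunk only documents the two accepted forms (unix:/path/to/socket and unix:@socket) and not the failure behaviour.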