From 1793395c5c9ec8885cc5fe5d902c4378d58b3dee Mon Sep 17 00:00:00 2001 From: Tom Hromatka Date: Wed, 12 Feb 2025 10:34:52 -0700 Subject: [PATCH] doc: Add documentation for max kernel version attributes Add documentation for SCMP_FLTATR_ACT_UNKNOWN and SCMP_FLTATR_CTL_KVER. Signed-off-by: Tom Hromatka --- doc/man/man3/seccomp_attr_set.3 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3 index 571010ee..75d7bbbd 100644 --- a/doc/man/man3/seccomp_attr_set.3 +++ b/doc/man/man3/seccomp_attr_set.3 @@ -138,6 +138,18 @@ A flag to specify if libseccomp should request wait killable semantics when possible. Defaults to off .RI ( value == 0). +.TP +.B SCMP_FLTATR_ACT_ENOSYS +Action to take when an unknown (too new) syscall is invoked. Used in +conjunction with SCMP_FLTATR_CTL_KVER. Defaults to SCMP_ACT_ERRNO(38) +(ENOSYS). If desired behavior differs from the default, then this attribute +must be set prior to setting SCMP_FLTATR_CTL_KVERMAX. +.TP +.B SCMP_FLTATR_CTL_KVERMAX +Maximum kernel version understood by the user application. Syscalls from +newer kernel versions will return with the action in SCMP_FLTATR_ACT_ENOSYS. +Once SCMP_FLTATR_CTL_KVERMAX is set, no more rules can be added to the +filter. Attempting to add more rules will result in -EINVAL. .\" ////////////////////////////////////////////////////////////////////////// .SH RETURN VALUE .\" //////////////////////////////////////////////////////////////////////////
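Review bot: the attribute names do not agree across the patch. In the new SCMP_FLTATR_ACT_ENOSYS entry, the second sentence reads "Used in conjunction with SCMP_FLTATR_CTL_KVER", while the rest of the hunk uses SCMP_FLTATR_CTL_KVERMAX. The commit message names SCMP_FLTATR_ACT_UNKNOWN and SCMP_FLTATR_CTL_KVER, neither of which is documented by the added lines. Please settle on the names that match the header and use them in both the message and the man page text, since a reader copying the wrong identifier from the man page will not compile. Two documentation gaps in the same entries: the SCMP_FLTATR_CTL_KVERMAX text does not say how the kernel version is expressed in the attribute value or what the default is, unlike the preceding entry, which ends with ".RI ( value == 0)."; and the ordering constraints (set SCMP_FLTATR_ACT_ENOSYS first, no rules after SCMP_FLTATR_CTL_KVERMAX) are easy to miss in running prose. Since getting the order wrong either fails rule addition with -EINVAL or leaves the default ENOSYS action in place for unknown syscalls, consider stating the required call order explicitly and noting the -EINVAL case where the rule-adding calls' errors are documented.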