doc: Add documentation for max kernel version attributes

Add documentation for SCMP_FLTATR_ACT_UNKNOWN and SCMP_FLTATR_CTL_KVER. Signed-off-by: Tom Hromatka <[email protected]>
drakenclimber · Feb 18, 2025 · 9db8052 · 9db8052
1 parent 5c3d2b7
commit 9db8052
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3
@@ -138,6 +138,18 @@ A flag to specify if libseccomp should request wait killable semantics when
 possible.  Defaults to off
 .RI ( value
 == 0).
+.TP
+.B SCMP_FLTATR_ACT_ENOSYS
+Action to take when an unknown (too new) syscall is invoked.  Used in
+conjunction with SCMP_FLTATR_CTL_KVER.  Defaults to SCMP_ACT_ERRNO(38)
+(ENOSYS).  If desired behavior differs from the default, then this attribute
+must be set prior to setting SCMP_FLTATR_CTL_KVERMAX.
+.TP
+.B SCMP_FLTATR_CTL_KVERMAX
+Maximum kernel version understood by the user application.  Syscalls from
+newer kernel versions will return with the action in SCMP_FLTATR_ACT_ENOSYS.
+Once SCMP_FLTATR_CTL_KVERMAX is set, no more rules can be added to the
+filter.  Attempting to add more rules will result in -EINVAL.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////