author Ronny Chevalier <chevalier.ronny@gmail.com> 2014-02-12 01:29:54 +0100
committer Lennart Poettering <lennart@poettering.net> 2014-02-12 18:30:36 +0100
commit c0467cf387548dc98c0254f63553d862b35a84e5 (patch)
tree 6ea69e522b79a81e5d7f1685ddbe50675ec0137c /man
parent c6f7b693fedfd822febc219868fc810c32d458c5 (diff)
syscallfilter: port to libseccomp
Diffstat (limited to 'man')
-rw-r--r-- man/systemd.exec.xml 18
1 files changed, 17 insertions, 1 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f4caccdd23..0c6ca5acfb 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1029,7 +1029,23 @@
merged. If the empty string is
assigned, the filter is reset, all
prior assignments will have no
- effect.</para></listitem>
+ effect.</para>
+
+ <para>If you specify both types of this option
+ (i.e. whitelisting and blacklisting) the first
+ encountered will take precedence and will
+ dictate the default action (termination
+ or approval of a system call). Then the
+ next occurrences of this option will add or
+ delete the listed system calls from the set
+ of the filtered system calls, depending of
+ its type and the default action (e.g. You
+ have started with a whitelisting of <function>
+ read</function> and <function>write</function>
+ and right after it add a blacklisting of
+ <function>write</function>, then <function>
+ write</function> will be removed from the set)
+ </para></listitem>
</varlistentry>
</variablelist>
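Review bot: the example at the end of the added <para> leaves the outcome ambiguous: "then write will be removed from the set" does not say which set, while the sentence before it speaks of "the set of the filtered system calls", so a reader cannot tell whether write ends up permitted or terminated. Since this paragraph decides what a unit's filter actually allows, state the result explicitly, for example that after the whitelisting of read and write followed by a blacklisting of write, only read remains permitted. Smaller points in the same paragraph: each <function> element is opened at the end of one line with the name on the next ("<function>" then "read</function>"), which puts whitespace inside the element, so keep the tag and name on one line; "depending of" should be "depending on"; "e.g. You" should be lowercase; and the sentence has no closing period after "set)".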