Diffstat (limited to 'kernel/seccomp.c')
-rw-r--r-- | kernel/seccomp.c | 4 |
1 files changed, 2 insertions, 2 deletions
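--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -39,7 +39,7 @@
 * is only needed for handling filters shared across tasks.
 * @prev: points to a previously installed, or inherited, filter
 * @len: the number of instructions in the program
-* @insns: the BPF program instructions to evaluate
+* @insnsi: the BPF program instructions to evaluate
 *
 * seccomp_filter objects are organized in a tree linked via the @prev
 * pointer. For any task, it appears to be a singly-linked list starting
@@ -220,7 +220,7 @@ static long seccomp_attach_filter(struct sock_fprog *fprog)
 return -ENOMEM;
 
 /*
-* Installing a seccomp filter requires that the task have
+* Installing a seccomp filter requires that the task has
 * CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
 * This avoids scenarios where unprivileged tasks can affect the
 * behavior of privileged children.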
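Review bot: In the second hunk the reworded comment mixes verb moods: `requires that the task has` is now followed on the next line by the unchanged `or be running with no_new_privs`, so the two alternatives of the precondition no longer read in parallel. Either keep the original subjunctive `have`, or change both verbs, for example `* CAP_SYS_ADMIN in its namespace or is running with no_new_privs.`. This comment states the privilege requirement for attaching a filter, so it should read unambiguously. The code that enforces the requirement lies in the part of seccomp_attach_filter outside this hunk and cannot be compared against the comment from here.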