From fb903f8c3fcf51e213491199ae75ef1f3ed3b1ef Mon Sep 17 00:00:00 2001 From: Akihiro MOTOKI Date: Sun, 11 Jan 2015 04:04:48 +0900 Subject: [PATCH] Add seccomp.2 to po4a/process --- po4a/process/po/ja.po | 982 +++++++++++++++++++++++++++++++++++++++++++- po4a/process/po/process.pot | 930 +++++++++++++++++++++++++++++++++++++++-- stats/process | 1 + untrans.html | 3 +- 4 files changed, 1876 insertions(+), 40 deletions(-) diff --git a/po4a/process/po/ja.po b/po4a/process/po/ja.po index e23bbd30..89d29e0d 100644 --- a/po4a/process/po/ja.po +++ b/po4a/process/po/ja.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" -"POT-Creation-Date: 2015-01-11 03:53+0900\n" +"POT-Creation-Date: 2015-01-11 04:00+0900\n" "PO-Revision-Date: 2015-01-09 07:03+0900\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -43,7 +43,7 @@ msgstr "2008-06-16" #: build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 #: build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 #: build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 -#: build/C/man7/user_namespaces.7:27 +#: build/C/man7/user_namespaces.7:27 build/C/man2/seccomp.2:27 #, no-wrap msgid "Linux" msgstr "Linux" @@ -64,7 +64,7 @@ msgstr "Linux" #: build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 #: build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 #: build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 -#: build/C/man7/user_namespaces.7:27 +#: build/C/man7/user_namespaces.7:27 build/C/man2/seccomp.2:27 #, no-wrap msgid "Linux Programmer's Manual" msgstr "Linux Programmer's Manual" @@ -85,7 +85,7 @@ msgstr "Linux Programmer's Manual" #: build/C/man2/setpgid.2:49 build/C/man2/setresuid.2:27 #: build/C/man2/setreuid.2:46 build/C/man2/setsid.2:32 #: build/C/man2/setuid.2:31 build/C/man7/svipc.7:41 build/C/man3/ulimit.3:28 -#: build/C/man7/user_namespaces.7:28 +#: build/C/man7/user_namespaces.7:28 build/C/man2/seccomp.2:28 #, no-wrap msgid "NAME" msgstr "名前" 
@@ -108,6 +108,7 @@ msgstr "acct - プロセス・アカウントのオンとオフを切り換え #: build/C/man2/setpgid.2:51 build/C/man2/setresuid.2:29 #: build/C/man2/setreuid.2:48 build/C/man2/setsid.2:34 #: build/C/man2/setuid.2:33 build/C/man7/svipc.7:43 build/C/man3/ulimit.3:30 +#: build/C/man2/seccomp.2:30 #, no-wrap msgid "SYNOPSIS" msgstr "書式" @@ -156,7 +157,7 @@ msgstr "" #: build/C/man2/setpgid.2:100 build/C/man2/setresuid.2:37 #: build/C/man2/setreuid.2:70 build/C/man2/setsid.2:41 #: build/C/man2/setuid.2:39 build/C/man7/svipc.7:49 build/C/man3/ulimit.3:34 -#: build/C/man7/user_namespaces.7:30 +#: build/C/man7/user_namespaces.7:30 build/C/man2/seccomp.2:43 #, no-wrap msgid "DESCRIPTION" msgstr "説明" @@ -186,6 +187,7 @@ msgstr "" #: build/C/man2/setgid.2:53 build/C/man2/setpgid.2:195 #: build/C/man2/setresuid.2:64 build/C/man2/setreuid.2:93 #: build/C/man2/setsid.2:54 build/C/man2/setuid.2:70 build/C/man3/ulimit.3:67 +#: build/C/man2/seccomp.2:342 #, no-wrap msgid "RETURN VALUE" msgstr "返り値" @@ -214,6 +216,7 @@ msgstr "" #: build/C/man2/setgid.2:58 build/C/man2/setpgid.2:216 #: build/C/man2/setresuid.2:76 build/C/man2/setreuid.2:105 #: build/C/man2/setsid.2:61 build/C/man2/setuid.2:82 build/C/man3/ulimit.3:74 +#: build/C/man2/seccomp.2:358 #, no-wrap msgid "ERRORS" msgstr "エラー" @@ -243,6 +246,7 @@ msgstr "" #: build/C/man2/acct.2:77 build/C/man2/capget.2:180 build/C/man7/cpuset.7:1172 #: build/C/man2/getgroups.2:107 build/C/man2/getresuid.2:56 #: build/C/man2/getrlimit.2:467 build/C/man2/getrusage.2:194 +#: build/C/man2/seccomp.2:369 #, no-wrap msgid "B" msgstr "B" @@ -323,13 +327,15 @@ msgstr "指定されたファイルが存在しない。" #. type: TP #: build/C/man2/acct.2:103 build/C/man7/cpuset.7:1287 -#: build/C/man2/getgroups.2:127 +#: build/C/man2/getgroups.2:127 build/C/man2/seccomp.2:413 +#: build/C/man2/seccomp.2:416 #, no-wrap msgid "B" msgstr "B" #. type: Plain text #: build/C/man2/acct.2:106 build/C/man2/getgroups.2:130 +#: build/C/man2/seccomp.2:416 msgid "Out of memory." msgstr "メモリ不足。" 
@@ -425,7 +431,7 @@ msgstr "使用可能なファイル構造体がないか、メモリが足りな #: build/C/man2/setpgid.2:250 build/C/man2/setresuid.2:109 #: build/C/man2/setreuid.2:148 build/C/man2/setsid.2:68 #: build/C/man2/setuid.2:117 build/C/man3/ulimit.3:78 -#: build/C/man7/user_namespaces.7:645 +#: build/C/man7/user_namespaces.7:645 build/C/man2/seccomp.2:435 #, no-wrap msgid "CONFORMING TO" msgstr "準拠" @@ -455,6 +461,7 @@ msgstr "SVr4, 4.3BSD (POSIX ではない)。" #: build/C/man2/setpgid.2:272 build/C/man2/setresuid.2:112 #: build/C/man2/setreuid.2:154 build/C/man2/setsid.2:70 #: build/C/man2/setuid.2:122 build/C/man7/user_namespaces.7:648 +#: build/C/man2/seccomp.2:439 #, no-wrap msgid "NOTES" msgstr "注意" @@ -493,7 +500,7 @@ msgstr "" #: build/C/man2/setpgid.2:340 build/C/man2/setresuid.2:132 #: build/C/man2/setreuid.2:194 build/C/man2/setsid.2:93 #: build/C/man2/setuid.2:145 build/C/man7/svipc.7:335 build/C/man3/ulimit.3:83 -#: build/C/man7/user_namespaces.7:1011 +#: build/C/man7/user_namespaces.7:1011 build/C/man2/seccomp.2:662 #, no-wrap msgid "SEE ALSO" msgstr "関連項目" @@ -519,7 +526,7 @@ msgstr "B(5)" #: build/C/man2/setpgid.2:347 build/C/man2/setresuid.2:142 #: build/C/man2/setreuid.2:203 build/C/man2/setsid.2:100 #: build/C/man2/setuid.2:153 build/C/man7/svipc.7:353 build/C/man3/ulimit.3:88 -#: build/C/man7/user_namespaces.7:1027 +#: build/C/man7/user_namespaces.7:1027 build/C/man2/seccomp.2:678 #, no-wrap msgid "COLOPHON" msgstr "この文書について" @@ -540,7 +547,7 @@ msgstr "この文書について" #: build/C/man2/setpgid.2:355 build/C/man2/setresuid.2:150 #: build/C/man2/setreuid.2:211 build/C/man2/setsid.2:108 #: build/C/man2/setuid.2:161 build/C/man7/svipc.7:361 build/C/man3/ulimit.3:96 -#: build/C/man7/user_namespaces.7:1035 +#: build/C/man7/user_namespaces.7:1035 build/C/man2/seccomp.2:686 #, fuzzy #| msgid "" #| "This page is part of release 3.76 of the Linux I project. A " 
@@ -792,7 +799,7 @@ msgstr "" #: build/C/man2/getresuid.2:60 build/C/man2/getrlimit.2:499 #: build/C/man2/getsid.2:75 build/C/man2/ioprio_set.2:193 #: build/C/man2/setfsgid.2:71 build/C/man2/setfsuid.2:71 -#: build/C/man2/setresuid.2:107 +#: build/C/man2/setresuid.2:107 build/C/man2/seccomp.2:430 #, no-wrap msgid "VERSIONS" msgstr "バージョン" @@ -1062,6 +1069,10 @@ msgstr "B" #: build/C/man7/user_namespaces.7:477 build/C/man7/user_namespaces.7:479 #: build/C/man7/user_namespaces.7:492 build/C/man7/user_namespaces.7:505 #: build/C/man7/user_namespaces.7:532 build/C/man7/user_namespaces.7:541 +#: build/C/man2/seccomp.2:265 build/C/man2/seccomp.2:269 +#: build/C/man2/seccomp.2:272 build/C/man2/seccomp.2:277 +#: build/C/man2/seccomp.2:281 build/C/man2/seccomp.2:455 +#: build/C/man2/seccomp.2:463 build/C/man2/seccomp.2:469 #, no-wrap msgid "*" msgstr "*" @@ -3353,7 +3364,9 @@ msgstr "" #: build/C/man2/ioprio_set.2:170 build/C/man2/seteuid.2:80 #: build/C/man2/setgid.2:59 build/C/man2/setpgid.2:225 #: build/C/man2/setresuid.2:99 build/C/man2/setreuid.2:128 -#: build/C/man2/setuid.2:105 +#: build/C/man2/setuid.2:105 build/C/man2/seccomp.2:373 +#: build/C/man2/seccomp.2:380 build/C/man2/seccomp.2:387 +#: build/C/man2/seccomp.2:393 build/C/man2/seccomp.2:402 #, no-wrap msgid "B" msgstr "B" @@ -3399,7 +3412,7 @@ msgstr "" #: build/C/man2/capget.2:215 build/C/man7/cpuset.7:1330 #: build/C/man2/getpriority.2:126 build/C/man2/getrlimit.2:495 #: build/C/man2/getsid.2:70 build/C/man2/ioprio_set.2:187 -#: build/C/man2/setpgid.2:240 +#: build/C/man2/setpgid.2:240 build/C/man2/seccomp.2:426 #, no-wrap msgid "B" msgstr "B" @@ -5274,7 +5287,7 @@ msgstr "" #. type: SH #: build/C/man7/cpuset.7:1365 build/C/man2/getrlimit.2:703 #: build/C/man7/namespaces.7:361 build/C/man7/pid_namespaces.7:353 -#: build/C/man7/user_namespaces.7:677 +#: build/C/man7/user_namespaces.7:677 build/C/man2/seccomp.2:476 #, no-wrap msgid "EXAMPLE" msgstr "例" 
@@ -9904,7 +9917,7 @@ msgid "PID_NAMESPACES" msgstr "PID_NAMESPACES" #. type: TH -#: build/C/man7/pid_namespaces.7:27 +#: build/C/man7/pid_namespaces.7:27 build/C/man2/seccomp.2:27 #, fuzzy, no-wrap #| msgid "2014-01-07" msgid "2015-01-10" @@ -13629,7 +13642,7 @@ msgstr "" " 22 pts/3 R+ 0:00 ps ax\n" #. type: SS -#: build/C/man7/user_namespaces.7:758 +#: build/C/man7/user_namespaces.7:758 build/C/man2/seccomp.2:574 #, no-wrap msgid "Program source" msgstr "プログラムのソース" 
@@ -14259,6 +14272,943 @@ msgid "" msgstr "" "カーネルのソーフファイル I" +#. type: TH +#: build/C/man2/seccomp.2:27 +#, no-wrap +msgid "SECCOMP" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:30 +msgid "seccomp - operate on Secure Computing state of the process" +msgstr "" + +#. Kees Cook noted: Anything that uses SECCOMP_RET_TRACE returns will +#. need +#. type: Plain text +#: build/C/man2/seccomp.2:39 +#, fuzzy, no-wrap +#| msgid "" +#| "#define _GNU_SOURCE\n" +#| "#define _FILE_OFFSET_BITS 64\n" +#| "#include Estdio.hE\n" +#| "#include Etime.hE\n" +#| "#include Estdlib.hE\n" +#| "#include Eunistd.hE\n" +#| "#include Esys/resource.hE\n" +msgid "" +"B<#include Elinux/seccomp.hE>\n" +"B<#include Elinux/filter.hE>\n" +"B<#include Elinux/audit.hE>\n" +"B<#include Elinux/signal.hE>\n" +"B<#include Esys/ptrace.hE>\n" +msgstr "" +"#define _GNU_SOURCE\n" +"#define _FILE_OFFSET_BITS 64\n" +"#include Estdio.hE\n" +"#include Etime.hE\n" +"#include Estdlib.hE\n" +"#include Eunistd.hE\n" +"#include Esys/resource.hE\n" + +#. type: Plain text +#: build/C/man2/seccomp.2:42 +#, fuzzy, no-wrap +#| msgid "BIB<, uid_t >IB<, uid_t >IB<);>" +msgid "BIB<, unsigned int >IB<, void *>IB<);>\n" +msgstr "BIB<, uid_t >IB<, uid_t >IB<);>" + +#. type: Plain text +#: build/C/man2/seccomp.2:48 +#, fuzzy +#| msgid "" +#| "B() sets real and effective user IDs of the calling process." +msgid "" +"The B() system call operates on the Secure Computing (seccomp) " +"state of the calling process." +msgstr "" +"B() は呼び出し元のプロセスの実 (real) ユーザー ID と 実効 " +"(effective) ユーザー ID を設定する。" + +#. type: Plain text +#: build/C/man2/seccomp.2:52 +msgid "Currently, Linux supports the following I values:" +msgstr "" + +#. type: TP +#: build/C/man2/seccomp.2:52 +#, no-wrap +msgid "B" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:66 +msgid "" +"The only system calls that the calling thread is permitted to make are " +"B(2), B(2), B<_exit>(2), and B(2). 
Other system " +"calls result in the delivery of a B signal. Strict secure " +"computing mode is useful for number-crunching applications that may need to " +"execute untrusted byte code, perhaps obtained by reading from a pipe or " +"socket." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:70 +msgid "" +"This operation is available only if the kernel is configured with " +"B enabled." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:76 +msgid "The value of I must be 0, and I must be NULL." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:78 +msgid "This operation is functionally identical to the call:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:80 +#, no-wrap +msgid " prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);\n" +msgstr "" + +#. type: TP +#: build/C/man2/seccomp.2:80 +#, fuzzy, no-wrap +#| msgid "B" +msgid "B" +msgstr "B" + +#. type: Plain text +#: build/C/man2/seccomp.2:95 +msgid "" +"The system calls allowed are defined by a pointer to a Berkeley Packet " +"Filter (BPF) passed via I. This argument is a pointer to a I; it can be designed to filter arbitrary system calls and system " +"call arguments. If the filter is invalid, B() fails, returning " +"B in I." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:107 +msgid "" +"If B(2) or B(2) is allowed by the filter, any child processes " +"will be constrained to the same system call filters as the parent. If " +"B(2) is allowed, the existing filters will be preserved across a " +"call to B(2)." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:117 +msgid "" +"In order to use the B operation, either the caller " +"must have the B capability, or the thread must already have " +"the I bit set. If that bit was not already set by an ancestor " +"of this thread, the thread must make the following call:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:119 +#, no-wrap +msgid " prctl(PR_SET_NO_NEW_PRIVS, 1);\n" +msgstr "" + +#. 
type: Plain text +#: build/C/man2/seccomp.2:138 +msgid "" +"Otherwise, the B operation will fail and return " +"B in I. This requirement ensures that an unprivileged " +"process cannot apply a malicious filter and then invoke a set-user-ID or " +"other privileged program using B(2), thus potentially compromising " +"that program. (Such a malicious filter might, for example, cause an attempt " +"to use B(2) to set the caller's user IDs to non-zero values to " +"instead return 0 without actually making the system call. Thus, the program " +"might be tricked into retaining superuser privileges in circumstances where " +"it is possible to influence it to do dangerous things because it did not " +"actually drop privileges.)" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:146 +msgid "" +"If B(2) or B(2) is allowed by the attached filter, further " +"filters may be added. This will increase evaluation time, but allows for " +"further reduction of the attack surface during execution of a thread." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:152 +msgid "" +"The B operation is available only if the kernel is " +"configured with B enabled." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:156 +msgid "" +"When I is 0, this operation is functionally identical to the call:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:158 +#, no-wrap +msgid " prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:162 +msgid "The recognized I are:" +msgstr "" + +#. type: TP +#: build/C/man2/seccomp.2:163 +#, no-wrap +msgid "B" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:171 +msgid "" +"When adding a new filter, synchronize all other threads of the calling " +"process to the same seccomp filter tree. A \"filter tree\" is the ordered " +"list of filters attached to a thread. 
(Attaching identical filters in " +"separate B() calls results in different filters from this " +"perspective.)" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:179 +msgid "" +"If any thread cannot synchronize to the same filter tree, the call will not " +"attach the new seccomp filter, and will fail, returning the first thread ID " +"found that cannot synchronize. Synchronization will fail if another thread " +"in the same process is in B or if it has attached new " +"seccomp filters to itself, diverging from the calling thread's filter tree." +msgstr "" + +#. type: SS +#: build/C/man2/seccomp.2:180 +#, no-wrap +msgid "Filters" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:185 +msgid "" +"When adding filters via B, I points to a " +"filter program:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:193 +#, no-wrap +msgid "" +"struct sock_fprog {\n" +" unsigned short len; /* Number of BPF instructions */\n" +" struct sock_filter *filter; /* Pointer to array of\n" +" BPF instructions */\n" +"};\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:197 +msgid "Each program must contain one or more BPF instructions:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:206 +#, no-wrap +msgid "" +"struct sock_filter { /* Filter block */\n" +" __u16 code; /* Actual filter code */\n" +" __u8 jt; /* Jump true */\n" +" __u8 jf; /* Jump false */\n" +" __u32 k; /* Generic multiuse field */\n" +"};\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:213 +msgid "" +"When executing the instructions, the BPF program operates on the system call " +"information made available (i.e., use the B addressing mode) as a " +"buffer of the following form:" +msgstr "" + +#. 
type: Plain text +#: build/C/man2/seccomp.2:223 +#, no-wrap +msgid "" +"struct seccomp_data {\n" +" int nr; /* System call number */\n" +" __u32 arch; /* AUDIT_ARCH_* value\n" +" (see Elinux/audit.hE) */\n" +" __u64 instruction_pointer; /* CPU instruction pointer */\n" +" __u64 args[6]; /* Up to 6 system call arguments */\n" +"};\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:234 +msgid "" +"A seccomp filter returns a 32-bit value consisting of two parts: the most " +"significant 16 bits (corresponding to the mask defined by the constant " +"B) contain one of the \"action\" values listed below; " +"the least significant 16-bits (defined by the constant B) " +"are \"data\" to be associated with this return value." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:242 +msgid "" +"If multiple filters exist, they are all executed, in reverse order of their " +"addition to the filter tree (i.e., the most recently installed filter is " +"executed first). The return value for the evaluation of a given system call " +"is the first-seen B value of highest precedence (along " +"with its accompanying data) returned by execution of all of the filters." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:245 +msgid "" +"In decreasing order of precedence, the values that may be returned by a " +"seccomp filter are:" +msgstr "" + +#. type: TP +#: build/C/man2/seccomp.2:245 +#, fuzzy, no-wrap +#| msgid "B" +msgid "B" +msgstr "B" + +#. type: Plain text +#: build/C/man2/seccomp.2:254 +msgid "" +"This value results in the process exiting immediately without executing the " +"system call. The process terminates as though killed by a B signal " +"(I B)." +msgstr "" + +#. type: TP +#: build/C/man2/seccomp.2:254 +#, no-wrap +msgid "B" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:264 +msgid "" +"This value results in the kernel sending a B signal to the " +"triggering process without executing the system call. 
Various fields will " +"be set in the I structure (see B(2)) associated with " +"signal:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:269 +msgid "I will contain B." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:272 +msgid "I will show the address of the system call instruction." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:277 +msgid "" +"I and I will indicate which system call was attempted." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:281 +msgid "I will contain B." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:286 +msgid "" +"I will contain the B portion of the filter " +"return value." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:295 +msgid "" +"The program counter will be as though the system call happened (i.e., it " +"will not point to the system call instruction). The return value register " +"will contain an architecture-dependent value; if resuming execution, set it " +"to something appropriate for the system call. (The architecture dependency " +"is because replacing it with B could overwrite some useful " +"information.)" +msgstr "" + +#. type: TP +#: build/C/man2/seccomp.2:295 +#, no-wrap +msgid "B" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:302 +msgid "" +"This value results in the B portion of the filter's return " +"value being passed to user space as the I value without executing the " +"system call." +msgstr "" + +#. type: TP +#: build/C/man2/seccomp.2:302 +#, fuzzy, no-wrap +#| msgid "B" +msgid "B" +msgstr "B" + +#. type: Plain text +#: build/C/man2/seccomp.2:312 +msgid "" +"When returned, this value will cause the kernel to attempt to notify a " +"B(2)-based tracer prior to executing the system call. If there is " +"no tracer present, the system call is not executed and returns a failure " +"status with I set to B." +msgstr "" + +#. 
type: Plain text +#: build/C/man2/seccomp.2:323 +msgid "" +"A tracer will be notified if it requests B using " +"I. The tracer will be notified of a " +"B and the B portion of the filter's " +"return value will be available to the tracer via B." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:330 +msgid "" +"The tracer can skip the system call by changing the system call number to " +"-1. Alternatively, the tracer can change the system call requested by " +"changing the system call to a valid system call number. If the tracer asks " +"to skip the system call, then the system call will appear to return the " +"value that the tracer puts in the return value register." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:339 +msgid "" +"The seccomp check will not be run again after the tracer is notified. (This " +"means that seccomp-based sandboxes B allow use of " +"B(2)\\(emeven of other sandboxed processes\\(emwithout extreme care; " +"ptracers can use this mechanism to escape from the seccomp sandbox.)" +msgstr "" + +#. type: TP +#: build/C/man2/seccomp.2:339 +#, no-wrap +msgid "B" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:342 +msgid "This value results in the system call being executed." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:358 +msgid "" +"On success, B() returns 0. On error, if " +"B was used, the return value is the ID of the " +"thread that caused the synchronization failure. (This ID is a kernel thread " +"ID of the type returned by B(2) and B(2).) On other errors, " +"-1 is returned, and I is set to indicate the cause of the error." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:361 +#, fuzzy +#| msgid "B() can additionally fail with the following errors:" +msgid "B() can fail for the following reasons:" +msgstr "B() は、上記に加えて以下のエラーで失敗する可能性がある。" + +#. type: TP +#: build/C/man2/seccomp.2:361 +#, fuzzy, no-wrap +#| msgid "B" +msgid "B" +msgstr "B" + +#. 
type: Plain text +#: build/C/man2/seccomp.2:369 +msgid "" +"The caller did not have the B capability, or had not set " +"I before using B." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:373 +#, fuzzy +#| msgid "I has an invalid address." +msgid "I was not a valid address." +msgstr "I が不正なアドレスである。" + +#. type: Plain text +#: build/C/man2/seccomp.2:380 +msgid "" +"I is unknown; or I are invalid for the given I." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:387 +msgid "" +"I included B, but the specified offset was not aligned " +"to a 32-bit boundary or exceeded I." +msgstr "" + +#. See kernel/seccomp.c::seccomp_may_assign_mode() in 3.18 sources +#. type: Plain text +#: build/C/man2/seccomp.2:393 +msgid "" +"A secure computing mode has already been set, and I differs from " +"the existing setting." +msgstr "" + +#. See stub kernel/seccomp.c::seccomp_set_mode_filter() in 3.18 sources +#. type: Plain text +#: build/C/man2/seccomp.2:402 +msgid "" +"I specified B, but the kernel was not " +"built with B enabled." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:413 +msgid "" +"I specified B, but the filter program " +"pointed to by I was not valid or the length of the filter program was " +"zero or exceeded B (4096) instructions. B" +msgstr "" + +#. ENOMEM in kernel/seccomp.c::seccomp_attach_filter() in 3.18 sources +#. type: Plain text +#: build/C/man2/seccomp.2:426 +msgid "" +"The total length of all filter programs attached to the calling thread would " +"exceed B (32768) instructions. Note that for the " +"purposes of calculating this limit, each already existing filter program " +"incurs an overhead penalty of 4 instructions." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:430 +msgid "" +"Another thread caused a failure during thread sync, but its ID could not be " +"determined." +msgstr "" + +#. FIXME . Add glibc version +#. 
type: Plain text +#: build/C/man2/seccomp.2:435 +#, fuzzy +#| msgid "These system calls appeared on Linux starting with kernel 2.1.44." +msgid "The B system call first appeared in Linux 3.17." +msgstr "これらのシステムコールはカーネル 2.1.44 から Linux に登場した。" + +#. type: Plain text +#: build/C/man2/seccomp.2:439 +#, fuzzy +#| msgid "This function is a nonstandard GNU extension." +msgid "The B system call is a nonstandard Linux extension." +msgstr "この関数は非標準の GNU 拡張である。" + +#. type: Plain text +#: build/C/man2/seccomp.2:446 +msgid "" +"The I field of the I file provides a method of " +"viewing the seccomp mode of a process; see B(5)." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:453 +msgid "" +"B() provides a superset of the functionality provided by the " +"B(2) B operation (which does not support I)." +msgstr "" + +#. type: SS +#: build/C/man2/seccomp.2:453 +#, no-wrap +msgid "Seccomp-specific BPF details" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:455 +msgid "Note the following BPF details specific to seccomp filters:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:463 +msgid "" +"The B and B size modifiers are not supported: all operations " +"must load and store (4-byte) words (B)." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:469 +msgid "" +"To access the contents of the I buffer, use the B " +"addressing mode modifier." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:476 +msgid "" +"The B addressing mode modifier yields an immediate mode operand " +"whose value is the size of the I buffer." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:482 +msgid "" +"The program below accepts four or more arguments. The first three arguments " +"are a system call number, a numeric architecture identifier, and an error " +"number. The program uses these values to construct a BPF filter that is " +"used at run time to perform the following checks:" +msgstr "" + +#. 
type: IP +#: build/C/man2/seccomp.2:482 +#, no-wrap +msgid "[1]" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:486 +msgid "" +"If the program is not running on the specified architecture, the BPF filter " +"causes system calls to fail with the error B." +msgstr "" + +#. type: IP +#: build/C/man2/seccomp.2:486 +#, no-wrap +msgid "[2]" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:491 +msgid "" +"If the program attempts to execute the system call with the specified " +"number, the BPF filter causes the system call to fail, with I being " +"set to the specified error number." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:500 +msgid "" +"The remaining command-line arguments specify the pathname and additional " +"arguments of a program that the example program should attempt to execute " +"using B(3) (a library function that employs the B(2) " +"system call). Some example runs of the program are shown below." +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:504 +msgid "" +"First, we display the architecture that we are running on (x86-64) and then " +"construct a shell function that looks up system call numbers on this " +"architecture:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:513 +#, no-wrap +msgid "" +"$ B\n" +"x86_64\n" +"$ B\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:520 +msgid "" +"When the BPF filter rejects a system call (case [2] above), it causes the " +"system call to fail with the error number specified on the command line. In " +"the experiments shown here, we'll use error number 99:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:525 +#, no-wrap +msgid "" +"$ B\n" +"EADDRNOTAVAIL 99 Cannot assign requested address\n" +msgstr "" + +#. 
type: Plain text +#: build/C/man2/seccomp.2:533 +msgid "" +"In the following example, we attempt to run the command B(1), but " +"the BPF filter rejects the B(2) system call, so that the command is " +"not even executed:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:544 +#, no-wrap +msgid "" +"$ B\n" +"59\n" +"$ B<./a.out>\n" +"Usage: ./a.out Esyscall_nrE EarchE EerrnoE EprogE [EargsE]\n" +"Hint for EarchE: AUDIT_ARCH_I386: 0x40000003\n" +" AUDIT_ARCH_X86_64: 0xC000003E\n" +"$ B<./a.out 59 0xC000003E 99 /bin/whoami>\n" +"execv: Cannot assign requested address\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:552 +msgid "" +"In the next example, the BPF filter rejects the B(2) system call, so " +"that, although it is successfully started, the B(1) command is not " +"able to write output:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:558 +#, no-wrap +msgid "" +"$ B\n" +"1\n" +"$ B<./a.out 1 0xC000003E 99 /bin/whoami>\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:565 +msgid "" +"In the final example, the BPF filter rejects a system call that is not used " +"by the B(1) command, so it is able to successfully execute and " +"produce output:" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:572 +#, no-wrap +msgid "" +"$ B\n" +"295\n" +"$ B<./a.out 295 0xC000003E 99 /bin/whoami>\n" +"cecilia\n" +msgstr "" + +#. 
type: Plain text +#: build/C/man2/seccomp.2:586 +#, fuzzy, no-wrap +#| msgid "" +#| "#define _GNU_SOURCE\n" +#| "#define _FILE_OFFSET_BITS 64\n" +#| "#include Estdio.hE\n" +#| "#include Etime.hE\n" +#| "#include Estdlib.hE\n" +#| "#include Eunistd.hE\n" +#| "#include Esys/resource.hE\n" +msgid "" +"#include Eerrno.hE\n" +"#include Estddef.hE\n" +"#include Estdio.hE\n" +"#include Estdlib.hE\n" +"#include Eunistd.hE\n" +"#include Elinux/audit.hE\n" +"#include Elinux/filter.hE\n" +"#include Elinux/seccomp.hE\n" +"#include Esys/prctl.hE\n" +msgstr "" +"#define _GNU_SOURCE\n" +"#define _FILE_OFFSET_BITS 64\n" +"#include Estdio.hE\n" +"#include Etime.hE\n" +"#include Estdlib.hE\n" +"#include Eunistd.hE\n" +"#include Esys/resource.hE\n" + +#. type: Plain text +#: build/C/man2/seccomp.2:595 +#, no-wrap +msgid "" +"static int\n" +"install_filter(int syscall_nr, int t_arch, int f_errno)\n" +"{\n" +" struct sock_filter filter[] = {\n" +" /* [0] Load architecture from 'seccomp_data' buffer into\n" +" accumulator */\n" +" BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n" +" (offsetof(struct seccomp_data, arch))),\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:599 +#, no-wrap +msgid "" +" /* [1] Jump forward 4 instructions if architecture does not\n" +" match 't_arch' */\n" +" BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 4),\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:604 +#, no-wrap +msgid "" +" /* [2] Load system call number from 'seccomp_data' buffer into\n" +" accumulator */\n" +" BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n" +" (offsetof(struct seccomp_data, nr))),\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:608 +#, no-wrap +msgid "" +" /* [3] Jump forward 1 instruction if system call number\n" +" does not match 'syscall_nr' */\n" +" BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),\n" +msgstr "" + +#. 
type: Plain text +#: build/C/man2/seccomp.2:613 +#, no-wrap +msgid "" +" /* [4] Matching architecture and system call: don't execute\n" +"\t the system call, and return 'f_errno' in 'errno' */\n" +" BPF_STMT(BPF_RET | BPF_K,\n" +" SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:617 +#, no-wrap +msgid "" +" /* [5] Destination of system call number mismatch: allow other\n" +" system calls */\n" +" BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:621 +#, no-wrap +msgid "" +" /* [6] Destination of architecture mismatch: kill process */\n" +" BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),\n" +" };\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:626 +#, no-wrap +msgid "" +" struct sock_fprog prog = {\n" +" .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),\n" +" .filter = filter,\n" +" };\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:631 +#, no-wrap +msgid "" +" if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {\n" +" perror(\"seccomp\");\n" +" return 1;\n" +" }\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:634 +#, no-wrap +msgid "" +" return 0;\n" +"}\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:646 +#, no-wrap +msgid "" +"int\n" +"main(int argc, char **argv)\n" +"{\n" +" if (argc E 5) {\n" +" fprintf(stderr, \"Usage: \"\n" +" \"%s Esyscall_nrE EarchE EerrnoE EprogE [EargsE]\\en\"\n" +" \"Hint for EarchE: AUDIT_ARCH_I386: 0x%X\\en\"\n" +" \" AUDIT_ARCH_X86_64: 0x%X\\en\"\n" +" \"\\en\", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);\n" +" exit(EXIT_FAILURE);\n" +" }\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:651 +#, no-wrap +msgid "" +" if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {\n" +" perror(\"prctl\");\n" +" exit(EXIT_FAILURE);\n" +" }\n" +msgstr "" + +#. 
type: Plain text +#: build/C/man2/seccomp.2:656 +#, no-wrap +msgid "" +" if (install_filter(strtol(argv[1], NULL, 0),\n" +" strtol(argv[2], NULL, 0),\n" +" strtol(argv[3], NULL, 0)))\n" +" exit(EXIT_FAILURE);\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:661 +#, no-wrap +msgid "" +" execv(argv[4], &argv[4]);\n" +" perror(\"execv\");\n" +" exit(EXIT_FAILURE);\n" +"}\n" +msgstr "" + +#. type: Plain text +#: build/C/man2/seccomp.2:667 +#, fuzzy +#| msgid "B(2), B(2), B(2), B(7)" +msgid "B(2), B(2), B(7), B(7)" +msgstr "B(2), B(2), B(2), B(7)" + +#. type: Plain text +#: build/C/man2/seccomp.2:672 +#, fuzzy +#| msgid "" +#| "The kernel source file I." +msgid "" +"The kernel source files I and " +"I." +msgstr "" +"カーネルのソーフファイル I" + +#. type: Plain text +#: build/C/man2/seccomp.2:678 +msgid "" +"McCanne, S. and Jacobson, V. (1992) I, Proceedings of the USENIX " +"Winter 1993 Conference E<.UR http://www.tcpdump.org/papers/bpf-usenix93.pdf> " +"E<.UE>" +msgstr "" + #~ msgid "" #~ "A process group leader is a process with process group ID equal to its " #~ "PID. In order to be sure that B() will succeed, B(2) and " diff --git a/po4a/process/po/process.pot b/po4a/process/po/process.pot index 2d327b08..e86f9e5b 100644 --- a/po4a/process/po/process.pot +++ b/po4a/process/po/process.pot @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" -"POT-Creation-Date: 2015-01-11 03:53+0900\n" +"POT-Creation-Date: 2015-01-11 04:00+0900\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -29,19 +29,19 @@ msgid "2008-06-16" msgstr "" #. type: TH -#: build/C/man2/acct.2:31 build/C/man5/acct.5:25 build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:25 build/C/man2/getpriority.2:45 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 build/C/man7/namespaces.7:27 build/C/man7/pid_namespaces.7:27 build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 build/C/man7/user_namespaces.7:27 +#: build/C/man2/acct.2:31 build/C/man5/acct.5:25 build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:25 build/C/man2/getpriority.2:45 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 build/C/man7/namespaces.7:27 build/C/man7/pid_namespaces.7:27 build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 build/C/man7/user_namespaces.7:27 build/C/man2/seccomp.2:27 #, no-wrap msgid "Linux" msgstr "" #. 
type: TH -#: build/C/man2/acct.2:31 build/C/man5/acct.5:25 build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:25 build/C/man2/getpriority.2:45 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 build/C/man2/getuid.2:26 build/C/man3/group_member.3:25 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 build/C/man7/namespaces.7:27 build/C/man7/pid_namespaces.7:27 build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 build/C/man7/user_namespaces.7:27 +#: build/C/man2/acct.2:31 build/C/man5/acct.5:25 build/C/man7/capabilities.7:48 build/C/man2/capget.2:15 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:27 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:25 build/C/man2/getpriority.2:45 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:26 build/C/man2/getuid.2:26 build/C/man3/group_member.3:25 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:24 build/C/man2/ipc.2:25 build/C/man7/namespaces.7:27 build/C/man7/pid_namespaces.7:27 build/C/man2/seteuid.2:29 build/C/man2/setfsgid.2:31 build/C/man2/setfsuid.2:31 build/C/man2/setgid.2:29 build/C/man2/setpgid.2:48 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:45 build/C/man2/setsid.2:31 build/C/man2/setuid.2:30 build/C/man7/svipc.7:40 build/C/man3/ulimit.3:27 build/C/man7/user_namespaces.7:27 build/C/man2/seccomp.2:27 #, no-wrap msgid "Linux Programmer's Manual" msgstr "" #. 
type: SH -#: build/C/man2/acct.2:32 build/C/man5/acct.5:26 build/C/man7/capabilities.7:49 build/C/man2/capget.2:16 build/C/man7/cpuset.7:26 build/C/man7/credentials.7:28 build/C/man2/getgid.2:26 build/C/man2/getgroups.2:32 build/C/man2/getpid.2:26 build/C/man2/getpriority.2:46 build/C/man2/getresuid.2:29 build/C/man2/getrlimit.2:65 build/C/man2/getrusage.2:40 build/C/man2/getsid.2:27 build/C/man2/getuid.2:27 build/C/man3/group_member.3:26 build/C/man2/iopl.2:34 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 build/C/man7/namespaces.7:28 build/C/man7/pid_namespaces.7:28 build/C/man2/seteuid.2:30 build/C/man2/setfsgid.2:32 build/C/man2/setfsuid.2:32 build/C/man2/setgid.2:30 build/C/man2/setpgid.2:49 build/C/man2/setresuid.2:27 build/C/man2/setreuid.2:46 build/C/man2/setsid.2:32 build/C/man2/setuid.2:31 build/C/man7/svipc.7:41 build/C/man3/ulimit.3:28 build/C/man7/user_namespaces.7:28 +#: build/C/man2/acct.2:32 build/C/man5/acct.5:26 build/C/man7/capabilities.7:49 build/C/man2/capget.2:16 build/C/man7/cpuset.7:26 build/C/man7/credentials.7:28 build/C/man2/getgid.2:26 build/C/man2/getgroups.2:32 build/C/man2/getpid.2:26 build/C/man2/getpriority.2:46 build/C/man2/getresuid.2:29 build/C/man2/getrlimit.2:65 build/C/man2/getrusage.2:40 build/C/man2/getsid.2:27 build/C/man2/getuid.2:27 build/C/man3/group_member.3:26 build/C/man2/iopl.2:34 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 build/C/man7/namespaces.7:28 build/C/man7/pid_namespaces.7:28 build/C/man2/seteuid.2:30 build/C/man2/setfsgid.2:32 build/C/man2/setfsuid.2:32 build/C/man2/setgid.2:30 build/C/man2/setpgid.2:49 build/C/man2/setresuid.2:27 build/C/man2/setreuid.2:46 build/C/man2/setsid.2:32 build/C/man2/setuid.2:31 build/C/man7/svipc.7:41 build/C/man3/ulimit.3:28 build/C/man7/user_namespaces.7:28 build/C/man2/seccomp.2:28 #, no-wrap msgid "NAME" msgstr "" 
@@ -52,7 +52,7 @@ msgid "acct - switch process accounting on or off" msgstr "" #. type: SH -#: build/C/man2/acct.2:34 build/C/man5/acct.5:28 build/C/man2/capget.2:18 build/C/man2/getgid.2:28 build/C/man2/getgroups.2:34 build/C/man2/getpid.2:28 build/C/man2/getpriority.2:48 build/C/man2/getresuid.2:31 build/C/man2/getrlimit.2:67 build/C/man2/getrusage.2:42 build/C/man2/getsid.2:29 build/C/man2/getuid.2:29 build/C/man3/group_member.3:28 build/C/man2/iopl.2:36 build/C/man2/ioprio_set.2:27 build/C/man2/ipc.2:28 build/C/man2/seteuid.2:32 build/C/man2/setfsgid.2:34 build/C/man2/setfsuid.2:34 build/C/man2/setgid.2:32 build/C/man2/setpgid.2:51 build/C/man2/setresuid.2:29 build/C/man2/setreuid.2:48 build/C/man2/setsid.2:34 build/C/man2/setuid.2:33 build/C/man7/svipc.7:43 build/C/man3/ulimit.3:30 +#: build/C/man2/acct.2:34 build/C/man5/acct.5:28 build/C/man2/capget.2:18 build/C/man2/getgid.2:28 build/C/man2/getgroups.2:34 build/C/man2/getpid.2:28 build/C/man2/getpriority.2:48 build/C/man2/getresuid.2:31 build/C/man2/getrlimit.2:67 build/C/man2/getrusage.2:42 build/C/man2/getsid.2:29 build/C/man2/getuid.2:29 build/C/man3/group_member.3:28 build/C/man2/iopl.2:36 build/C/man2/ioprio_set.2:27 build/C/man2/ipc.2:28 build/C/man2/seteuid.2:32 build/C/man2/setfsgid.2:34 build/C/man2/setfsuid.2:34 build/C/man2/setgid.2:32 build/C/man2/setpgid.2:51 build/C/man2/setresuid.2:29 build/C/man2/setreuid.2:48 build/C/man2/setsid.2:34 build/C/man2/setuid.2:33 build/C/man7/svipc.7:43 build/C/man3/ulimit.3:30 build/C/man2/seccomp.2:30 #, no-wrap msgid "SYNOPSIS" msgstr "" 
@@ -80,7 +80,7 @@ msgid "B(): _BSD_SOURCE || (_XOPEN_SOURCE && _XOPEN_SOURCE\\ E\\ 500)" msgstr "" #. type: SH -#: build/C/man2/acct.2:50 build/C/man5/acct.5:30 build/C/man7/capabilities.7:51 build/C/man2/capget.2:24 build/C/man7/cpuset.7:28 build/C/man7/credentials.7:30 build/C/man2/getgid.2:36 build/C/man2/getgroups.2:52 build/C/man2/getpid.2:36 build/C/man2/getpriority.2:56 build/C/man2/getresuid.2:39 build/C/man2/getrlimit.2:88 build/C/man2/getrusage.2:48 build/C/man2/getsid.2:50 build/C/man2/getuid.2:37 build/C/man3/group_member.3:40 build/C/man2/iopl.2:40 build/C/man2/ioprio_set.2:35 build/C/man2/ipc.2:34 build/C/man7/namespaces.7:30 build/C/man7/pid_namespaces.7:30 build/C/man2/seteuid.2:53 build/C/man2/setfsgid.2:38 build/C/man2/setfsuid.2:38 build/C/man2/setgid.2:38 build/C/man2/setpgid.2:100 build/C/man2/setresuid.2:37 build/C/man2/setreuid.2:70 build/C/man2/setsid.2:41 build/C/man2/setuid.2:39 build/C/man7/svipc.7:49 build/C/man3/ulimit.3:34 build/C/man7/user_namespaces.7:30 +#: build/C/man2/acct.2:50 build/C/man5/acct.5:30 build/C/man7/capabilities.7:51 build/C/man2/capget.2:24 build/C/man7/cpuset.7:28 build/C/man7/credentials.7:30 build/C/man2/getgid.2:36 build/C/man2/getgroups.2:52 build/C/man2/getpid.2:36 build/C/man2/getpriority.2:56 build/C/man2/getresuid.2:39 build/C/man2/getrlimit.2:88 build/C/man2/getrusage.2:48 build/C/man2/getsid.2:50 build/C/man2/getuid.2:37 build/C/man3/group_member.3:40 build/C/man2/iopl.2:40 build/C/man2/ioprio_set.2:35 build/C/man2/ipc.2:34 build/C/man7/namespaces.7:30 build/C/man7/pid_namespaces.7:30 build/C/man2/seteuid.2:53 build/C/man2/setfsgid.2:38 build/C/man2/setfsuid.2:38 build/C/man2/setgid.2:38 build/C/man2/setpgid.2:100 build/C/man2/setresuid.2:37 build/C/man2/setreuid.2:70 build/C/man2/setsid.2:41 build/C/man2/setuid.2:39 build/C/man7/svipc.7:49 build/C/man3/ulimit.3:34 build/C/man7/user_namespaces.7:30 build/C/man2/seccomp.2:43 #, no-wrap msgid "DESCRIPTION" msgstr "" 
@@ -96,7 +96,7 @@ msgid "" msgstr "" #. type: SH -#: build/C/man2/acct.2:60 build/C/man2/capget.2:160 build/C/man2/getgroups.2:92 build/C/man2/getpriority.2:104 build/C/man2/getresuid.2:50 build/C/man2/getrlimit.2:461 build/C/man2/getrusage.2:188 build/C/man2/getsid.2:58 build/C/man3/group_member.3:48 build/C/man2/iopl.2:66 build/C/man2/ioprio_set.2:149 build/C/man2/seteuid.2:67 build/C/man2/setfsgid.2:68 build/C/man2/setfsuid.2:68 build/C/man2/setgid.2:53 build/C/man2/setpgid.2:195 build/C/man2/setresuid.2:64 build/C/man2/setreuid.2:93 build/C/man2/setsid.2:54 build/C/man2/setuid.2:70 build/C/man3/ulimit.3:67 +#: build/C/man2/acct.2:60 build/C/man2/capget.2:160 build/C/man2/getgroups.2:92 build/C/man2/getpriority.2:104 build/C/man2/getresuid.2:50 build/C/man2/getrlimit.2:461 build/C/man2/getrusage.2:188 build/C/man2/getsid.2:58 build/C/man3/group_member.3:48 build/C/man2/iopl.2:66 build/C/man2/ioprio_set.2:149 build/C/man2/seteuid.2:67 build/C/man2/setfsgid.2:68 build/C/man2/setfsuid.2:68 build/C/man2/setgid.2:53 build/C/man2/setpgid.2:195 build/C/man2/setresuid.2:64 build/C/man2/setreuid.2:93 build/C/man2/setsid.2:54 build/C/man2/setuid.2:70 build/C/man3/ulimit.3:67 build/C/man2/seccomp.2:342 #, no-wrap msgid "RETURN VALUE" msgstr "" 
@@ -109,7 +109,7 @@ msgid "" msgstr "" #. type: SH -#: build/C/man2/acct.2:65 build/C/man2/capget.2:179 build/C/man7/cpuset.7:1100 build/C/man2/getgid.2:42 build/C/man2/getgroups.2:106 build/C/man2/getpid.2:44 build/C/man2/getpriority.2:117 build/C/man2/getresuid.2:55 build/C/man2/getrlimit.2:466 build/C/man2/getrusage.2:193 build/C/man2/getsid.2:63 build/C/man2/getuid.2:43 build/C/man2/iopl.2:71 build/C/man2/ioprio_set.2:169 build/C/man2/seteuid.2:79 build/C/man2/setgid.2:58 build/C/man2/setpgid.2:216 build/C/man2/setresuid.2:76 build/C/man2/setreuid.2:105 build/C/man2/setsid.2:61 build/C/man2/setuid.2:82 build/C/man3/ulimit.3:74 +#: build/C/man2/acct.2:65 build/C/man2/capget.2:179 build/C/man7/cpuset.7:1100 build/C/man2/getgid.2:42 build/C/man2/getgroups.2:106 build/C/man2/getpid.2:44 build/C/man2/getpriority.2:117 build/C/man2/getresuid.2:55 build/C/man2/getrlimit.2:466 build/C/man2/getrusage.2:193 build/C/man2/getsid.2:63 build/C/man2/getuid.2:43 build/C/man2/iopl.2:71 build/C/man2/ioprio_set.2:169 build/C/man2/seteuid.2:79 build/C/man2/setgid.2:58 build/C/man2/setpgid.2:216 build/C/man2/setresuid.2:76 build/C/man2/setreuid.2:105 build/C/man2/setsid.2:61 build/C/man2/setuid.2:82 build/C/man3/ulimit.3:74 build/C/man2/seccomp.2:358 #, no-wrap msgid "ERRORS" msgstr "" @@ -129,7 +129,7 @@ msgid "" msgstr "" #. type: TP -#: build/C/man2/acct.2:77 build/C/man2/capget.2:180 build/C/man7/cpuset.7:1172 build/C/man2/getgroups.2:107 build/C/man2/getresuid.2:56 build/C/man2/getrlimit.2:467 build/C/man2/getrusage.2:194 +#: build/C/man2/acct.2:77 build/C/man2/capget.2:180 build/C/man7/cpuset.7:1172 build/C/man2/getgroups.2:107 build/C/man2/getresuid.2:56 build/C/man2/getrlimit.2:467 build/C/man2/getrusage.2:194 build/C/man2/seccomp.2:369 #, no-wrap msgid "B" msgstr "" 
@@ -206,13 +206,13 @@ msgid "The specified filename does not exist." msgstr "" #. type: TP -#: build/C/man2/acct.2:103 build/C/man7/cpuset.7:1287 build/C/man2/getgroups.2:127 +#: build/C/man2/acct.2:103 build/C/man7/cpuset.7:1287 build/C/man2/getgroups.2:127 build/C/man2/seccomp.2:413 build/C/man2/seccomp.2:416 #, no-wrap msgid "B" msgstr "" #. type: Plain text -#: build/C/man2/acct.2:106 build/C/man2/getgroups.2:130 +#: build/C/man2/acct.2:106 build/C/man2/getgroups.2:130 build/C/man2/seccomp.2:416 msgid "Out of memory." msgstr "" 
@@ -277,7 +277,7 @@ msgid "There are no more free file structures or we ran out of memory." msgstr "" #. type: SH -#: build/C/man2/acct.2:130 build/C/man5/acct.5:153 build/C/man7/capabilities.7:1120 build/C/man2/capget.2:218 build/C/man7/credentials.7:287 build/C/man2/getgid.2:44 build/C/man2/getgroups.2:133 build/C/man2/getpid.2:46 build/C/man2/getpriority.2:157 build/C/man2/getresuid.2:67 build/C/man2/getrlimit.2:504 build/C/man2/getrusage.2:202 build/C/man2/getsid.2:79 build/C/man2/getuid.2:45 build/C/man3/group_member.3:55 build/C/man2/iopl.2:87 build/C/man2/ioprio_set.2:196 build/C/man2/ipc.2:45 build/C/man7/namespaces.7:359 build/C/man7/pid_namespaces.7:351 build/C/man2/seteuid.2:99 build/C/man2/setfsgid.2:75 build/C/man2/setfsuid.2:75 build/C/man2/setgid.2:71 build/C/man2/setpgid.2:250 build/C/man2/setresuid.2:109 build/C/man2/setreuid.2:148 build/C/man2/setsid.2:68 build/C/man2/setuid.2:117 build/C/man3/ulimit.3:78 build/C/man7/user_namespaces.7:645 +#: build/C/man2/acct.2:130 build/C/man5/acct.5:153 build/C/man7/capabilities.7:1120 build/C/man2/capget.2:218 build/C/man7/credentials.7:287 build/C/man2/getgid.2:44 build/C/man2/getgroups.2:133 build/C/man2/getpid.2:46 build/C/man2/getpriority.2:157 build/C/man2/getresuid.2:67 build/C/man2/getrlimit.2:504 build/C/man2/getrusage.2:202 build/C/man2/getsid.2:79 build/C/man2/getuid.2:45 build/C/man3/group_member.3:55 build/C/man2/iopl.2:87 build/C/man2/ioprio_set.2:196 build/C/man2/ipc.2:45 build/C/man7/namespaces.7:359 build/C/man7/pid_namespaces.7:351 build/C/man2/seteuid.2:99 build/C/man2/setfsgid.2:75 build/C/man2/setfsuid.2:75 build/C/man2/setgid.2:71 build/C/man2/setpgid.2:250 build/C/man2/setresuid.2:109 build/C/man2/setreuid.2:148 build/C/man2/setsid.2:68 build/C/man2/setuid.2:117 build/C/man3/ulimit.3:78 build/C/man7/user_namespaces.7:645 build/C/man2/seccomp.2:435 #, no-wrap msgid "CONFORMING TO" msgstr "" 
@@ -293,7 +293,7 @@ msgid "SVr4, 4.3BSD (but not POSIX)." msgstr "" #. type: SH -#: build/C/man2/acct.2:137 build/C/man5/acct.5:157 build/C/man7/capabilities.7:1126 build/C/man2/capget.2:220 build/C/man7/cpuset.7:1341 build/C/man7/credentials.7:293 build/C/man2/getgid.2:46 build/C/man2/getgroups.2:141 build/C/man2/getpid.2:48 build/C/man2/getpriority.2:160 build/C/man2/getresuid.2:70 build/C/man2/getrlimit.2:527 build/C/man2/getrusage.2:213 build/C/man2/getsid.2:81 build/C/man2/getuid.2:47 build/C/man2/iopl.2:91 build/C/man2/ioprio_set.2:198 build/C/man2/ipc.2:49 build/C/man2/seteuid.2:101 build/C/man2/setfsgid.2:79 build/C/man2/setfsuid.2:79 build/C/man2/setgid.2:73 build/C/man2/setpgid.2:272 build/C/man2/setresuid.2:112 build/C/man2/setreuid.2:154 build/C/man2/setsid.2:70 build/C/man2/setuid.2:122 build/C/man7/user_namespaces.7:648 +#: build/C/man2/acct.2:137 build/C/man5/acct.5:157 build/C/man7/capabilities.7:1126 build/C/man2/capget.2:220 build/C/man7/cpuset.7:1341 build/C/man7/credentials.7:293 build/C/man2/getgid.2:46 build/C/man2/getgroups.2:141 build/C/man2/getpid.2:48 build/C/man2/getpriority.2:160 build/C/man2/getresuid.2:70 build/C/man2/getrlimit.2:527 build/C/man2/getrusage.2:213 build/C/man2/getsid.2:81 build/C/man2/getuid.2:47 build/C/man2/iopl.2:91 build/C/man2/ioprio_set.2:198 build/C/man2/ipc.2:49 build/C/man2/seteuid.2:101 build/C/man2/setfsgid.2:79 build/C/man2/setfsuid.2:79 build/C/man2/setgid.2:73 build/C/man2/setpgid.2:272 build/C/man2/setresuid.2:112 build/C/man2/setreuid.2:154 build/C/man2/setsid.2:70 build/C/man2/setuid.2:122 build/C/man7/user_namespaces.7:648 build/C/man2/seccomp.2:439 #, no-wrap msgid "NOTES" msgstr "" 
@@ -313,7 +313,7 @@ msgid "" msgstr "" #. type: SH -#: build/C/man2/acct.2:143 build/C/man5/acct.5:174 build/C/man7/capabilities.7:1183 build/C/man2/capget.2:228 build/C/man7/cpuset.7:1488 build/C/man7/credentials.7:304 build/C/man2/getgid.2:62 build/C/man2/getgroups.2:178 build/C/man2/getpid.2:100 build/C/man2/getpriority.2:232 build/C/man2/getresuid.2:86 build/C/man2/getrlimit.2:759 build/C/man2/getrusage.2:253 build/C/man2/getsid.2:84 build/C/man2/getuid.2:73 build/C/man3/group_member.3:57 build/C/man2/iopl.2:100 build/C/man2/ioprio_set.2:346 build/C/man2/ipc.2:57 build/C/man7/namespaces.7:364 build/C/man7/pid_namespaces.7:356 build/C/man2/seteuid.2:141 build/C/man2/setfsgid.2:123 build/C/man2/setfsuid.2:131 build/C/man2/setgid.2:83 build/C/man2/setpgid.2:340 build/C/man2/setresuid.2:132 build/C/man2/setreuid.2:194 build/C/man2/setsid.2:93 build/C/man2/setuid.2:145 build/C/man7/svipc.7:335 build/C/man3/ulimit.3:83 build/C/man7/user_namespaces.7:1011 +#: build/C/man2/acct.2:143 build/C/man5/acct.5:174 build/C/man7/capabilities.7:1183 build/C/man2/capget.2:228 build/C/man7/cpuset.7:1488 build/C/man7/credentials.7:304 build/C/man2/getgid.2:62 build/C/man2/getgroups.2:178 build/C/man2/getpid.2:100 build/C/man2/getpriority.2:232 build/C/man2/getresuid.2:86 build/C/man2/getrlimit.2:759 build/C/man2/getrusage.2:253 build/C/man2/getsid.2:84 build/C/man2/getuid.2:73 build/C/man3/group_member.3:57 build/C/man2/iopl.2:100 build/C/man2/ioprio_set.2:346 build/C/man2/ipc.2:57 build/C/man7/namespaces.7:364 build/C/man7/pid_namespaces.7:356 build/C/man2/seteuid.2:141 build/C/man2/setfsgid.2:123 build/C/man2/setfsuid.2:131 build/C/man2/setgid.2:83 build/C/man2/setpgid.2:340 build/C/man2/setresuid.2:132 build/C/man2/setreuid.2:194 build/C/man2/setsid.2:93 build/C/man2/setuid.2:145 build/C/man7/svipc.7:335 build/C/man3/ulimit.3:83 build/C/man7/user_namespaces.7:1011 build/C/man2/seccomp.2:662 #, no-wrap msgid "SEE ALSO" msgstr "" 
@@ -324,13 +324,13 @@ msgid "B(5)" msgstr "" #. type: SH -#: build/C/man2/acct.2:145 build/C/man5/acct.5:179 build/C/man7/capabilities.7:1205 build/C/man2/capget.2:232 build/C/man7/cpuset.7:1506 build/C/man7/credentials.7:340 build/C/man2/getgid.2:67 build/C/man2/getgroups.2:186 build/C/man2/getpid.2:111 build/C/man2/getpriority.2:241 build/C/man2/getresuid.2:92 build/C/man2/getrlimit.2:777 build/C/man2/getrusage.2:260 build/C/man2/getsid.2:88 build/C/man2/getuid.2:78 build/C/man3/group_member.3:62 build/C/man2/iopl.2:104 build/C/man2/ioprio_set.2:354 build/C/man2/ipc.2:70 build/C/man7/namespaces.7:377 build/C/man7/pid_namespaces.7:365 build/C/man2/seteuid.2:149 build/C/man2/setfsgid.2:128 build/C/man2/setfsuid.2:136 build/C/man2/setgid.2:90 build/C/man2/setpgid.2:347 build/C/man2/setresuid.2:142 build/C/man2/setreuid.2:203 build/C/man2/setsid.2:100 build/C/man2/setuid.2:153 build/C/man7/svipc.7:353 build/C/man3/ulimit.3:88 build/C/man7/user_namespaces.7:1027 +#: build/C/man2/acct.2:145 build/C/man5/acct.5:179 build/C/man7/capabilities.7:1205 build/C/man2/capget.2:232 build/C/man7/cpuset.7:1506 build/C/man7/credentials.7:340 build/C/man2/getgid.2:67 build/C/man2/getgroups.2:186 build/C/man2/getpid.2:111 build/C/man2/getpriority.2:241 build/C/man2/getresuid.2:92 build/C/man2/getrlimit.2:777 build/C/man2/getrusage.2:260 build/C/man2/getsid.2:88 build/C/man2/getuid.2:78 build/C/man3/group_member.3:62 build/C/man2/iopl.2:104 build/C/man2/ioprio_set.2:354 build/C/man2/ipc.2:70 build/C/man7/namespaces.7:377 build/C/man7/pid_namespaces.7:365 build/C/man2/seteuid.2:149 build/C/man2/setfsgid.2:128 build/C/man2/setfsuid.2:136 build/C/man2/setgid.2:90 build/C/man2/setpgid.2:347 build/C/man2/setresuid.2:142 build/C/man2/setreuid.2:203 build/C/man2/setsid.2:100 build/C/man2/setuid.2:153 build/C/man7/svipc.7:353 build/C/man3/ulimit.3:88 build/C/man7/user_namespaces.7:1027 build/C/man2/seccomp.2:678 #, no-wrap msgid "COLOPHON" msgstr "" #. 
type: Plain text -#: build/C/man2/acct.2:153 build/C/man5/acct.5:187 build/C/man7/capabilities.7:1213 build/C/man2/capget.2:240 build/C/man7/cpuset.7:1514 build/C/man7/credentials.7:348 build/C/man2/getgid.2:75 build/C/man2/getgroups.2:194 build/C/man2/getpid.2:119 build/C/man2/getpriority.2:249 build/C/man2/getresuid.2:100 build/C/man2/getrlimit.2:785 build/C/man2/getrusage.2:268 build/C/man2/getsid.2:96 build/C/man2/getuid.2:86 build/C/man3/group_member.3:70 build/C/man2/iopl.2:112 build/C/man2/ioprio_set.2:362 build/C/man2/ipc.2:78 build/C/man7/namespaces.7:385 build/C/man7/pid_namespaces.7:373 build/C/man2/seteuid.2:157 build/C/man2/setfsgid.2:136 build/C/man2/setfsuid.2:144 build/C/man2/setgid.2:98 build/C/man2/setpgid.2:355 build/C/man2/setresuid.2:150 build/C/man2/setreuid.2:211 build/C/man2/setsid.2:108 build/C/man2/setuid.2:161 build/C/man7/svipc.7:361 build/C/man3/ulimit.3:96 build/C/man7/user_namespaces.7:1035 +#: build/C/man2/acct.2:153 build/C/man5/acct.5:187 build/C/man7/capabilities.7:1213 build/C/man2/capget.2:240 build/C/man7/cpuset.7:1514 build/C/man7/credentials.7:348 build/C/man2/getgid.2:75 build/C/man2/getgroups.2:194 build/C/man2/getpid.2:119 build/C/man2/getpriority.2:249 build/C/man2/getresuid.2:100 build/C/man2/getrlimit.2:785 build/C/man2/getrusage.2:268 build/C/man2/getsid.2:96 build/C/man2/getuid.2:86 build/C/man3/group_member.3:70 build/C/man2/iopl.2:112 build/C/man2/ioprio_set.2:362 build/C/man2/ipc.2:78 build/C/man7/namespaces.7:385 build/C/man7/pid_namespaces.7:373 build/C/man2/seteuid.2:157 build/C/man2/setfsgid.2:136 build/C/man2/setfsuid.2:144 build/C/man2/setgid.2:98 build/C/man2/setpgid.2:355 build/C/man2/setresuid.2:150 build/C/man2/setreuid.2:211 build/C/man2/setsid.2:108 build/C/man2/setuid.2:161 build/C/man7/svipc.7:361 build/C/man3/ulimit.3:96 build/C/man7/user_namespaces.7:1035 build/C/man2/seccomp.2:686 msgid "" "This page is part of release 3.77 of the Linux I project. 
A " "description of the project, information about reporting bugs, and the latest " @@ -498,7 +498,7 @@ msgid "" msgstr "" #. type: SH -#: build/C/man5/acct.5:149 build/C/man7/cpuset.7:1338 build/C/man2/getresuid.2:60 build/C/man2/getrlimit.2:499 build/C/man2/getsid.2:75 build/C/man2/ioprio_set.2:193 build/C/man2/setfsgid.2:71 build/C/man2/setfsuid.2:71 build/C/man2/setresuid.2:107 +#: build/C/man5/acct.5:149 build/C/man7/cpuset.7:1338 build/C/man2/getresuid.2:60 build/C/man2/getrlimit.2:499 build/C/man2/getsid.2:75 build/C/man2/ioprio_set.2:193 build/C/man2/setfsgid.2:71 build/C/man2/setfsuid.2:71 build/C/man2/setresuid.2:107 build/C/man2/seccomp.2:430 #, no-wrap msgid "VERSIONS" msgstr "" 
@@ -676,7 +676,7 @@ msgid "B" msgstr "" #. type: IP -#: build/C/man7/capabilities.7:103 build/C/man7/capabilities.7:106 build/C/man7/capabilities.7:116 build/C/man7/capabilities.7:126 build/C/man7/capabilities.7:130 build/C/man7/capabilities.7:132 build/C/man7/capabilities.7:134 build/C/man7/capabilities.7:204 build/C/man7/capabilities.7:206 build/C/man7/capabilities.7:208 build/C/man7/capabilities.7:210 build/C/man7/capabilities.7:212 build/C/man7/capabilities.7:214 build/C/man7/capabilities.7:216 build/C/man7/capabilities.7:218 build/C/man7/capabilities.7:220 build/C/man7/capabilities.7:244 build/C/man7/capabilities.7:246 build/C/man7/capabilities.7:296 build/C/man7/capabilities.7:306 build/C/man7/capabilities.7:312 build/C/man7/capabilities.7:317 build/C/man7/capabilities.7:323 build/C/man7/capabilities.7:327 build/C/man7/capabilities.7:334 build/C/man7/capabilities.7:337 build/C/man7/capabilities.7:345 build/C/man7/capabilities.7:347 build/C/man7/capabilities.7:356 build/C/man7/capabilities.7:365 build/C/man7/capabilities.7:368 build/C/man7/capabilities.7:372 build/C/man7/capabilities.7:380 build/C/man7/capabilities.7:383 build/C/man7/capabilities.7:390 build/C/man7/capabilities.7:395 build/C/man7/capabilities.7:401 build/C/man7/capabilities.7:405 build/C/man7/capabilities.7:409 build/C/man7/capabilities.7:413 build/C/man7/capabilities.7:417 build/C/man7/capabilities.7:444 build/C/man7/capabilities.7:449 build/C/man7/capabilities.7:455 build/C/man7/capabilities.7:458 build/C/man7/capabilities.7:461 build/C/man7/capabilities.7:471 build/C/man7/capabilities.7:475 build/C/man7/capabilities.7:492 build/C/man7/capabilities.7:495 build/C/man7/capabilities.7:499 build/C/man7/capabilities.7:504 build/C/man7/capabilities.7:513 build/C/man7/capabilities.7:518 build/C/man7/capabilities.7:521 build/C/man7/capabilities.7:526 build/C/man7/capabilities.7:529 build/C/man7/capabilities.7:532 build/C/man7/capabilities.7:535 build/C/man7/capabilities.7:538 
build/C/man7/capabilities.7:543 build/C/man7/capabilities.7:545 build/C/man7/capabilities.7:551 build/C/man7/capabilities.7:559 build/C/man7/capabilities.7:561 build/C/man7/capabilities.7:565 build/C/man7/capabilities.7:567 build/C/man7/capabilities.7:570 build/C/man7/capabilities.7:574 build/C/man7/capabilities.7:576 build/C/man7/capabilities.7:578 build/C/man7/capabilities.7:580 build/C/man7/capabilities.7:589 build/C/man7/capabilities.7:596 build/C/man7/capabilities.7:601 build/C/man7/capabilities.7:606 build/C/man7/capabilities.7:611 build/C/man7/capabilities.7:636 build/C/man7/capabilities.7:643 build/C/man7/capabilities.7:844 build/C/man7/capabilities.7:852 build/C/man7/capabilities.7:1172 build/C/man7/capabilities.7:1177 build/C/man7/cpuset.7:540 build/C/man7/cpuset.7:545 build/C/man7/cpuset.7:550 build/C/man7/cpuset.7:726 build/C/man7/cpuset.7:730 build/C/man7/cpuset.7:927 build/C/man7/cpuset.7:930 build/C/man7/cpuset.7:934 build/C/man7/cpuset.7:938 build/C/man7/cpuset.7:942 build/C/man7/credentials.7:177 build/C/man7/credentials.7:183 build/C/man7/credentials.7:195 build/C/man7/credentials.7:217 build/C/man7/credentials.7:234 build/C/man7/credentials.7:266 build/C/man7/credentials.7:269 build/C/man7/credentials.7:280 build/C/man7/credentials.7:283 build/C/man2/getrlimit.2:683 build/C/man2/getrlimit.2:686 build/C/man7/namespaces.7:212 build/C/man7/namespaces.7:215 build/C/man7/namespaces.7:228 build/C/man7/pid_namespaces.7:233 build/C/man7/pid_namespaces.7:241 build/C/man7/pid_namespaces.7:252 build/C/man7/user_namespaces.7:261 build/C/man7/user_namespaces.7:266 build/C/man7/user_namespaces.7:272 build/C/man7/user_namespaces.7:285 build/C/man7/user_namespaces.7:306 build/C/man7/user_namespaces.7:474 build/C/man7/user_namespaces.7:477 build/C/man7/user_namespaces.7:479 build/C/man7/user_namespaces.7:492 build/C/man7/user_namespaces.7:505 build/C/man7/user_namespaces.7:532 build/C/man7/user_namespaces.7:541 +#: build/C/man7/capabilities.7:103 
build/C/man7/capabilities.7:106 build/C/man7/capabilities.7:116 build/C/man7/capabilities.7:126 build/C/man7/capabilities.7:130 build/C/man7/capabilities.7:132 build/C/man7/capabilities.7:134 build/C/man7/capabilities.7:204 build/C/man7/capabilities.7:206 build/C/man7/capabilities.7:208 build/C/man7/capabilities.7:210 build/C/man7/capabilities.7:212 build/C/man7/capabilities.7:214 build/C/man7/capabilities.7:216 build/C/man7/capabilities.7:218 build/C/man7/capabilities.7:220 build/C/man7/capabilities.7:244 build/C/man7/capabilities.7:246 build/C/man7/capabilities.7:296 build/C/man7/capabilities.7:306 build/C/man7/capabilities.7:312 build/C/man7/capabilities.7:317 build/C/man7/capabilities.7:323 build/C/man7/capabilities.7:327 build/C/man7/capabilities.7:334 build/C/man7/capabilities.7:337 build/C/man7/capabilities.7:345 build/C/man7/capabilities.7:347 build/C/man7/capabilities.7:356 build/C/man7/capabilities.7:365 build/C/man7/capabilities.7:368 build/C/man7/capabilities.7:372 build/C/man7/capabilities.7:380 build/C/man7/capabilities.7:383 build/C/man7/capabilities.7:390 build/C/man7/capabilities.7:395 build/C/man7/capabilities.7:401 build/C/man7/capabilities.7:405 build/C/man7/capabilities.7:409 build/C/man7/capabilities.7:413 build/C/man7/capabilities.7:417 build/C/man7/capabilities.7:444 build/C/man7/capabilities.7:449 build/C/man7/capabilities.7:455 build/C/man7/capabilities.7:458 build/C/man7/capabilities.7:461 build/C/man7/capabilities.7:471 build/C/man7/capabilities.7:475 build/C/man7/capabilities.7:492 build/C/man7/capabilities.7:495 build/C/man7/capabilities.7:499 build/C/man7/capabilities.7:504 build/C/man7/capabilities.7:513 build/C/man7/capabilities.7:518 build/C/man7/capabilities.7:521 build/C/man7/capabilities.7:526 build/C/man7/capabilities.7:529 build/C/man7/capabilities.7:532 build/C/man7/capabilities.7:535 build/C/man7/capabilities.7:538 build/C/man7/capabilities.7:543 build/C/man7/capabilities.7:545 build/C/man7/capabilities.7:551 
build/C/man7/capabilities.7:559 build/C/man7/capabilities.7:561 build/C/man7/capabilities.7:565 build/C/man7/capabilities.7:567 build/C/man7/capabilities.7:570 build/C/man7/capabilities.7:574 build/C/man7/capabilities.7:576 build/C/man7/capabilities.7:578 build/C/man7/capabilities.7:580 build/C/man7/capabilities.7:589 build/C/man7/capabilities.7:596 build/C/man7/capabilities.7:601 build/C/man7/capabilities.7:606 build/C/man7/capabilities.7:611 build/C/man7/capabilities.7:636 build/C/man7/capabilities.7:643 build/C/man7/capabilities.7:844 build/C/man7/capabilities.7:852 build/C/man7/capabilities.7:1172 build/C/man7/capabilities.7:1177 build/C/man7/cpuset.7:540 build/C/man7/cpuset.7:545 build/C/man7/cpuset.7:550 build/C/man7/cpuset.7:726 build/C/man7/cpuset.7:730 build/C/man7/cpuset.7:927 build/C/man7/cpuset.7:930 build/C/man7/cpuset.7:934 build/C/man7/cpuset.7:938 build/C/man7/cpuset.7:942 build/C/man7/credentials.7:177 build/C/man7/credentials.7:183 build/C/man7/credentials.7:195 build/C/man7/credentials.7:217 build/C/man7/credentials.7:234 build/C/man7/credentials.7:266 build/C/man7/credentials.7:269 build/C/man7/credentials.7:280 build/C/man7/credentials.7:283 build/C/man2/getrlimit.2:683 build/C/man2/getrlimit.2:686 build/C/man7/namespaces.7:212 build/C/man7/namespaces.7:215 build/C/man7/namespaces.7:228 build/C/man7/pid_namespaces.7:233 build/C/man7/pid_namespaces.7:241 build/C/man7/pid_namespaces.7:252 build/C/man7/user_namespaces.7:261 build/C/man7/user_namespaces.7:266 build/C/man7/user_namespaces.7:272 build/C/man7/user_namespaces.7:285 build/C/man7/user_namespaces.7:306 build/C/man7/user_namespaces.7:474 build/C/man7/user_namespaces.7:477 build/C/man7/user_namespaces.7:479 build/C/man7/user_namespaces.7:492 build/C/man7/user_namespaces.7:505 build/C/man7/user_namespaces.7:532 build/C/man7/user_namespaces.7:541 build/C/man2/seccomp.2:265 build/C/man2/seccomp.2:269 build/C/man2/seccomp.2:272 build/C/man2/seccomp.2:277 build/C/man2/seccomp.2:281 
build/C/man2/seccomp.2:455 build/C/man2/seccomp.2:463 build/C/man2/seccomp.2:469
 #, no-wrap
 msgid "*"
 msgstr ""
@@ -2504,7 +2504,7 @@ msgid ""
 msgstr ""
 
 #. type: TP
-#: build/C/man2/capget.2:188 build/C/man7/cpuset.7:1180 build/C/man7/cpuset.7:1189 build/C/man7/cpuset.7:1198 build/C/man7/cpuset.7:1208 build/C/man7/cpuset.7:1217 build/C/man7/cpuset.7:1224 build/C/man7/cpuset.7:1231 build/C/man2/getgroups.2:114 build/C/man2/getgroups.2:121 build/C/man2/getpriority.2:118 build/C/man2/getrlimit.2:471 build/C/man2/getrusage.2:198 build/C/man2/iopl.2:72 build/C/man2/ioprio_set.2:170 build/C/man2/seteuid.2:80 build/C/man2/setgid.2:59 build/C/man2/setpgid.2:225 build/C/man2/setresuid.2:99 build/C/man2/setreuid.2:128 build/C/man2/setuid.2:105
+#: build/C/man2/capget.2:188 build/C/man7/cpuset.7:1180 build/C/man7/cpuset.7:1189 build/C/man7/cpuset.7:1198 build/C/man7/cpuset.7:1208 build/C/man7/cpuset.7:1217 build/C/man7/cpuset.7:1224 build/C/man7/cpuset.7:1231 build/C/man2/getgroups.2:114 build/C/man2/getgroups.2:121 build/C/man2/getpriority.2:118 build/C/man2/getrlimit.2:471 build/C/man2/getrusage.2:198 build/C/man2/iopl.2:72 build/C/man2/ioprio_set.2:170 build/C/man2/seteuid.2:80 build/C/man2/setgid.2:59 build/C/man2/setpgid.2:225 build/C/man2/setresuid.2:99 build/C/man2/setreuid.2:128 build/C/man2/setuid.2:105 build/C/man2/seccomp.2:373 build/C/man2/seccomp.2:380 build/C/man2/seccomp.2:387 build/C/man2/seccomp.2:393 build/C/man2/seccomp.2:402
 #, no-wrap
 msgid "B"
 msgstr ""
@@ -2536,7 +2536,7 @@ msgid ""
 msgstr ""
 
 #. type: TP
-#: build/C/man2/capget.2:215 build/C/man7/cpuset.7:1330 build/C/man2/getpriority.2:126 build/C/man2/getrlimit.2:495 build/C/man2/getsid.2:70 build/C/man2/ioprio_set.2:187 build/C/man2/setpgid.2:240
+#: build/C/man2/capget.2:215 build/C/man7/cpuset.7:1330 build/C/man2/getpriority.2:126 build/C/man2/getrlimit.2:495 build/C/man2/getsid.2:70 build/C/man2/ioprio_set.2:187 build/C/man2/setpgid.2:240 build/C/man2/seccomp.2:426
 #, no-wrap
 msgid "B"
 msgstr ""
@@ -4386,7 +4386,7 @@ msgid ""
 msgstr ""
 
 #. type: SH
-#: build/C/man7/cpuset.7:1365 build/C/man2/getrlimit.2:703 build/C/man7/namespaces.7:361 build/C/man7/pid_namespaces.7:353 build/C/man7/user_namespaces.7:677
+#: build/C/man7/cpuset.7:1365 build/C/man2/getrlimit.2:703 build/C/man7/namespaces.7:361 build/C/man7/pid_namespaces.7:353 build/C/man7/user_namespaces.7:677 build/C/man2/seccomp.2:476
 #, no-wrap
 msgid "EXAMPLE"
 msgstr ""
@@ -8083,7 +8083,7 @@ msgid "PID_NAMESPACES"
 msgstr ""
 
 #. type: TH
-#: build/C/man7/pid_namespaces.7:27
+#: build/C/man7/pid_namespaces.7:27 build/C/man2/seccomp.2:27
 #, no-wrap
 msgid "2015-01-10"
 msgstr ""
@@ -11151,7 +11151,7 @@ msgid ""
 msgstr ""
 
 #. type: SS
-#: build/C/man7/user_namespaces.7:758
+#: build/C/man7/user_namespaces.7:758 build/C/man2/seccomp.2:574
 #, no-wrap
 msgid "Program source"
 msgstr ""
@@ -11624,3 +11624,887 @@ msgstr ""
 #: build/C/man7/user_namespaces.7:1027
 msgid "The kernel source file I."
 msgstr ""
+
+#. type: TH
+#: build/C/man2/seccomp.2:27
+#, no-wrap
+msgid "SECCOMP"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:30
+msgid "seccomp - operate on Secure Computing state of the process"
+msgstr ""
+
+#. Kees Cook noted: Anything that uses SECCOMP_RET_TRACE returns will
+#. need
+#. type: Plain text
+#: build/C/man2/seccomp.2:39
+#, no-wrap
+msgid ""
+"B<#include Elinux/seccomp.hE>\n"
+"B<#include Elinux/filter.hE>\n"
+"B<#include Elinux/audit.hE>\n"
+"B<#include Elinux/signal.hE>\n"
+"B<#include Esys/ptrace.hE>\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:42
+#, no-wrap
+msgid ""
+"BIB<, unsigned int >IB<, void "
+"*>IB<);>\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:48
+msgid ""
+"The B() system call operates on the Secure Computing (seccomp) "
+"state of the calling process."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:52
+msgid "Currently, Linux supports the following I values:"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:52
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:66
+msgid ""
+"The only system calls that the calling thread is permitted to make are "
+"B(2), B(2), B<_exit>(2), and B(2). Other system "
+"calls result in the delivery of a B signal. Strict secure "
+"computing mode is useful for number-crunching applications that may need to "
+"execute untrusted byte code, perhaps obtained by reading from a pipe or "
+"socket."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:70
+msgid ""
+"This operation is available only if the kernel is configured with "
+"B enabled."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:76
+msgid "The value of I must be 0, and I must be NULL."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:78
+msgid "This operation is functionally identical to the call:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:80
+#, no-wrap
+msgid " prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);\n"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:80
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:95
+msgid ""
+"The system calls allowed are defined by a pointer to a Berkeley Packet "
+"Filter (BPF) passed via I. This argument is a pointer to a I; it can be designed to filter arbitrary system calls and system "
+"call arguments. If the filter is invalid, B() fails, returning "
+"B in I."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:107
+msgid ""
+"If B(2) or B(2) is allowed by the filter, any child processes "
+"will be constrained to the same system call filters as the parent. If "
+"B(2) is allowed, the existing filters will be preserved across a "
+"call to B(2)."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:117
+msgid ""
+"In order to use the B operation, either the caller "
+"must have the B capability, or the thread must already have "
+"the I bit set. If that bit was not already set by an ancestor "
+"of this thread, the thread must make the following call:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:119
+#, no-wrap
+msgid " prctl(PR_SET_NO_NEW_PRIVS, 1);\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:138
+msgid ""
+"Otherwise, the B operation will fail and return "
+"B in I. This requirement ensures that an unprivileged "
+"process cannot apply a malicious filter and then invoke a set-user-ID or "
+"other privileged program using B(2), thus potentially compromising "
+"that program. (Such a malicious filter might, for example, cause an attempt "
+"to use B(2) to set the caller's user IDs to non-zero values to "
+"instead return 0 without actually making the system call. Thus, the program "
+"might be tricked into retaining superuser privileges in circumstances where "
+"it is possible to influence it to do dangerous things because it did not "
+"actually drop privileges.)"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:146
+msgid ""
+"If B(2) or B(2) is allowed by the attached filter, further "
+"filters may be added. This will increase evaluation time, but allows for "
+"further reduction of the attack surface during execution of a thread."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:152
+msgid ""
+"The B operation is available only if the kernel is "
+"configured with B enabled."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:156
+msgid "When I is 0, this operation is functionally identical to the call:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:158
+#, no-wrap
+msgid " prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:162
+msgid "The recognized I are:"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:163
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:171
+msgid ""
+"When adding a new filter, synchronize all other threads of the calling "
+"process to the same seccomp filter tree. A \"filter tree\" is the ordered "
+"list of filters attached to a thread. (Attaching identical filters in "
+"separate B() calls results in different filters from this "
+"perspective.)"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:179
+msgid ""
+"If any thread cannot synchronize to the same filter tree, the call will not "
+"attach the new seccomp filter, and will fail, returning the first thread ID "
+"found that cannot synchronize. Synchronization will fail if another thread "
+"in the same process is in B or if it has attached new "
+"seccomp filters to itself, diverging from the calling thread's filter tree."
+msgstr ""
+
+#. type: SS
+#: build/C/man2/seccomp.2:180
+#, no-wrap
+msgid "Filters"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:185
+msgid ""
+"When adding filters via B, I points to a "
+"filter program:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:193
+#, no-wrap
+msgid ""
+"struct sock_fprog {\n"
+" unsigned short len; /* Number of BPF instructions */\n"
+" struct sock_filter *filter; /* Pointer to array of\n"
+" BPF instructions */\n"
+"};\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:197
+msgid "Each program must contain one or more BPF instructions:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:206
+#, no-wrap
+msgid ""
+"struct sock_filter { /* Filter block */\n"
+" __u16 code; /* Actual filter code */\n"
+" __u8 jt; /* Jump true */\n"
+" __u8 jf; /* Jump false */\n"
+" __u32 k; /* Generic multiuse field */\n"
+"};\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:213
+msgid ""
+"When executing the instructions, the BPF program operates on the system call "
+"information made available (i.e., use the B addressing mode) as a "
+"buffer of the following form:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:223
+#, no-wrap
+msgid ""
+"struct seccomp_data {\n"
+" int nr; /* System call number */\n"
+" __u32 arch; /* AUDIT_ARCH_* value\n"
+" (see Elinux/audit.hE) */\n"
+" __u64 instruction_pointer; /* CPU instruction pointer */\n"
+" __u64 args[6]; /* Up to 6 system call arguments */\n"
+"};\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:234
+msgid ""
+"A seccomp filter returns a 32-bit value consisting of two parts: the most "
+"significant 16 bits (corresponding to the mask defined by the constant "
+"B) contain one of the \"action\" values listed below; "
+"the least significant 16-bits (defined by the constant B) "
+"are \"data\" to be associated with this return value."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:242
+msgid ""
+"If multiple filters exist, they are all executed, in reverse order of their "
+"addition to the filter tree (i.e., the most recently installed filter is "
+"executed first). The return value for the evaluation of a given system call "
+"is the first-seen B value of highest precedence (along "
+"with its accompanying data) returned by execution of all of the filters."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:245
+msgid ""
+"In decreasing order of precedence, the values that may be returned by a "
+"seccomp filter are:"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:245
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:254
+msgid ""
+"This value results in the process exiting immediately without executing the "
+"system call. The process terminates as though killed by a B signal "
+"(I B)."
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:254
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:264
+msgid ""
+"This value results in the kernel sending a B signal to the "
+"triggering process without executing the system call. Various fields will "
+"be set in the I structure (see B(2)) associated with "
+"signal:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:269
+msgid "I will contain B."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:272
+msgid "I will show the address of the system call instruction."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:277
+msgid "I and I will indicate which system call was attempted."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:281
+msgid "I will contain B."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:286
+msgid ""
+"I will contain the B portion of the filter "
+"return value."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:295
+msgid ""
+"The program counter will be as though the system call happened (i.e., it "
+"will not point to the system call instruction). The return value register "
+"will contain an architecture-dependent value; if resuming execution, set it "
+"to something appropriate for the system call. (The architecture dependency "
+"is because replacing it with B could overwrite some useful "
+"information.)"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:295
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:302
+msgid ""
+"This value results in the B portion of the filter's return "
+"value being passed to user space as the I value without executing the "
+"system call."
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:302
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:312
+msgid ""
+"When returned, this value will cause the kernel to attempt to notify a "
+"B(2)-based tracer prior to executing the system call. If there is "
+"no tracer present, the system call is not executed and returns a failure "
+"status with I set to B."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:323
+msgid ""
+"A tracer will be notified if it requests B using "
+"I. The tracer will be notified of a "
+"B and the B portion of the filter's "
+"return value will be available to the tracer via B."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:330
+msgid ""
+"The tracer can skip the system call by changing the system call number to "
+"-1. Alternatively, the tracer can change the system call requested by "
+"changing the system call to a valid system call number. If the tracer asks "
+"to skip the system call, then the system call will appear to return the "
+"value that the tracer puts in the return value register."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:339
+msgid ""
+"The seccomp check will not be run again after the tracer is notified. (This "
+"means that seccomp-based sandboxes B allow use of "
+"B(2)\\(emeven of other sandboxed processes\\(emwithout extreme care; "
+"ptracers can use this mechanism to escape from the seccomp sandbox.)"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:339
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:342
+msgid "This value results in the system call being executed."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:358
+msgid ""
+"On success, B() returns 0. On error, if "
+"B was used, the return value is the ID of the "
+"thread that caused the synchronization failure. (This ID is a kernel thread "
+"ID of the type returned by B(2) and B(2).) On other errors, "
+"-1 is returned, and I is set to indicate the cause of the error."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:361
+msgid "B() can fail for the following reasons:"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:361
+#, no-wrap
+msgid "B"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:369
+msgid ""
+"The caller did not have the B capability, or had not set "
+"I before using B."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:373
+msgid "I was not a valid address."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:380
+msgid "I is unknown; or I are invalid for the given I."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:387
+msgid ""
+"I included B, but the specified offset was not aligned "
+"to a 32-bit boundary or exceeded I."
+msgstr ""
+
+#. See kernel/seccomp.c::seccomp_may_assign_mode() in 3.18 sources
+#. type: Plain text
+#: build/C/man2/seccomp.2:393
+msgid ""
+"A secure computing mode has already been set, and I differs from "
+"the existing setting."
+msgstr ""
+
+#. See stub kernel/seccomp.c::seccomp_set_mode_filter() in 3.18 sources
+#. type: Plain text
+#: build/C/man2/seccomp.2:402
+msgid ""
+"I specified B, but the kernel was not "
+"built with B enabled."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:413
+msgid ""
+"I specified B, but the filter program "
+"pointed to by I was not valid or the length of the filter program was "
+"zero or exceeded B (4096) instructions. B"
+msgstr ""
+
+#. ENOMEM in kernel/seccomp.c::seccomp_attach_filter() in 3.18 sources
+#. type: Plain text
+#: build/C/man2/seccomp.2:426
+msgid ""
+"The total length of all filter programs attached to the calling thread would "
+"exceed B (32768) instructions. Note that for the "
+"purposes of calculating this limit, each already existing filter program "
+"incurs an overhead penalty of 4 instructions."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:430
+msgid ""
+"Another thread caused a failure during thread sync, but its ID could not be "
+"determined."
+msgstr ""
+
+#. FIXME . Add glibc version
+#. type: Plain text
+#: build/C/man2/seccomp.2:435
+msgid "The B system call first appeared in Linux 3.17."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:439
+msgid "The B system call is a nonstandard Linux extension."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:446
+msgid ""
+"The I field of the I file provides a method of "
+"viewing the seccomp mode of a process; see B(5)."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:453
+msgid ""
+"B() provides a superset of the functionality provided by the "
+"B(2) B operation (which does not support I)."
+msgstr ""
+
+#. type: SS
+#: build/C/man2/seccomp.2:453
+#, no-wrap
+msgid "Seccomp-specific BPF details"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:455
+msgid "Note the following BPF details specific to seccomp filters:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:463
+msgid ""
+"The B and B size modifiers are not supported: all operations "
+"must load and store (4-byte) words (B)."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:469
+msgid ""
+"To access the contents of the I buffer, use the B "
+"addressing mode modifier."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:476
+msgid ""
+"The B addressing mode modifier yields an immediate mode operand "
+"whose value is the size of the I buffer."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:482
+msgid ""
+"The program below accepts four or more arguments. The first three arguments "
+"are a system call number, a numeric architecture identifier, and an error "
+"number. The program uses these values to construct a BPF filter that is "
+"used at run time to perform the following checks:"
+msgstr ""
+
+#. type: IP
+#: build/C/man2/seccomp.2:482
+#, no-wrap
+msgid "[1]"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:486
+msgid ""
+"If the program is not running on the specified architecture, the BPF filter "
+"causes system calls to fail with the error B."
+msgstr ""
+
+#. type: IP
+#: build/C/man2/seccomp.2:486
+#, no-wrap
+msgid "[2]"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:491
+msgid ""
+"If the program attempts to execute the system call with the specified "
+"number, the BPF filter causes the system call to fail, with I being "
+"set to the specified error number."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:500
+msgid ""
+"The remaining command-line arguments specify the pathname and additional "
+"arguments of a program that the example program should attempt to execute "
+"using B(3) (a library function that employs the B(2) "
+"system call). Some example runs of the program are shown below."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:504
+msgid ""
+"First, we display the architecture that we are running on (x86-64) and then "
+"construct a shell function that looks up system call numbers on this "
+"architecture:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:513
+#, no-wrap
+msgid ""
+"$ B\n"
+"x86_64\n"
+"$ B\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:520
+msgid ""
+"When the BPF filter rejects a system call (case [2] above), it causes the "
+"system call to fail with the error number specified on the command line. In "
+"the experiments shown here, we'll use error number 99:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:525
+#, no-wrap
+msgid ""
+"$ B\n"
+"EADDRNOTAVAIL 99 Cannot assign requested address\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:533
+msgid ""
+"In the following example, we attempt to run the command B(1), but "
+"the BPF filter rejects the B(2) system call, so that the command is "
+"not even executed:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:544
+#, no-wrap
+msgid ""
+"$ B\n"
+"59\n"
+"$ B<./a.out>\n"
+"Usage: ./a.out Esyscall_nrE EarchE EerrnoE "
+"EprogE [EargsE]\n"
+"Hint for EarchE: AUDIT_ARCH_I386: 0x40000003\n"
+" AUDIT_ARCH_X86_64: 0xC000003E\n"
+"$ B<./a.out 59 0xC000003E 99 /bin/whoami>\n"
+"execv: Cannot assign requested address\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:552
+msgid ""
+"In the next example, the BPF filter rejects the B(2) system call, so "
+"that, although it is successfully started, the B(1) command is not "
+"able to write output:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:558
+#, no-wrap
+msgid ""
+"$ B\n"
+"1\n"
+"$ B<./a.out 1 0xC000003E 99 /bin/whoami>\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:565
+msgid ""
+"In the final example, the BPF filter rejects a system call that is not used "
+"by the B(1) command, so it is able to successfully execute and "
+"produce output:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:572
+#, no-wrap
+msgid ""
+"$ B\n"
+"295\n"
+"$ B<./a.out 295 0xC000003E 99 /bin/whoami>\n"
+"cecilia\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:586
+#, no-wrap
+msgid ""
+"#include Eerrno.hE\n"
+"#include Estddef.hE\n"
+"#include Estdio.hE\n"
+"#include Estdlib.hE\n"
+"#include Eunistd.hE\n"
+"#include Elinux/audit.hE\n"
+"#include Elinux/filter.hE\n"
+"#include Elinux/seccomp.hE\n"
+"#include Esys/prctl.hE\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:595
+#, no-wrap
+msgid ""
+"static int\n"
+"install_filter(int syscall_nr, int t_arch, int f_errno)\n"
+"{\n"
+" struct sock_filter filter[] = {\n"
+" /* [0] Load architecture from 'seccomp_data' buffer into\n"
+" accumulator */\n"
+" BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
+" (offsetof(struct seccomp_data, arch))),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:599
+#, no-wrap
+msgid ""
+" /* [1] Jump forward 4 instructions if architecture does not\n"
+" match 't_arch' */\n"
+" BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 4),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:604
+#, no-wrap
+msgid ""
+" /* [2] Load system call number from 'seccomp_data' buffer into\n"
+" accumulator */\n"
+" BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
+" (offsetof(struct seccomp_data, nr))),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:608
+#, no-wrap
+msgid ""
+" /* [3] Jump forward 1 instruction if system call number\n"
+" does not match 'syscall_nr' */\n"
+" BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:613
+#, no-wrap
+msgid ""
+" /* [4] Matching architecture and system call: don't execute\n"
+"\t the system call, and return 'f_errno' in 'errno' */\n"
+" BPF_STMT(BPF_RET | BPF_K,\n"
+" SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:617
+#, no-wrap
+msgid ""
+" /* [5] Destination of system call number mismatch: allow other\n"
+" system calls */\n"
+" BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:621
+#, no-wrap
+msgid ""
+" /* [6] Destination of architecture mismatch: kill process */\n"
+" BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),\n"
+" };\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:626
+#, no-wrap
+msgid ""
+" struct sock_fprog prog = {\n"
+" .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),\n"
+" .filter = filter,\n"
+" };\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:631
+#, no-wrap
+msgid ""
+" if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {\n"
+" perror(\"seccomp\");\n"
+" return 1;\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:634
+#, no-wrap
+msgid ""
+" return 0;\n"
+"}\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:646
+#, no-wrap
+msgid ""
+"int\n"
+"main(int argc, char **argv)\n"
+"{\n"
+" if (argc E 5) {\n"
+" fprintf(stderr, \"Usage: \"\n"
+" \"%s Esyscall_nrE EarchE EerrnoE "
+"EprogE [EargsE]\\en\"\n"
+" \"Hint for EarchE: AUDIT_ARCH_I386: 0x%X\\en\"\n"
+" \" AUDIT_ARCH_X86_64: 0x%X\\en\"\n"
+" \"\\en\", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:651
+#, no-wrap
+msgid ""
+" if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {\n"
+" perror(\"prctl\");\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:656
+#, no-wrap
+msgid ""
+" if (install_filter(strtol(argv[1], NULL, 0),\n"
+" strtol(argv[2], NULL, 0),\n"
+" strtol(argv[3], NULL, 0)))\n"
+" exit(EXIT_FAILURE);\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:661
+#, no-wrap
+msgid ""
+" execv(argv[4], &argv[4]);\n"
+" perror(\"execv\");\n"
+" exit(EXIT_FAILURE);\n"
+"}\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:667
+msgid "B(2), B(2), B(7), B(7)"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:672
+msgid ""
+"The kernel source files I and "
+"I."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:678
+msgid ""
+"McCanne, S. and Jacobson, V. (1992) I, Proceedings of the USENIX "
+"Winter 1993 Conference E<.UR http://www.tcpdump.org/papers/bpf-usenix93.pdf> "
+"E<.UE>"
+msgstr ""
diff --git a/stats/process b/stats/process
index 4e029f43..54e0cd68 100644
--- a/stats/process
+++ b/stats/process
@@ -32,3 +32,4 @@ setuid.2,36,1,37
 svipc.7,94,1,95
 ulimit.3,30,1,31
 user_namespaces.7,92,76,168
+seccomp.2,32,112,144
diff --git a/untrans.html b/untrans.html
index e71900ff..c353d792 100644
--- a/untrans.html
+++ b/untrans.html
@@ -489,6 +489,7 @@ svipc.71/9598.95
 ulimit.31/3196.77
 user_namespaces.776/16854.76
+seccomp.2112/14422.22
 pthread
 getcontext.31/3697.22
 makecontext.31/4997.96
@@ -1032,6 +1033,6 @@ towupper.31/3797.30
 wctrans.31/2696.15
 wctype.31/2696.15
-Total 974 pages
+Total 975 pages
-- 
2.11.0