.TH "seccomp_export_bpf" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
seccomp_export_bpf, seccomp_export_pfc \- Export the seccomp filter
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.nf
.B #include <seccomp.h>
.sp
.B typedef void * scmp_filter_ctx;
.sp
.BI "int seccomp_export_bpf(const scmp_filter_ctx " ctx ", int " fd ");"
.BI "int seccomp_export_pfc(const scmp_filter_ctx " ctx ", int " fd ");"
.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The
.BR seccomp_export_bpf ()
and
.BR seccomp_export_pfc ()
functions generate and output the current seccomp filter in either BPF (Berkeley
Packet Filter) or PFC (Pseudo Filter Code). The output of
.BR seccomp_export_bpf ()
is suitable for loading into the kernel, while the output of
.BR seccomp_export_pfc ()
is human readable and is intended primarily as a debugging tool for developers
using libseccomp. Both functions write the filter to the
.I fd
file descriptor. Note that the exported filter carries no integrity protection
of its own: whatever a program later loads from an exported BPF file is what the
kernel will enforce, so the file must be stored where only trusted principals
can modify it.
.P
The filter context
.I ctx
is the value returned by the call to
.BR seccomp_init (3).
.P
While the two output formats are guaranteed to be functionally equivalent for
the given seccomp filter configuration, the filter instructions, and their
ordering, are not guaranteed to be the same in both the BPF and PFC formats.
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
Returns zero on success, or a negative errno value on failure.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
.\" //////////////////////////////////////////////////////////////////////////
.nf
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

#include <seccomp.h>
|
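int main(int argc, char *argv[])
{
	int rc = \-1;
	scmp_filter_ctx ctx;
	int filter_fd;

	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		goto out;

	/* ... */

	/* Create the output file ourselves, owner read/write only, and fail
	 * if anything already exists at that path (O_EXCL also refuses a
	 * symbolic link).  The exported program is the raw filter that will
	 * later be handed to the kernel, so blindly opening a pre-existing
	 * name in a shared directory such as /tmp would let another user
	 * pick where those bytes land or tamper with them afterwards. */
	filter_fd = open("/tmp/seccomp_filter.bpf",
			 O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (filter_fd == \-1) {
		rc = \-errno;
		goto out;
	}

	/* seccomp_export_bpf() returns 0 or a negative errno value */
	rc = seccomp_export_bpf(ctx, filter_fd);
	if (rc < 0) {
		close(filter_fd);
		goto out;
	}
	/* close(2) can still report a deferred write error; a filter that
	 * did not reach the file intact must not be reported as exported */
	if (close(filter_fd) == \-1) {
		rc = \-errno;
		goto out;
	}

	/* ... */

out:
	seccomp_release(ctx);
	return \-rc;
}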
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
.P
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp. This tool,
as well as the libseccomp library, is currently under development; please
report any bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH AUTHOR
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.SH SEE ALSO
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_init (3),
.BR seccomp_release (3)
|