.TH "seccomp_export_bpf" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"

.\" //////////////////////////////////////////////////////////////////////////

.SH NAME

.\" //////////////////////////////////////////////////////////////////////////

seccomp_export_bpf, seccomp_export_pfc \- Export the seccomp filter

.\" //////////////////////////////////////////////////////////////////////////

.SH SYNOPSIS

.\" //////////////////////////////////////////////////////////////////////////

.nf

.B #include <seccomp.h>

.sp

.B typedef void * scmp_filter_ctx;

.sp

.BI "int seccomp_export_bpf(const scmp_filter_ctx " ctx ", int " fd ");"

.BI "int seccomp_export_pfc(const scmp_filter_ctx " ctx ", int " fd ");"

.sp

Link with \fI\-lseccomp\fP.

.fi

.\" //////////////////////////////////////////////////////////////////////////

.SH DESCRIPTION

.\" //////////////////////////////////////////////////////////////////////////

.P

The

.BR seccomp_export_bpf ()

and

.BR seccomp_export_pfc ()

functions generate and output the current seccomp filter in either BPF (Berkley

Packet Filter) or PFC (Pseudo Filter Code).  The output of

.BR seccomp_export_bpf ()

is suitable for loading into the kernel, while the output of

.BR seccomp_export_pfc ()

is human readable and is intended primarily as a debugging tool for developers

using libseccomp.  Both functions write the filter to the

.I fd

file descriptor.

.P

The filter context

.I ctx

is the value returned by the call to

.BR seccomp_init (3).

.P

While the two output formats are guaranteed to be functionally equivalent for

the given seccomp filter configuration, the filter instructions, and their

ordering, are not guaranteed to be the same in both the BPF and PFC formats.

.\" //////////////////////////////////////////////////////////////////////////

.SH RETURN VALUE

.\" //////////////////////////////////////////////////////////////////////////

Returns zero on success, negative errno values on failure.

.\" //////////////////////////////////////////////////////////////////////////

.SH EXAMPLES

.\" //////////////////////////////////////////////////////////////////////////

.nf

#include <seccomp.h>

int main(int argc, char *argv[])

{

	int rc = \-1;

	scmp_filter_ctx ctx;

	int filter_fd;

	ctx = seccomp_init(SCMP_ACT_KILL);

	if (ctx == NULL)

		goto out;

	/* ... */

	filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);

	if (filter_fd == \-1) {

		rc = \-errno;

		goto out;

	}

	rc = seccomp_export_bpf(ctx, filter_fd);

	if (rc < 0) {

		close(filter_fd);

		goto out;

	}

	close(filter_fd);

	/* ... */

out:

	seccomp_release(ctx);

	return \-rc;

}

.fi

.\" //////////////////////////////////////////////////////////////////////////

.SH NOTES

.\" //////////////////////////////////////////////////////////////////////////

.P

While the seccomp filter can be generated independent of the kernel, kernel

support is required to load and enforce the seccomp filter generated by

libseccomp.

.P

The libseccomp project site, with more information and the source code

repository, can be found at https://github.com/seccomp/libseccomp.  This tool,

as well as the libseccomp library, is currently under development, please

report any bugs at the project site or directly to the author.

.\" //////////////////////////////////////////////////////////////////////////

.SH AUTHOR

.\" //////////////////////////////////////////////////////////////////////////

Paul Moore <paul@paul-moore.com>

.\" //////////////////////////////////////////////////////////////////////////

.SH SEE ALSO

.\" //////////////////////////////////////////////////////////////////////////

.BR seccomp_init (3),

.BR seccomp_release (3)