x SuSE Linux 13.1-RELEASE x
x SuSE Linux 13.1-RELEASEx
seccomp_export_bpf(3) libseccomp Documentation seccomp_export_bpf(3)
NAME
seccomp_export_bpf, seccomp_export_pfc - Export the seccomp filter
SYNOPSIS
#include <seccomp.h>
typedef void * scmp_filter_ctx;
int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);
Link with -lseccomp.
DESCRIPTION
The seccomp_export_bpf() and seccomp_export_pfc() functions generate
and output the current seccomp filter in either BPF (Berkeley Packet
Filter) or PFC (Pseudo Filter Code). The output of seccomp_ex-
port_bpf() is suitable for loading into the kernel, while the output of
seccomp_export_pfc() is human readable and is intended primarily as a
debugging tool for developers using libseccomp. Both functions write
the filter to the fd file descriptor.
The filter context ctx is the value returned by the call to sec-
comp_init(3).
While the two output formats are guaranteed to be functionally equiva-
lent for the given seccomp filter configuration, the filter instruc-
tions, and their ordering, are not guaranteed to be the same in both
the BPF and PFC formats.
RETURN VALUE
Return zero on success or one of the following error codes on failure:
-ECANCELED
There was a system failure beyond the control of the library.
-EFAULT
Internal libseccomp failure.
-EINVAL
Invalid input, either the context or architecture token is in-
valid.
-ENOMEM
The library was unable to allocate enough memory.
If the SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then addi-
tional error codes may be returned to the caller; these additional er-
ror codes are the negative errno values returned by the system. Unfor-
tunately libseccomp can make no guarantees about these return values.
EXAMPLES
#include <seccomp.h>
int main(int argc, char *argv[])
{
int rc = -1;
scmp_filter_ctx ctx;
int filter_fd;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL)
goto out;
/* ... */
filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);
if (filter_fd == -1) {
rc = -errno;
goto out;
}
rc = seccomp_export_bpf(ctx, filter_fd);
if (rc < 0) {
close(filter_fd);
goto out;
}
close(filter_fd);
/* ... */
out:
seccomp_release(ctx);
return -rc;
}
NOTES
While the seccomp filter can be generated independent of the kernel,
kernel support is required to load and enforce the seccomp filter gen-
erated by libseccomp.
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp.
This tool, as well as the libseccomp library, is currently under devel-
opment, please report any bugs at the project site or directly to the
author.
AUTHOR
Paul Moore <paul@paul-moore.com>
SEE ALSO
seccomp_init(3), seccomp_release(3)
paul@paul-moore.com 30 May 2020 seccomp_export_bpf(3)
Want to link to this manual page? Use this URL:
<http://star2.abcm.com/cgi-bin/bsdi-man?query=seccomp_export_bpf&sektion=3&manpath=>