|
NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | EXAMPLES | NOTES | AUTHOR | SEE ALSO | COLOPHON |
seccomp_export_bpf(3) libseccomp Documentation seccomp_export_bpf(3)
seccomp_export_bpf, seccomp_export_pfc - Export the seccomp filter
#include <seccomp.h>
typedef void * scmp_filter_ctx;
int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);
Link with -lseccomp.
The seccomp_export_bpf() and seccomp_export_pfc() functions generate
and output the current seccomp filter in either BPF (Berkley Packet
Filter) or PFC (Pseudo Filter Code). The output of
seccomp_export_bpf() is suitable for loading into the kernel, while
the output of seccomp_export_pfc() is human readable and is intended
primarily as a debugging tool for developers using libseccomp. Both
functions write the filter to the fd file descriptor.
The filter context ctx is the value returned by the call to
seccomp_init(3).
While the two output formats are guaranteed to be functionally
equivalent for the given seccomp filter configuration, the filter
instructions, and their ordering, are not guaranteed to be the same
in both the BPF and PFC formats.
Return zero on success or one of the following error codes on
failure:
-ECANCELED
There was a system failure beyond the control of the library.
-EFAULT
Internal libseccomp failure.
-EINVAL
Invalid input, either the context or architecture token is
invalid.
-ENOMEM
The library was unable to allocate enough memory.
If the SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then
additional error codes may be returned to the caller; these
additional error codes are the negative errno values returned by the
system. Unfortunately libseccomp can make no guarantees about these
return values.
#include <seccomp.h>
int main(int argc, char *argv[])
{
int rc = -1;
scmp_filter_ctx ctx;
int filter_fd;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL)
goto out;
/* ... */
filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);
if (filter_fd == -1) {
rc = -errno;
goto out;
}
rc = seccomp_export_bpf(ctx, filter_fd);
if (rc < 0) {
close(filter_fd);
goto out;
}
close(filter_fd);
/* ... */
out:
seccomp_release(ctx);
return -rc;
}
While the seccomp filter can be generated independent of the kernel,
kernel support is required to load and enforce the seccomp filter
generated by libseccomp.
The libseccomp project site, with more information and the source
code repository, can be found at
https://github.com/seccomp/libseccomp. This tool, as well as the
libseccomp library, is currently under development, please report any
bugs at the project site or directly to the author.
Paul Moore <paul@paul-moore.com>
seccomp_init(3), seccomp_release(3)
This page is part of the libseccomp (high-level API to the Linux
Kernel's seccomp filter) project. Information about the project can
be found at ⟨https://github.com/seccomp/libseccomp⟩. If you have a
bug report for this manual page, see
⟨https://groups.google.com/d/forum/libseccomp⟩. This page was
obtained from the project's upstream Git repository
⟨https://github.com/seccomp/libseccomp⟩ on 2020-08-13. (At that
time, the date of the most recent commit that was found in the repos‐
itory was 2020-08-04.) If you discover any rendering problems in
this HTML version of the page, or you believe there is a better or
more up-to-date source for the page, or you have corrections or
improvements to the information in this COLOPHON (which is not part
of the original manual page), send a mail to man-pages@man7.org
paul@paul-moore.com 30 May 2020 seccomp_export_bpf(3)