1seccomp_merge(3)           libseccomp Documentation           seccomp_merge(3)

NAME

6       seccomp_merge - Merge two seccomp filters
7

SYNOPSIS

9       #include <seccomp.h>
10
11       typedef void * scmp_filter_ctx;
12
13       int seccomp_merge(scmp_filter_ctx dst, scmp_filter_ctx src);
14
15       Link with -lseccomp.
16

DESCRIPTION

       The seccomp_merge() function merges the seccomp filter in src with the
       filter in dst and stores the result in the dst filter.  If successful,
       the src seccomp filter is released and all internal memory associated
       with the filter is freed; there is no need to call seccomp_release(3)
       on src, and the caller should discard any references to the filter
       because they now refer to released memory.  On failure the src filter
       is not consumed; the example below still releases it on that path.
24
25       In order to merge two seccomp filters, both filters must have the  same
26       attribute values and no overlapping architectures.
27

RETURN VALUE

29       Returns zero on success and negative values on failure.
30

EXAMPLES

32       #include <seccomp.h>
33
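/*
 * Build one seccomp filter per x86 ABI (32-bit and 64-bit) and merge the
 * 32-bit filter into the 64-bit one.
 *
 * Returns 0 on success; otherwise the negated value of rc, which is 1 when a
 * filter could not be allocated and the negated library return code when a
 * later call failed.
 */
int main(int argc, char *argv[])
{
    int rc = -1;
    /*
     * Start from NULL so the single cleanup path below never hands an
     * indeterminate pointer to seccomp_release(), e.g. when the first
     * seccomp_init() fails before ctx_64 has been assigned.
     */
    scmp_filter_ctx ctx_32 = NULL;
    scmp_filter_ctx ctx_64 = NULL;

    /* Both filters are created the same way so their attributes match. */
    ctx_32 = seccomp_init(SCMP_ACT_KILL);
    if (ctx_32 == NULL)
        goto out;
    ctx_64 = seccomp_init(SCMP_ACT_KILL);
    if (ctx_64 == NULL)
        goto out;

    /*
     * seccomp_merge() refuses filters with overlapping architectures, so
     * each filter is narrowed to a single ABI: when the wanted architecture
     * is missing (-EEXIST, from <errno.h>), add it and drop the native one.
     */
    if (seccomp_arch_exist(ctx_32, SCMP_ARCH_X86) == -EEXIST) {
        rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86);
        if (rc != 0)
            goto out;
        rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE);
        if (rc != 0)
            goto out;
    }
    if (seccomp_arch_exist(ctx_64, SCMP_ARCH_X86_64) == -EEXIST) {
        rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64);
        if (rc != 0)
            goto out;
        rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE);
        if (rc != 0)
            goto out;
    }

    /* ... */

    /* On failure ctx_32 is still ours and is released at 'out'. */
    rc = seccomp_merge(ctx_64, ctx_32);
    if (rc != 0)
        goto out;

    /*
     * NOTE: the 'ctx_32' filter is no longer valid at this point.  Clear
     * the handle so that a later 'goto out' cannot release it a second
     * time or otherwise touch the released filter.
     */
    ctx_32 = NULL;

    /* ... */

out:
    if (ctx_32 != NULL)
        seccomp_release(ctx_32);
    if (ctx_64 != NULL)
        seccomp_release(ctx_64);
    return -rc;
}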
80

NOTES

       While the seccomp filter can be generated independently of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.
85
       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development; please report any bugs at the project site or directly to
       the author.
91

AUTHOR

93       Paul Moore <paul@paul-moore.com>
94

SEE ALSO

       seccomp_init(3), seccomp_reset(3), seccomp_arch_add(3),
       seccomp_arch_remove(3), seccomp_attr_get(3), seccomp_attr_set(3)
101paul@paul-moore.com            28 September 2012              seccomp_merge(3)