seccomp_export_bpf(3)      libseccomp Documentation      seccomp_export_bpf(3)

NAME

       seccomp_export_bpf, seccomp_export_pfc - Export the seccomp filter

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
       int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_export_bpf() and seccomp_export_pfc() functions generate
       and output the current seccomp filter in either BPF (Berkeley Packet
       Filter) or PFC (Pseudo Filter Code). The output of
       seccomp_export_bpf() is suitable for loading into the kernel, while
       the output of seccomp_export_pfc() is human readable and is intended
       primarily as a debugging tool for developers using libseccomp. Both
       functions write the filter to the fd file descriptor.

       The filter context ctx is the value returned by the call to
       seccomp_init(3).

       While the two output formats are guaranteed to be functionally
       equivalent for the given seccomp filter configuration, the filter
       instructions, and their ordering, are not guaranteed to be the same
       in both the BPF and PFC formats.

RETURN VALUE

       Return zero on success or one of the following error codes on failure:

       -ECANCELED
              There was a system failure beyond the control of the library.

       -EFAULT
              Internal libseccomp failure.

       -EINVAL
              Invalid input, either the context or architecture token is
              invalid.

       -ENOMEM
              The library was unable to allocate enough memory.

       If the SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then
       additional error codes may be returned to the caller; these
       additional error codes are the negative errno values returned by the
       system. Unfortunately libseccomp can make no guarantees about these
       return values.

EXAMPLES

       #include <errno.h>
       #include <fcntl.h>
       #include <unistd.h>
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;
            int filter_fd;

            /* default action: kill on any syscall not explicitly allowed */
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            /* create the output file if needed, accessible to the owner only */
            filter_fd = open("/tmp/seccomp_filter.bpf",
                             O_WRONLY | O_CREAT | O_TRUNC, 0600);
            if (filter_fd == -1) {
                 rc = -errno;
                 goto out;
            }

            /* write the raw BPF program for the current filter to the file */
            rc = seccomp_export_bpf(ctx, filter_fd);
            if (rc < 0) {
                 close(filter_fd);
                 goto out;
            }
            close(filter_fd);

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }
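       Added example, not part of the libseccomp documentation: reading a
       file written by seccomp_export_bpf() back in, sanity-checking it, and
       loading it into the kernel with prctl(2). The names
       read_exported_bpf() and install_bpf() are hypothetical, and the file
       is assumed to have been exported for the same architecture and byte
       order as the loading host.

```c
/* Added example: validate and load a filter written by seccomp_export_bpf(). */
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Read a raw BPF program (an array of struct sock_filter) from fd.
 * Returns 0 and fills *prog (caller frees prog->filter), or -errno. */
int read_exported_bpf(int fd, struct sock_fprog *prog)
{
	size_t cap = BPF_MAXINSNS * sizeof(struct sock_filter), len = 0, count;
	unsigned char *buf = malloc(cap + 1);
	struct sock_filter *insns;
	ssize_t n;

	if (buf == NULL)
		return -ENOMEM;
	/* read one byte past the kernel's limit so oversized input is caught */
	while ((n = read(fd, buf + len, cap + 1 - len)) > 0)
		len += (size_t)n;
	if (n < 0 || len == 0 || len > cap || len % sizeof(*insns) != 0) {
		int rc = n < 0 ? -errno : -EINVAL; /* truncated or oversized */
		free(buf);
		return rc;
	}
	insns = (struct sock_filter *)buf;
	count = len / sizeof(*insns);
	/* the kernel rejects programs whose last instruction is not a return */
	if (BPF_CLASS(insns[count - 1].code) != BPF_RET) {
		free(buf);
		return -EINVAL;
	}
	prog->len = (unsigned short)count;
	prog->filter = insns;
	return 0;
}

/* Install the program for the calling thread; this cannot be undone. */
int install_bpf(const struct sock_fprog *prog)
{
	/* required for unprivileged callers before a filter can be attached */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
		return -errno;
	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog) < 0)
		return -errno;
	return 0;
}
```

       The kernel runs its own verifier when the filter is attached; the
       checks in read_exported_bpf() only reject truncated, oversized or
       obviously malformed files early.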

NOTES

       While the seccomp filter can be generated independently of the
       kernel, kernel support is required to load and enforce the seccomp
       filter generated by libseccomp.

       The libseccomp project site, with more information and the source
       code repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development; please report any bugs at the project site or directly
       to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_init(3), seccomp_release(3)

paul@paul-moore.com               30 May 2020            seccomp_export_bpf(3)