seccomp_export_bpf(3)      libseccomp Documentation      seccomp_export_bpf(3)

NAME

       seccomp_export_bpf, seccomp_export_pfc - Export the seccomp filter

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
       int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_export_bpf() and seccomp_export_pfc() functions generate
       and output the current seccomp filter in either BPF (Berkeley Packet
       Filter) or PFC (Pseudo Filter Code). The output of
       seccomp_export_bpf() is suitable for loading into the kernel, while
       the output of seccomp_export_pfc() is human readable and is intended
       primarily as a debugging tool for developers using libseccomp. Both
       functions write the filter to the fd file descriptor.

       The filter context ctx is the value returned by the call to
       seccomp_init(3).

       While the two output formats are guaranteed to be functionally
       equivalent for the given seccomp filter configuration, the filter
       instructions, and their ordering, are not guaranteed to be the same
       in both the BPF and PFC formats.

RETURN VALUE

       Return zero on success or one of the following error codes on failure:

       -ECANCELED
              There was a system failure beyond the control of the library.

       -EFAULT
              Internal libseccomp failure.

       -EINVAL
              Invalid input, either the context or architecture token is
              invalid.

       -ENOMEM
              The library was unable to allocate enough memory.

       If the SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then
       additional error codes may be returned to the caller; these additional
       error codes are the negative errno values returned by the system.
       Unfortunately libseccomp can make no guarantees about these return
       values.

EXAMPLES

       #include <errno.h>      /* errno */
       #include <fcntl.h>      /* open(), O_WRONLY */
       #include <unistd.h>     /* close() */
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;
            int filter_fd;

            /* default action: kill on any syscall without a matching rule */
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            /* O_CREAT is not passed, so the output file must already exist */
            filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);
            if (filter_fd == -1) {
                 rc = -errno;
                 goto out;
            }

            /* write the filter as raw BPF to the open descriptor */
            rc = seccomp_export_bpf(ctx, filter_fd);
            if (rc < 0) {
                 close(filter_fd);
                 goto out;
            }
            close(filter_fd);

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }
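
       An added example, not part of the libseccomp documentation: a
       stand-alone structural check for a blob written by seccomp_export_bpf()
       before it is handed to the kernel. It assumes the blob is a raw array
       of 8-byte classic BPF instructions (the layout of the kernel's struct
       sock_filter) in host byte order; check_bpf_blob(), struct insn and the
       sample filter are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: same as the kernel's struct sock_filter (8 bytes). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define MAX_INSNS 4096          /* kernel limit, BPF_MAXINSNS */
#define CLASS(c)  ((c) & 0x07)
#define CLS_JMP   0x05          /* BPF_JMP */
#define CLS_RET   0x06          /* BPF_RET */
#define OP_JA     0x00          /* BPF_JA: unconditional jump, offset in k */

/* Returns the instruction count, or -1 if the blob is malformed. */
int check_bpf_blob(const void *buf, size_t len)
{
    size_t n = len / sizeof(struct insn);
    struct insn in;

    /* must be a non-empty whole number of instructions within the limit */
    if (len == 0 || len % sizeof(struct insn) != 0 || n > MAX_INSNS)
        return -1;
    for (size_t i = 0; i < n; i++) {
        memcpy(&in, (const unsigned char *)buf + i * sizeof(in), sizeof(in));
        if (CLASS(in.code) != CLS_JMP)
            continue;
        /* jump offsets are relative to the next instruction (i + 1) */
        if ((in.code & 0xf0) == OP_JA) {
            if (in.k >= n - i - 1)
                return -1;
        } else if (in.jt >= n - i - 1 || in.jf >= n - i - 1) {
            return -1;
        }
    }
    /* 'in' now holds the last instruction, which must be a return */
    return CLASS(in.code) == CLS_RET ? (int)n : -1;
}

/* Constructed sample: allow only if the arch field is x86_64, else kill. */
static const struct insn sample[] = {
    { 0x20, 0, 0, 4 },            /* ld  [4]   (seccomp_data.arch)    */
    { 0x15, 1, 0, 0xc000003e },   /* jeq AUDIT_ARCH_X86_64 ? +1 : +0  */
    { 0x06, 0, 0, 0x00000000 },   /* ret KILL                         */
    { 0x06, 0, 0, 0x7fff0000 },   /* ret ALLOW                        */
};

int main(void)
{
    printf("%d instructions\n", check_bpf_blob(sample, sizeof(sample)));
    return 0;
}
```

       A truncated write or a partially written file shows up here as a
       length that is not a multiple of 8 or as a jump that lands past the
       end of the program.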

NOTES

       While the seccomp filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development; please report any bugs at the project site or directly to
       the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_init(3), seccomp_release(3)

paul@paul-moore.com               30 May 2020            seccomp_export_bpf(3)