1seccomp_merge(3)           libseccomp Documentation           seccomp_merge(3)

NAME

6       seccomp_merge - Merge two seccomp filters
7

SYNOPSIS

9       #include <seccomp.h>
10
11       typedef void * scmp_filter_ctx;
12
13       int seccomp_merge(scmp_filter_ctx dst, scmp_filter_ctx src);
14
15       Link with -lseccomp.
16

DESCRIPTION

       The seccomp_merge() function merges the seccomp filter in src with the
       filter in dst and stores the result in the dst filter.  If successful,
       the src seccomp filter is released and all internal memory associated
       with the filter is freed; there is no need to call seccomp_release(3)
       on src and the caller should discard any references to the filter.  If
       the merge fails, the example below still releases src itself, so the
       caller remains responsible for it in that case.
24
25       In order to merge two seccomp filters, both filters must have the  same
26       attribute values and no overlapping architectures.
27

RETURN VALUE

29       Returns zero on success or one of the following error codes on failure:
30
31       -EDOM  Unable  to  merge  the  filters due to architecture issues, e.g.
32              byte endian mismatches.
33
34       -EEXIST
35              The architecture already exists in the filter.
36
37       -EINVAL
38              One of the filters is invalid.
39
40       -ENOMEM
41              The library was unable to allocate enough memory.
42

EXAMPLES

44       #include <seccomp.h>
45
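/*
 * Build one filter for 32-bit x86 and one for x86_64, then fold the 32-bit
 * filter into the 64-bit one with seccomp_merge().
 *
 * Ownership: each context returned by seccomp_init() is released exactly
 * once.  A successful seccomp_merge() releases its src argument, so ctx_32
 * is reset to NULL afterwards and the cleanup path skips it.
 *
 * Returns 0 on success and a positive value on failure: the negated error
 * code of the failing call, or 1 when seccomp_init() fails.
 */
int main(int argc, char *argv[])
{
     int rc = -1;
     /* Start from NULL so the cleanup labels never hand an indeterminate
      * pointer to seccomp_release() when an early seccomp_init() fails. */
     scmp_filter_ctx ctx_32 = NULL, ctx_64 = NULL;

     ctx_32 = seccomp_init(SCMP_ACT_KILL);
     if (ctx_32 == NULL)
          goto out_all;
     ctx_64 = seccomp_init(SCMP_ACT_KILL);
     if (ctx_64 == NULL)
          goto out_all;

     /* -EEXIST from seccomp_arch_exist() is treated here as "architecture
      * not in the filter yet": add it, then drop the native architecture.
      * Presumably this keeps the two filters from sharing an architecture,
      * which seccomp_merge() does not allow. */
     if (seccomp_arch_exist(ctx_32, SCMP_ARCH_X86) == -EEXIST) {
          rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86);
          if (rc != 0)
               goto out_all;
          rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE);
          if (rc != 0)
               goto out_all;
     }
     if (seccomp_arch_exist(ctx_64, SCMP_ARCH_X86_64) == -EEXIST) {
          rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64);
          if (rc != 0)
               goto out_all;
          rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE);
          if (rc != 0)
               goto out_all;
     }

     /* ... */

     rc = seccomp_merge(ctx_64, ctx_32);
     if (rc != 0)
          goto out_all;

     /* NOTE: the 'ctx_32' filter is no longer valid at this point.  Clear
      * the handle so a later "goto out_all" cannot release it a second
      * time. */
     ctx_32 = NULL;

     /* ... */

out:
     if (ctx_64 != NULL)
          seccomp_release(ctx_64);
     return -rc;
out_all:
     if (ctx_32 != NULL)
          seccomp_release(ctx_32);
     goto out;
}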
92

NOTES

94       While the seccomp filter can be generated independent  of  the  kernel,
95       kernel  support is required to load and enforce the seccomp filter gen‐
96       erated by libseccomp.
97
98       The libseccomp project site, with more information and the source  code
99       repository,  can  be  found  at  https://github.com/seccomp/libseccomp.
100       This tool, as well as the libseccomp library, is currently under devel‐
101       opment,  please  report any bugs at the project site or directly to the
102       author.
103

AUTHOR

105       Paul Moore <paul@paul-moore.com>
106

SEE ALSO

108       seccomp_init(3),    seccomp_reset(3),     seccomp_arch_add(3),     sec‐
109       comp_arch_remove(3), seccomp_attr_get(3), seccomp_attr_set(3)
113paul@paul-moore.com               30 May 2020                 seccomp_merge(3)