1 | .TH "seccomp_arch_add" 3 "7 May 2014" "paul@paul-moore.com" "libseccomp Documentation" |
2 | .\" ////////////////////////////////////////////////////////////////////////// | |
3 | .SH NAME | |
4 | .\" ////////////////////////////////////////////////////////////////////////// | |
5 | seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native, seccomp_arch_resolve_name \- Manage seccomp filter architectures | |
6 | .\" ////////////////////////////////////////////////////////////////////////// | |
7 | .SH SYNOPSIS | |
8 | .\" ////////////////////////////////////////////////////////////////////////// | |
9 | .nf | |
10 | .B #include <seccomp.h> | |
11 | .sp | |
12 | .B typedef void * scmp_filter_ctx; | |
13 | .sp | |
14 | .B #define SCMP_ARCH_NATIVE | |
15 | .B #define SCMP_ARCH_X86 | |
16 | .B #define SCMP_ARCH_X86_64 | |
17 | .sp | |
18 | .BI "uint32_t seccomp_arch_resolve_name(const char *" arch_name ");" | |
19 | .BI "uint32_t seccomp_arch_native(void);" | |
20 | .BI "int seccomp_arch_exist(const scmp_filter_ctx " ctx ", uint32_t " arch_token ");" | |
21 | .BI "int seccomp_arch_add(scmp_filter_ctx " ctx ", uint32_t " arch_token ");" | |
22 | .BI "int seccomp_arch_remove(scmp_filter_ctx " ctx ", uint32_t " arch_token ");" | |
23 | .sp | |
24 | Link with \fI\-lseccomp\fP. | |
25 | .fi | |
26 | .\" ////////////////////////////////////////////////////////////////////////// | |
27 | .SH DESCRIPTION | |
28 | .\" ////////////////////////////////////////////////////////////////////////// | |
29 | .P | |
30 | The | |
31 | .BR seccomp_arch_exist () | |
32 | function tests to see if a given architecture has been added to the seccomp | |
33 | filter in | |
34 | .I ctx | |
35 | , where the | |
36 | .BR seccomp_arch_add () | |
37 | and | |
38 | .BR seccomp_arch_remove () | |
39 | add and remove, respectively, architectures from the seccomp filter. In all | |
40 | three functions, the architecture values given in | |
41 | .I arch_token | |
42 | should be the | |
43 | .BR SCMP_ARCH_* | |
44 | defined constants; with the | |
45 | .BR SCMP_ARCH_NATIVE | |
46 | constant always referring to the native compiled architecture. The | |
47 | .BR seccomp_arch_native () | |
48 | function returns the system's architecture such that it will match one of the | |
49 | .BR SCMP_ARCH_* | |
50 | constants. While the | |
51 | .BR seccomp_arch_resolve_name () | |
52 | function also returns a | |
53 | .BR SCMP_ARCH_* | |
54 | constant, the returned token matches the name of the architecture | |
55 | passed as an argument to the function. | |
56 | .P | |
57 | When a seccomp filter is initialized with the call to | |
58 | .BR seccomp_init (3) | |
59 | the native architecture is automatically added to the filter. | |
60 | .P | |
61 | While it is possible to remove all architectures from a filter, most of the | |
62 | libseccomp APIs will fail if the filter does not contain at least one | |
63 | architecture. | |
64 | .P | |
65 | When adding a new architecture to an existing filter, the existing rules will | |
66 | not be added to the new architecture, which until rules are added is covered only by the filter's default action. However, rules added after adding the | |
67 | new architecture will be added to all of the architectures in the filter. Callers that want the same rules on every architecture should therefore settle the set of architectures before adding any rules, or re-add the rules after the new architecture is present. | |
68 | .\" ////////////////////////////////////////////////////////////////////////// | |
69 | .SH RETURN VALUE | |
70 | .\" ////////////////////////////////////////////////////////////////////////// | |
71 | The | |
72 | .BR seccomp_arch_add () | |
73 | and | |
74 | .BR seccomp_arch_remove () | |
75 | functions return zero on success, negative errno values on failure. The | |
76 | .BR seccomp_arch_exist () | |
77 | function returns zero if the architecture is present in the filter, \-EEXIST if it is not present, and | |
78 | other negative errno values on failure; callers must therefore distinguish \-EEXIST (simply absent) from any other negative value (a genuine error) rather than treating every non-zero result as a failure. | |
79 | .\" ////////////////////////////////////////////////////////////////////////// | |
80 | .SH EXAMPLES | |
81 | .\" ////////////////////////////////////////////////////////////////////////// | |
82 | .nf | |
83 | #include <seccomp.h> | |
84 | ||
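int main(int argc, char *argv[])
{
	int rc = \-1;
	scmp_filter_ctx ctx;

	/* seccomp_init() adds only the native architecture; rules are applied to
	 * the architectures present when they are added, so settle the
	 * architecture set here, before any rules go in */
	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		return \-rc;	/* nothing to release yet */

	/* zero means "present", \-EEXIST means "absent", anything else is a
	 * real error and must not be mistaken for "absent" */
	rc = seccomp_arch_exist(ctx, SCMP_ARCH_X86);
	if (rc == \-EEXIST) {
		rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
		if (rc != 0)
			goto out;
		rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
		if (rc != 0)
			goto out;
	} else if (rc != 0) {
		goto out;
	}

	/* NOTE(review): the filter now covers only x86; native syscalls match no
	 * rule in it, so confirm how the generated filter treats them before
	 * loading it */

	/* ... */

out:
	/* rc is zero on every success path above, so the exit status is zero on
	 * success and the positive errno value on failure */
	seccomp_release(ctx);
	return \-rc;
}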
109 | .fi | |
110 | .\" ////////////////////////////////////////////////////////////////////////// | |
111 | .SH NOTES | |
112 | .\" ////////////////////////////////////////////////////////////////////////// | |
113 | .P | |
114 | While the seccomp filter can be generated independent of the kernel, kernel | |
115 | support is required to load and enforce the seccomp filter generated by | |
116 | libseccomp. | |
117 | .P | |
118 | The libseccomp project site, with more information and the source code | |
119 | repository, can be found at https://github.com/seccomp/libseccomp. These | |
120 | functions, as well as the rest of the libseccomp library, are currently under development, please | |
121 | report any bugs at the project site or directly to the author. | |
122 | .\" ////////////////////////////////////////////////////////////////////////// | |
123 | .SH AUTHOR | |
124 | .\" ////////////////////////////////////////////////////////////////////////// | |
125 | Paul Moore <paul@paul-moore.com> | |
126 | .\" ////////////////////////////////////////////////////////////////////////// | |
127 | .SH SEE ALSO | |
128 | .\" ////////////////////////////////////////////////////////////////////////// | |
129 | .BR seccomp_init (3), | |
130 | .BR seccomp_reset (3), | |
131 | .BR seccomp_merge (3)