[linux-seccomp.git] / libseccomp / doc / man / man3 / seccomp_arch_add.3

.TH "seccomp_arch_add" 3 "7 May 2014" "paul@paul-moore.com" "libseccomp Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native \- Manage seccomp filter architectures
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.nf
.B #include <seccomp.h>
.sp
.B typedef void * scmp_filter_ctx;
.sp
.B #define SCMP_ARCH_NATIVE
.B #define SCMP_ARCH_X86
.B #define SCMP_ARCH_X86_64
.sp
.BI "uint32_t seccomp_arch_resolve_name(const char *" arch_name ");"
.BI "uint32_t seccomp_arch_native();"
.BI "int seccomp_arch_exist(const scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
.BI "int seccomp_arch_add(scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
.BI "int seccomp_arch_remove(scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The
.BR seccomp_arch_exist ()
function tests to see if a given architecture has been added to the seccomp
filter in
.I ctx
, where the
.BR seccomp_arch_add ()
and
.BR seccomp_arch_remove ()
add and remove, respectively, architectures from the seccomp filter.  In all
three functions, the architecture values given in
.I arch_token
should be the
.BR SCMP_ARCH_*
defined constants; with the
.BR SCMP_ARCH_NATIVE
constant always referring to the native compiled architecture.  The
.BR seccomp_arch_native ()
function returns the system's architecture such that it will match one of the
.BR SCMP_ARCH_*
constants.  While the
.BR seccomp_arch_resolve_name ()
function also returns a
.BR SCMP_ARCH_*
constant, the returned token matches the name of the architecture
passed as an argument to the function.
.P
When a seccomp filter is initialized with the call to
.BR seccomp_init (3)
the native architecture is automatically added to the filter.
.P
While it is possible to remove all architectures from a filter, most of the
libseccomp APIs will fail if the filter does not contain at least one
architecture.
.P
When adding a new architecture to an existing filter, the existing rules will
not be added to the new architecture.  However, rules added after adding the
new architecture will be added to all of the architectures in the filter.
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
The
.BR seccomp_arch_add ()
and
.BR seccomp_arch_remove ()
functions return zero on success, negative errno values on failure.  The
.BR seccomp_arch_exist ()
function returns zero if the architecture exists, \-EEXIST if it does not, and
other negative errno values on failure.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
.\" //////////////////////////////////////////////////////////////////////////
.nf
#include <seccomp.h>

int main(int argc, char *argv[])
{
	int rc = \-1;
	scmp_filter_ctx ctx;

	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		goto out;

	if (seccomp_arch_exist(ctx, SCMP_ARCH_X86) == \-EEXIST) {
		rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
		if (rc != 0)
			goto out_all;
		rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
		if (rc != 0)
			goto out_all;
	}

	/* ... */

out:
	seccomp_release(ctx);
	return \-rc;
}
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
.P
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp.  This tool,
as well as the libseccomp library, is currently under development, please
report any bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH AUTHOR
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.SH SEE ALSO
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_init (3),
.BR seccomp_reset (3),
.BR seccom_merge (3)
Commit	Line	Data
8befd5cc MG	1	.TH "seccomp_arch_add" 3 "7 May 2014" "paul@paul-moore.com" "libseccomp Documentation"
	2	.\" //////////////////////////////////////////////////////////////////////////
	3	.SH NAME
	4	.\" //////////////////////////////////////////////////////////////////////////
	5	seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native \- Manage seccomp filter architectures
	6	.\" //////////////////////////////////////////////////////////////////////////
	7	.SH SYNOPSIS
	8	.\" //////////////////////////////////////////////////////////////////////////
	9	.nf
	10	.B #include <seccomp.h>
	11	.sp
	12	.B typedef void * scmp_filter_ctx;
	13	.sp
	14	.B #define SCMP_ARCH_NATIVE
	15	.B #define SCMP_ARCH_X86
	16	.B #define SCMP_ARCH_X86_64
	17	.sp
	18	.BI "uint32_t seccomp_arch_resolve_name(const char *" arch_name ");"
	19	.BI "uint32_t seccomp_arch_native();"
	20	.BI "int seccomp_arch_exist(const scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
	21	.BI "int seccomp_arch_add(scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
	22	.BI "int seccomp_arch_remove(scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
	23	.sp
	24	Link with \fI\-lseccomp\fP.
	25	.fi
	26	.\" //////////////////////////////////////////////////////////////////////////
	27	.SH DESCRIPTION
	28	.\" //////////////////////////////////////////////////////////////////////////
	29	.P
	30	The
	31	.BR seccomp_arch_exist ()
	32	function tests to see if a given architecture has been added to the seccomp
	33	filter in
	34	.I ctx
	35	, where the
	36	.BR seccomp_arch_add ()
	37	and
	38	.BR seccomp_arch_remove ()
	39	add and remove, respectively, architectures from the seccomp filter. In all
	40	three functions, the architecture values given in
	41	.I arch_token
	42	should be the
	43	.BR SCMP_ARCH_*
	44	defined constants; with the
	45	.BR SCMP_ARCH_NATIVE
	46	constant always referring to the native compiled architecture. The
	47	.BR seccomp_arch_native ()
	48	function returns the system's architecture such that it will match one of the
	49	.BR SCMP_ARCH_*
	50	constants. While the
	51	.BR seccomp_arch_resolve_name ()
	52	function also returns a
	53	.BR SCMP_ARCH_*
	54	constant, the returned token matches the name of the architecture
	55	passed as an argument to the function.
	56	.P
	57	When a seccomp filter is initialized with the call to
	58	.BR seccomp_init (3)
	59	the native architecture is automatically added to the filter.
	60	.P
	61	While it is possible to remove all architectures from a filter, most of the
	62	libseccomp APIs will fail if the filter does not contain at least one
	63	architecture.
	64	.P
65	When adding a new architecture to an existing filter, the existing rules will
66	not be added to the new architecture. However, rules added after adding the
67	new architecture will be added to all of the architectures in the filter.
68	.\" //////////////////////////////////////////////////////////////////////////
69	.SH RETURN VALUE
70	.\" //////////////////////////////////////////////////////////////////////////
71	The
72	.BR seccomp_arch_add ()
73	and
74	.BR seccomp_arch_remove ()
75	functions return zero on success, negative errno values on failure. The
76	.BR seccomp_arch_exist ()
77	function returns zero if the architecture exists, \-EEXIST if it does not, and
78	other negative errno values on failure.
79	.\" //////////////////////////////////////////////////////////////////////////
80	.SH EXAMPLES
81	.\" //////////////////////////////////////////////////////////////////////////
82	.nf
83	#include <seccomp.h>
84
85	int main(int argc, char *argv[])
86	{
87	int rc = \-1;
88	scmp_filter_ctx ctx;
89
90	ctx = seccomp_init(SCMP_ACT_KILL);
91	if (ctx == NULL)
92	goto out;
93
94	if (seccomp_arch_exist(ctx, SCMP_ARCH_X86) == \-EEXIST) {
95	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
96	if (rc != 0)
97	goto out_all;
98	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
99	if (rc != 0)
100	goto out_all;
101	}
102
103	/* ... */
104
105	out:
106	seccomp_release(ctx);
107	return \-rc;
108	}
109	.fi
110	.\" //////////////////////////////////////////////////////////////////////////
111	.SH NOTES
112	.\" //////////////////////////////////////////////////////////////////////////
113	.P
114	While the seccomp filter can be generated independent of the kernel, kernel
115	support is required to load and enforce the seccomp filter generated by
116	libseccomp.
117	.P
118	The libseccomp project site, with more information and the source code
119	repository, can be found at https://github.com/seccomp/libseccomp. This tool,
120	as well as the libseccomp library, is currently under development, please
121	report any bugs at the project site or directly to the author.
122	.\" //////////////////////////////////////////////////////////////////////////
123	.SH AUTHOR
124	.\" //////////////////////////////////////////////////////////////////////////
125	Paul Moore <paul@paul-moore.com>
126	.\" //////////////////////////////////////////////////////////////////////////
127	.SH SEE ALSO
128	.\" //////////////////////////////////////////////////////////////////////////
129	.BR seccomp_init (3),
130	.BR seccomp_reset (3),
131	.BR seccom_merge (3)