Bundle libseccomp 2.3.1

[linux-seccomp.git] / libseccomp / doc / man / man3 / seccomp_arch_add.3

diff --git a/libseccomp/doc/man/man3/seccomp_arch_add.3 b/libseccomp/doc/man/man3/seccomp_arch_add.3
new file mode 100644 (file)
index 0000000..13d0dc3
--- /dev/null
+++ b/libseccomp/doc/man/man3/seccomp_arch_add.3
@@ -0,0 +1,131 @@
+.TH "seccomp_arch_add" 3 "7 May 2014" "paul@paul-moore.com" "libseccomp Documentation"
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NAME
+.\" //////////////////////////////////////////////////////////////////////////
+seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native \- Manage seccomp filter architectures
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SYNOPSIS
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+.B #include <seccomp.h>
+.sp
+.B typedef void * scmp_filter_ctx;
+.sp
+.B #define SCMP_ARCH_NATIVE
+.B #define SCMP_ARCH_X86
+.B #define SCMP_ARCH_X86_64
+.sp
+.BI "uint32_t seccomp_arch_resolve_name(const char *" arch_name ");"
+.BI "uint32_t seccomp_arch_native();"
+.BI "int seccomp_arch_exist(const scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
+.BI "int seccomp_arch_add(scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
+.BI "int seccomp_arch_remove(scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
+.sp
+Link with \fI\-lseccomp\fP.
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH DESCRIPTION
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The
+.BR seccomp_arch_exist ()
+function tests to see if a given architecture has been added to the seccomp
+filter in
+.I ctx
+, where the
+.BR seccomp_arch_add ()
+and
+.BR seccomp_arch_remove ()
+add and remove, respectively, architectures from the seccomp filter.  In all
+three functions, the architecture values given in
+.I arch_token
+should be the
+.BR SCMP_ARCH_*
+defined constants; with the
+.BR SCMP_ARCH_NATIVE
+constant always referring to the native compiled architecture.  The
+.BR seccomp_arch_native ()
+function returns the system's architecture such that it will match one of the
+.BR SCMP_ARCH_*
+constants.  While the
+.BR seccomp_arch_resolve_name ()
+function also returns a
+.BR SCMP_ARCH_*
+constant, the returned token matches the name of the architecture
+passed as an argument to the function.
+.P
+When a seccomp filter is initialized with the call to
+.BR seccomp_init (3)
+the native architecture is automatically added to the filter.
+.P
+While it is possible to remove all architectures from a filter, most of the
+libseccomp APIs will fail if the filter does not contain at least one
+architecture.
+.P
+When adding a new architecture to an existing filter, the existing rules will
+not be added to the new architecture.  However, rules added after adding the
+new architecture will be added to all of the architectures in the filter.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH RETURN VALUE
+.\" //////////////////////////////////////////////////////////////////////////
+The
+.BR seccomp_arch_add ()
+and
+.BR seccomp_arch_remove ()
+functions return zero on success, negative errno values on failure.  The
+.BR seccomp_arch_exist ()
+function returns zero if the architecture exists, \-EEXIST if it does not, and
+other negative errno values on failure.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH EXAMPLES
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+       int rc = \-1;
+       scmp_filter_ctx ctx;
+
+       ctx = seccomp_init(SCMP_ACT_KILL);
+       if (ctx == NULL)
+               goto out;
+
+       if (seccomp_arch_exist(ctx, SCMP_ARCH_X86) == \-EEXIST) {
+               rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+               if (rc != 0)
+                       goto out_all;
+               rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+               if (rc != 0)
+                       goto out_all;
+       }
+
+       /* ... */
+
+out:
+       seccomp_release(ctx);
+       return \-rc;
+}
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NOTES
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+While the seccomp filter can be generated independent of the kernel, kernel
+support is required to load and enforce the seccomp filter generated by
+libseccomp.
+.P
+The libseccomp project site, with more information and the source code
+repository, can be found at https://github.com/seccomp/libseccomp.  This tool,
+as well as the libseccomp library, is currently under development, please
+report any bugs at the project site or directly to the author.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH AUTHOR
+.\" //////////////////////////////////////////////////////////////////////////
+Paul Moore <paul@paul-moore.com>
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SEE ALSO
+.\" //////////////////////////////////////////////////////////////////////////
+.BR seccomp_init (3),
+.BR seccomp_reset (3),
+.BR seccom_merge (3)