+++ /dev/null
-.TH "seccomp_init" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
-.\" //////////////////////////////////////////////////////////////////////////
-.SH NAME
-.\" //////////////////////////////////////////////////////////////////////////
-seccomp_init, seccomp_reset \- Initialize the seccomp filter state
-.\" //////////////////////////////////////////////////////////////////////////
-.SH SYNOPSIS
-.\" //////////////////////////////////////////////////////////////////////////
-.nf
-.B #include <seccomp.h>
-.sp
-.B typedef void * scmp_filter_ctx;
-.sp
-.BI "scmp_filter_ctx seccomp_init(uint32_t " def_action ");"
-.BI "int seccomp_reset(scmp_filter_ctx " ctx ", uint32_t " def_action ");"
-.sp
-Link with \fI\-lseccomp\fP.
-.fi
-.\" //////////////////////////////////////////////////////////////////////////
-.SH DESCRIPTION
-.\" //////////////////////////////////////////////////////////////////////////
-.P
-The
-.BR seccomp_init ()
-and
-.BR seccomp_reset ()
-functions (re)initialize the internal seccomp filter state, prepares it for
-use, and sets the default action based on the
-.I def_action
-parameter. The
-.BR seccomp_init ()
-function must be called before any other libseccomp functions as the rest
-of the library API will fail if the filter context is not initialized properly.
-The
-.BR seccomp_reset ()
-function releases the existing filter context state before reinitializing it
-and can only be called after a call to
-.BR seccomp_init ()
-has succeeded.
-.P
-When the caller is finished configuring the seccomp filter and has loaded it
-into the kernel, the caller should call
-.BR seccomp_release (3)
-to release all of the filter context state.
-.P
-Valid
-.I def_action
-values are as follows:
-.TP
-.B SCMP_ACT_KILL
-The thread will be terminated by the kernel with SIGSYS when it calls a syscall
-that does not match any of the configured seccomp filter rules. The thread
-will not be able to catch the signal.
-.TP
-.B SCMP_ACT_TRAP
-The thread will be sent a SIGSYS signal when it calls a syscall that does not
-match any of the configured seccomp filter rules. It may catch this and change
-its behavior accordingly. When using SA_SIGINFO with
-.BR sigaction (2),
-si_code will be set to SYS_SECCOMP, si_syscall will be set to the syscall that
-failed the rules, and si_arch will be set to the AUDIT_ARCH for the active ABI.
-.TP
-.B SCMP_ACT_ERRNO(uint16_t errno)
-The thread will receive a return value of
-.I errno
-when it calls a syscall that does not match any of the configured seccomp filter
-rules.
-.TP
-.B SCMP_ACT_TRACE(uint16_t msg_num)
-If the thread is being traced and the tracing process specified the
-.B PTRACE_O_TRACESECCOMP
-option in the call to
-.BR ptrace (2),
-the tracing process will be notified, via
-.BR PTRACE_EVENT_SECCOMP ,
-and the value provided in
-.I msg_num
-can be retrieved using the
-.B PTRACE_GETEVENTMSG
-option.
-.TP
-.B SCMP_ACT_ALLOW
-The seccomp filter will have no effect on the thread calling the syscall if it
-does not match any of the configured seccomp filter rules.
-.\" //////////////////////////////////////////////////////////////////////////
-.SH RETURN VALUE
-.\" //////////////////////////////////////////////////////////////////////////
-The
-.BR seccomp_init ()
-function returns a filter context on success, NULL on failure. The
-.BR seccomp_reset ()
-function returns zero on success, negative errno values on failure.
-.\" //////////////////////////////////////////////////////////////////////////
-.SH EXAMPLES
-.\" //////////////////////////////////////////////////////////////////////////
-.nf
-#include <seccomp.h>
-
-int main(int argc, char *argv[])
-{
- int rc = \-1;
- scmp_filter_ctx ctx;
-
- ctx = seccomp_init(SCMP_ACT_KILL);
- if (ctx == NULL)
- goto out;
-
- /* ... */
-
- rc = seccomp_reset(ctx, SCMP_ACT_KILL);
- if (rc < 0)
- goto out;
-
- /* ... */
-
-out:
- seccomp_release(ctx);
- return \-rc;
-}
-.fi
-.\" //////////////////////////////////////////////////////////////////////////
-.SH NOTES
-.\" //////////////////////////////////////////////////////////////////////////
-.P
-While the seccomp filter can be generated independent of the kernel, kernel
-support is required to load and enforce the seccomp filter generated by
-libseccomp.
-.P
-The libseccomp project site, with more information and the source code
-repository, can be found at https://github.com/seccomp/libseccomp. This tool,
-as well as the libseccomp library, is currently under development, please
-report any bugs at the project site or directly to the author.
-.\" //////////////////////////////////////////////////////////////////////////
-.SH AUTHOR
-.\" //////////////////////////////////////////////////////////////////////////
-Paul Moore <paul@paul-moore.com>
-.\" //////////////////////////////////////////////////////////////////////////
-.SH SEE ALSO
-.\" //////////////////////////////////////////////////////////////////////////
-.BR seccomp_release (3)
-
projects / linux-seccomp.git / blobdiff