Diffstat (limited to 'doc/man/man3/seccomp_merge.3')
-rw-r--r--doc/man/man3/seccomp_merge.3136
1 files changed, 136 insertions, 0 deletions
diff --git a/doc/man/man3/seccomp_merge.3 b/doc/man/man3/seccomp_merge.3
new file mode 100644
index 0000000..10b3c3f
--- /dev/null
+++ b/doc/man/man3/seccomp_merge.3
@@ -0,0 +1,136 @@
+.TH "seccomp_merge" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NAME
+.\" //////////////////////////////////////////////////////////////////////////
+seccomp_merge \- Merge two seccomp filters
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SYNOPSIS
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+.B #include <seccomp.h>
+.sp
+.B typedef void * scmp_filter_ctx;
+.sp
+.BI "int seccomp_merge(scmp_filter_ctx " dst ", scmp_filter_ctx " src ");"
+.sp
+Link with \fI\-lseccomp\fP.
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH DESCRIPTION
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The
+.BR seccomp_merge ()
+function merges the seccomp filter in
+.I src
+with the filter in
+.I dst
+and stores the resulting in the
+.I dst
+filter. If successful, the
+.I src
+seccomp filter is released and all internal memory associated with the filter
+is freed; there is no need to call
+.BR seccomp_release (3)
+on
+.I src
+and the caller should discard any references to the filter.
+.P
+In order to merge two seccomp filters, both filters must have the same
+attribute values and no overlapping architectures.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH RETURN VALUE
+.\" //////////////////////////////////////////////////////////////////////////
+Returns zero on success or one of the following error codes on
+failure:
+.TP
+.B -EDOM
+Unable to merge the filters due to architecture issues, e.g. byte endian
+mismatches.
+.TP
+.B -EEXIST
+The architecture already exists in the filter.
+.TP
+.B -EINVAL
+One of the filters is invalid.
+.TP
+.B -ENOMEM
+The library was unable to allocate enough memory.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH EXAMPLES
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+ int rc = \-1;
+ scmp_filter_ctx ctx_32, ctx_64;
+
+ ctx_32 = seccomp_init(SCMP_ACT_KILL);
+ if (ctx_32 == NULL)
+ goto out_all;
+ ctx_64 = seccomp_init(SCMP_ACT_KILL);
+ if (ctx_64 == NULL)
+ goto out_all;
+
+ if (seccomp_arch_exist(ctx_32, SCMP_ARCH_X86) == \-EEXIST) {
+ rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out_all;
+ rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out_all;
+ }
+ if (seccomp_arch_exist(ctx_64, SCMP_ARCH_X86_64) == \-EEXIST) {
+ rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out_all;
+ rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out_all;
+ }
+
+ /* ... */
+
+ rc = seccomp_merge(ctx_64, ctx_32);
+ if (rc != 0)
+ goto out_all;
+
+ /* NOTE: the 'ctx_32' filter is no longer valid at this point */
+
+ /* ... */
+
+out:
+ seccomp_release(ctx_64);
+ return \-rc;
+out_all:
+ seccomp_release(ctx_32);
+ goto out;
+}
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NOTES
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+While the seccomp filter can be generated independent of the kernel, kernel
+support is required to load and enforce the seccomp filter generated by
+libseccomp.
+.P
+The libseccomp project site, with more information and the source code
+repository, can be found at https://github.com/seccomp/libseccomp. This tool,
+as well as the libseccomp library, is currently under development, please
+report any bugs at the project site or directly to the author.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH AUTHOR
+.\" //////////////////////////////////////////////////////////////////////////
+Paul Moore <paul@paul-moore.com>
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SEE ALSO
+.\" //////////////////////////////////////////////////////////////////////////
+.BR seccomp_init (3),
+.BR seccomp_reset (3),
+.BR seccomp_arch_add (3),
+.BR seccomp_arch_remove (3),
+.BR seccomp_attr_get (3),
+.BR seccomp_attr_set (3)
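Review bot: In the EXAMPLES program `ctx_64` is still uninitialized when the first `seccomp_init()` fails, yet `goto out_all` continues to `out:` and passes that indeterminate pointer to `seccomp_release()`. Initialising both handles at declaration, `scmp_filter_ctx ctx_32 = NULL, ctx_64 = NULL;`, keeps both cleanup labels valid on every path; this assumes `seccomp_release()` tolerates NULL, which the example already relies on for `ctx_32` on the same path. The comment after the successful merge could also be backed by `ctx_32 = NULL;`, since any later `goto out_all` in the elided code would release the source filter that `seccomp_merge()` has already freed. Man page examples tend to be copied verbatim into sandbox setup code, so the cleanup paths are worth getting exact.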