seccomp_export_bpf
Section: libseccomp Documentation (3)
Updated: 30 May 2020
Index
Return to Main Contents
NAME
seccomp_export_bpf, seccomp_export_pfc - Export the seccomp filter
SYNOPSIS
#include <seccomp.h>
typedef void * scmp_filter_ctx;
int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);
int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf, size_t *len);
Link with -lseccomp.
DESCRIPTION
The
seccomp_export_bpf()
and
seccomp_export_pfc()
functions generate and output the current seccomp filter in either BPF (Berkeley
Packet Filter) or PFC (Pseudo Filter Code). The output of
seccomp_export_bpf()
is suitable for loading into the kernel, while the output of
seccomp_export_pfc()
is human readable and is intended primarily as a debugging tool for developers
using libseccomp. Both functions write the filter to the
fd
file descriptor.
The filter context
ctx
is the value returned by the call to
seccomp_init(3).
While the two output formats are guaranteed to be functionally equivalent for
the given seccomp filter configuration, the filter instructions, and their
ordering, are not guaranteed to be the same in both the BPF and PFC formats.
The
seccomp_export_bpf_mem()
function is largely the same as
seccomp_export_bpf(),
but instead of writing to a file descriptor, the program will be written to the
buf
pointer provided by the caller. The
len
argument must be initialized with the size of the
buf
buffer. If the program was valid,
len
will be updated with its size in bytes. If
buf
was too small to hold the program,
len
can be consulted to determine the required size. Passing a NULL
buf
may also be used to query the required size ahead of time.
RETURN VALUE
Return zero on success or one of the following error codes on
failure:
- -ECANCELED
-
There was a system failure beyond the control of the library.
- -EFAULT
-
Internal libseccomp failure.
- -EINVAL
-
Invalid input, either the context or architecture token is invalid.
- -ENOMEM
-
The library was unable to allocate enough memory.
- -ERANGE
-
The provided buffer was too small.
If the SCMP_FLTATR_API_SYSRAWRC filter attribute is no-zero then
additional error codes may be returned to the caller; these additional error
codes are the negative errno values returned by the system. Unfortunately
libseccomp can make no guarantees about these return values.
EXAMPLES
#include <seccomp.h>
int main(int argc, char *argv[])
{
int rc = -1;
scmp_filter_ctx ctx;
int filter_fd;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL)
goto out;
/* ... */
filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);
if (filter_fd == -1) {
rc = -errno;
goto out;
}
rc = seccomp_export_bpf(ctx, filter_fd);
if (rc < 0) {
close(filter_fd);
goto out;
}
close(filter_fd);
/* ... */
out:
seccomp_release(ctx);
return -rc;
}
NOTES
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
The libseccomp project site, with more information and the source code
repository, can be found at
https://github.com/seccomp/libseccomp. This tool,
as well as the libseccomp library, is currently under development, please
report any bugs at the project site or directly to the author.
AUTHOR
Paul Moore <
paul@pau-moore.com>
SEE ALSO
seccomp_init(3),
seccomp_release(3)
Index
- NAME
-
- SYNOPSIS
-
- DESCRIPTION
-
- RETURN VALUE
-
- EXAMPLES
-
- NOTES
-
- AUTHOR
-
- SEE ALSO
-
|
|
- Running on 
-
:
