seccomp_export_bpf(3) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | EXAMPLES | NOTES | AUTHOR | SEE ALSO | COLOPHON

seccomp_export_bpf(3)   libseccomp Documentation   seccomp_export_bpf(3)

NAME         top

       seccomp_export_bpf, seccomp_export_pfc - Export the seccomp
       filter

SYNOPSIS         top

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
       int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);
       int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf, size_t *len);

       Link with -lseccomp.

DESCRIPTION         top

       The seccomp_export_bpf() and seccomp_export_pfc() functions
       generate and output the current seccomp filter in either BPF
       (Berkeley Packet Filter) or PFC (Pseudo Filter Code).  The output
       of seccomp_export_bpf() is suitable for loading into the kernel,
       while the output of seccomp_export_pfc() is human readable and is
       intended primarily as a debugging tool for developers using
       libseccomp.  Both functions write the filter to the fd file
       descriptor.

       The filter context ctx is the value returned by the call to
       seccomp_init(3).

       While the two output formats are guaranteed to be functionally
       equivalent for the given seccomp filter configuration, the filter
       instructions, and their ordering, are not guaranteed to be the
       same in both the BPF and PFC formats.

       The seccomp_export_bpf_mem() function is largely the same as
       seccomp_export_bpf(), but instead of writing to a file
       descriptor, the program will be written to the buf pointer
       provided by the caller.  The len argument must be initialized
       with the size of the buf buffer.  If the program was valid, len
       will be updated with its size in bytes.  If buf was too small to
       hold the program, len can be consulted to determine the required
       size.  Passing a NULL buf may also be used to query the required
       size ahead of time.

RETURN VALUE         top

       Return zero on success or one of the following error codes on
       failure:

       -ECANCELED
              There was a system failure beyond the control of the
              library.

       -EFAULT
              Internal libseccomp failure.

       -EINVAL
              Invalid input, either the context or architecture token is
              invalid.

       -ENOMEM
              The library was unable to allocate enough memory.

       -ERANGE
              The provided buffer was too small.

       If the SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then
       additional error codes may be returned to the caller; these
       additional error codes are the negative errno values returned by
       the system.  Unfortunately libseccomp can make no guarantees
       about these return values.

EXAMPLES         top

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;
            int filter_fd;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);
            if (filter_fd == -1) {
                 rc = -errno;
                 goto out;
            }

            rc = seccomp_export_bpf(ctx, filter_fd);
            if (rc < 0) {
                 close(filter_fd);
                 goto out;
            }
            close(filter_fd);

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES         top

       While the seccomp filter can be generated independent of the
       kernel, kernel support is required to load and enforce the
       seccomp filter generated by libseccomp.

       The libseccomp project site, with more information and the source
       code repository, can be found at
       https://github.com/seccomp/libseccomp.  This tool, as well as the
       libseccomp library, is currently under development, please report
       any bugs at the project site or directly to the author.

AUTHOR         top

       Paul Moore <[email protected]>

SEE ALSO         top

       seccomp_init(3), seccomp_release(3)

COLOPHON         top

       This page is part of the libseccomp (high-level API to the Linux
       Kernel's seccomp filter) project.  Information about the project
       can be found at ⟨https://github.com/seccomp/libseccomp⟩.  If you
       have a bug report for this manual page, see
       ⟨https://groups.google.com/d/forum/libseccomp⟩.  This page was
       obtained from the project's upstream Git repository
       ⟨https://github.com/seccomp/libseccomp⟩ on 2024-06-14.  (At that
       time, the date of the most recent commit that was found in the
       repository was 2024-04-18.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       [email protected]

[email protected]            30 May 2020         seccomp_export_bpf(3)

Pages that refer to this page: seccomp(2)