Signed-off-by: Paul Moore <[email protected]>
---
 doc/Makefile                       |    5 +
 doc/man/man3/seccomp_arch_add.3    |  120 +++++++++++++++++++++++++++++++++++
 doc/man/man3/seccomp_arch_exist.3  |    1 
 doc/man/man3/seccomp_arch_remove.3 |    1 
 doc/man/man3/seccomp_merge.3       |  122 ++++++++++++++++++++++++++++++++++++
 5 files changed, 248 insertions(+), 1 deletion(-)
 create mode 100644 doc/man/man3/seccomp_arch_add.3
 create mode 100644 doc/man/man3/seccomp_arch_exist.3
 create mode 100644 doc/man/man3/seccomp_arch_remove.3
 create mode 100644 doc/man/man3/seccomp_merge.3

diff --git a/doc/Makefile b/doc/Makefile
index 0869c8e..348a04b 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -45,7 +45,10 @@ MAN3 = \
        man/man3/seccomp_export_bpf.3 \
        man/man3/seccomp_export_pfc.3 \
        man/man3/seccomp_attr_set.3 \
-       man/man3/seccomp_attr_get.3
+       man/man3/seccomp_attr_get.3 \
+       man/man3/seccomp_arch_add.3 \
+       man/man3/seccomp_arch_remove.3 \
+       man/man3/seccomp_merge.3
 
 #
 # targets
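Review bot: `seccomp_arch_exist.3` is missing from the MAN3 additions, although this same patch creates it as a `.so` stub next to `seccomp_arch_remove.3`. If installation is driven by MAN3 (the list starts above this hunk and the install rule is not visible here), `man seccomp_arch_exist` will not resolve on an installed system. Add `man/man3/seccomp_arch_exist.3 \` alongside the other two arch entries.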
diff --git a/doc/man/man3/seccomp_arch_add.3 b/doc/man/man3/seccomp_arch_add.3
new file mode 100644
index 0000000..7315e9c
--- /dev/null
+++ b/doc/man/man3/seccomp_arch_add.3
@@ -0,0 +1,120 @@
+.TH "seccomp_arch_add" 3 "28 September 2012" "[email protected]" "libseccomp 
Documentation"
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NAME
+.\" //////////////////////////////////////////////////////////////////////////
+seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist \- Manage seccomp 
filter architectures
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SYNOPSIS
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+.B #include <seccomp.h>
+.sp
+.B typedef void * scmp_filter_ctx;
+.sp
+.B #define SCMP_ARCH_NATIVE
+.B #define SCMP_ARCH_X86
+.B #define SCMP_ARCH_X86_64
+.sp
+.BI "int seccomp_arch_exist(const scmp_filter_ctx " ctx ", uint32_t " 
arch_token ");"
+.BI "int seccomp_arch_add(scmp_filter_ctx " ctx ", uint32_t " arch_token ");"
+.BI "int seccomp_arch_remove(scmp_filter_ctx " ctx ", uint32_t " arch_token 
");"
+.sp
+Link with \fI\-lseccomp\fP.
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH DESCRIPTION
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The
+.BR seccomp_arch_exist ()
+function tests to see if a given architecture has been added to the seccomp
+filter in
+.I ctx
+, where the
+.BR seccomp_arch_add ()
+and
+.BR seccomp_arch_remove ()
+add and remove, respectively, architectures from the seccomp filter.  In all
+three functions, the architecture values given in
+.I arch_token
+should be the
+.BR SCMP_ARCH_*
+defined constants; with the
+.BR SCMP_ARCH_NATIVE
+constant always referring to the native compiled architecture.
+.P
+When a seccomp filter is initialized with the call to
+.BR seccomp_init (3)
+the native architecture is automatically added to the filter.  If you want to
+remove the native architecture from the filter, you first need to add another
+architecture to the filter as a seccomp filter must contain at least one
+architecture at all times.  After you have added a second architecture to the
+seccomp filter, you can remove the native architecture.
+.P
+When adding a new architecture to an existing filter, the existing rules will
+not be added to the new architecture.  However, rules added after adding the
+new architecture will be added to all of the architectures in the filter.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH RETURN VALUE
+.\" //////////////////////////////////////////////////////////////////////////
+The
+.BR seccomp_arch_add ()
+and
+.BR seccomp_arch_remove ()
+functions return zero on success, negative errno values on failure.  The
+.BR seccomp_arch_exist ()
+function returns zero if the architecture exists, -EEXIST if it does not, and
+other negative errno values on failure.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH EXAMPLES
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+       int rc = -1;
+       scmp_filter_ctx ctx;
+
+       ctx = seccomp_init(SCMP_ACT_KILL);
+       if (ctx == NULL)
+               goto out;
+
+       if (seccomp_arch_exist(ctx, SCMP_ARCH_X86) == -EEXIST) {
+               rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+               if (rc != 0)
+                       goto out_all;
+               rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+               if (rc != 0)
+                       goto out_all;
+       }
+
+       /* ... */
+
+out:
+       seccomp_release(ctx);
+       return -rc;
+}
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NOTES
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+While the seccomp filter can be generated independent of the kernel, kernel
+support is required to load and enforce the seccomp filter generated by
+libseccomp.
+.P
+The libseccomp project site, with more information and the source code
+repository, can be found at http://libseccomp.sf.net.  This library is 
currently
+under development, please report any bugs at the project site or directly to
+the author.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH AUTHOR
+.\" //////////////////////////////////////////////////////////////////////////
+Paul Moore <[email protected]>
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SEE ALSO
+.\" //////////////////////////////////////////////////////////////////////////
+.BR seccomp_init (3),
+.BR seccomp_reset (3),
+.BR seccom_merge (3)
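Review bot: The EXAMPLES program jumps to `out_all` twice but only defines `out:`, so it does not compile as written; both jumps should be `goto out;`. It also compares against `-EEXIST` while including only `<seccomp.h>`; unless that header pulls in the errno definitions (not visible here), the example needs `#include <errno.h>`. Sandbox setup code is routinely copied from man pages, so the example should build cleanly and show the error path that releases the filter. The SEE ALSO entry `seccom_merge (3)` is misspelled and should read `seccomp_merge (3)`.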
diff --git a/doc/man/man3/seccomp_arch_exist.3 
b/doc/man/man3/seccomp_arch_exist.3
new file mode 100644
index 0000000..f72602b
--- /dev/null
+++ b/doc/man/man3/seccomp_arch_exist.3
@@ -0,0 +1 @@
+.so man3/seccomp_arch_add.3
diff --git a/doc/man/man3/seccomp_arch_remove.3 
b/doc/man/man3/seccomp_arch_remove.3
new file mode 100644
index 0000000..f72602b
--- /dev/null
+++ b/doc/man/man3/seccomp_arch_remove.3
@@ -0,0 +1 @@
+.so man3/seccomp_arch_add.3
diff --git a/doc/man/man3/seccomp_merge.3 b/doc/man/man3/seccomp_merge.3
new file mode 100644
index 0000000..b84d9ad
--- /dev/null
+++ b/doc/man/man3/seccomp_merge.3
@@ -0,0 +1,122 @@
+.TH "seccomp_merge" 3 "28 September 2012" "[email protected]" "libseccomp 
Documentation"
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NAME
+.\" //////////////////////////////////////////////////////////////////////////
+seccomp_merge \- Merge two seccomp filters
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SYNOPSIS
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+.B #include <seccomp.h>
+.sp
+.B typedef void * scmp_filter_ctx;
+.sp
+.BI "int seccomp_merge(scmp_filter_ctx " dst ", scmp_filter_ctx " src ");"
+.sp
+Link with \fI\-lseccomp\fP.
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH DESCRIPTION
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+The
+.BR seccomp_merge ()
+function merges the seccomp filter in
+.I src
+with the filter in
+.I dst
+and stores the resulting in the
+.I dst
+filter.  If successfull, the
+.I src
+seccomp filter is released and all internal memory assocated with the filter
+is freed; there is no need to call
+.BR seccomp_release (3)
+on
+.I src
+and the caller should discard any references to the filter.
+.P
+In order to merge two seccomp filters, both filters must have the same
+attribute values and no overlapping architectures.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH RETURN VALUE
+.\" //////////////////////////////////////////////////////////////////////////
+Returns zero on success and negative values on failure.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH EXAMPLES
+.\" //////////////////////////////////////////////////////////////////////////
+.nf
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+       int rc = -1;
+       scmp_filter_ctx ctx_32, ctx_64;
+
+       ctx_32 = seccomp_init(SCMP_ACT_KILL);
+       if (ctx_32 == NULL)
+               goto out_all;
+       ctx_64 = seccomp_init(SCMP_ACT_KILL);
+       if (ctx_64 == NULL)
+               goto out_all;
+
+       if (seccomp_arch_exist(ctx_32, SCMP_ARCH_X86) == -EEXIST) {
+               rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86);
+               if (rc != 0)
+                       goto out_all;
+               rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE);
+               if (rc != 0)
+                       goto out_all;
+       }
+       if (seccomp_arch_exist(ctx_64, SCMP_ARCH_X86_64) == -EEXIST) {
+               rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64);
+               if (rc != 0)
+                       goto out_all;
+               rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE);
+               if (rc != 0)
+                       goto out_all;
+       }
+
+       /* ... */
+
+       rc = seccomp_merge(ctx_64, ctx_32);
+       if (rc != 0)
+               goto out_all;
+
+       /* NOTE: the 'ctx_32' filter is no longer valid at this point */
+
+       /* ... */
+
+out:
+       seccomp_release(ctx_64);
+       return -rc;
+out_all:
+       seccomp_release(ctx_32);
+       goto out;
+}
+.fi
+.\" //////////////////////////////////////////////////////////////////////////
+.SH NOTES
+.\" //////////////////////////////////////////////////////////////////////////
+.P
+While the seccomp filter can be generated independent of the kernel, kernel
+support is required to load and enforce the seccomp filter generated by
+libseccomp.
+.P
+The libseccomp project site, with more information and the source code
+repository, can be found at http://libseccomp.sf.net.  This library is 
currently
+under development, please report any bugs at the project site or directly to
+the author.
+.\" //////////////////////////////////////////////////////////////////////////
+.SH AUTHOR
+.\" //////////////////////////////////////////////////////////////////////////
+Paul Moore <[email protected]>
+.\" //////////////////////////////////////////////////////////////////////////
+.SH SEE ALSO
+.\" //////////////////////////////////////////////////////////////////////////
+.BR seccomp_init (3),
+.BR seccomp_reset (3),
+.BR seccomp_arch_add (3),
+.BR seccomp_arch_remove (3),
+.BR seccomp_attr_get (3),
+.BR seccomp_attr_set (3)
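Review bot: In the EXAMPLES program, a failure of the first `seccomp_init()` goes to `out_all` and then `out`, which calls `seccomp_release(ctx_64)` on a pointer that was never assigned. Declaring `scmp_filter_ctx ctx_32 = NULL, ctx_64 = NULL;` removes the uninitialized read, but it relies on `seccomp_release()` accepting NULL, which the page does not state, so either document that or guard the calls. The DESCRIPTION says `src` is already released after a successful `seccomp_merge()`, yet error handling added in the trailing `/* ... */` that follows the example's own `goto out_all` pattern would release `ctx_32` a second time; setting `ctx_32 = NULL;` right after the merge, or a comment saying to use `goto out` from that point, would prevent it. RETURN VALUE should also say whether `src` remains valid and caller-owned when the merge fails, since that decides who must release it.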

