From: Vitaly Vi Shukela <[email protected]>
Signed-off-by: Vitaly Vi Shukela <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
---
doc/man/man3/seccomp_rule_add.3 | 47 ++++++++++++++++++++-------
doc/man/man3/seccomp_rule_add_array.3 | 1 +
doc/man/man3/seccomp_rule_add_exact_array.3 | 1 +
3 files changed, 36 insertions(+), 13 deletions(-)
create mode 100644 doc/man/man3/seccomp_rule_add_array.3
create mode 100644 doc/man/man3/seccomp_rule_add_exact_array.3
diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
index eeb61dc..98878fb 100644
--- a/doc/man/man3/seccomp_rule_add.3
+++ b/doc/man/man3/seccomp_rule_add.3
@@ -27,6 +27,15 @@ seccomp_rule_add, seccomp_rule_add_exact \- Add a seccomp
filter rule
.BI "int seccomp_rule_add_exact(scmp_filter_ctx " ctx ", uint32_t " action ","
.BI " int " syscall ", unsigned int " arg_cnt ", "
... ");"
.sp
+.BI "int seccomp_rule_add_array(scmp_filter_ctx " ctx ","
+.BI " uint32_t " action ", int " syscall ","
+.BI " unsigned int " arg_cnt ","
+.BI " const struct scmp_arg_cmp *"arg_array ");"
+.BI "int seccomp_rule_add_exact_array(scmp_filter_ctx " ctx ","
+.BI " uint32_t " action ", int " syscall ","
+.BI " unsigned int " arg_cnt ","
+.BI " const struct scmp_arg_cmp *"arg_array
");"
+.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
@@ -34,20 +43,28 @@ Link with \fI\-lseccomp\fP.
.\" //////////////////////////////////////////////////////////////////////////
.P
The
-.BR seccomp_rule_add ()
+.BR seccomp_rule_add (),
+.BR seccomp_rule_add_array (),
+.BR seccomp_rule_add_exact (),
and
-.BR seccomp_rule_add_exact ()
-functions add a new filter rule to the current seccomp filter. The
+.BR seccomp_rule_add_exact_array ()
+functions all add a new filter rule to the current seccomp filter. The
.BR seccomp_rule_add ()
-function will make a "best effort" to add the rule as specified, but may alter
+and
+.BR seccomp_rule_add_array ()
+functions will make a "best effort" to add the rule as specified, but may alter
the rule slightly due to architecture specifics, e.g. socket and ipc functions
on x86. The
.BR seccomp_rule_add_exact ()
-function will attempt to add the rule exactly as specified so it may behave
+and
+.BR seccomp_rule_add_exact_array ()
+functions will attempt to add the rule exactly as specified so it may behave
differently on different architectures. While it does not guarantee a exact
filter ruleset,
.BR seccomp_rule_add ()
-does guarantee the same behavior regardless of the architecture.
+and
+.BR seccomp_rule_add_array ()
+do guarantee the same behavior regardless of the architecture.
.P
The newly added filter rule does not take effect until the entire filter is
loaded into the kernel using
@@ -57,11 +74,7 @@ The
.BR SCMP_CMP ()
and
.BR SCMP_A{0-5} ()
-macros generate a scmp_arg_cmp structure for use in
-.BR seccomp_rule_add ()
-and
-.BR seccomp_rule_add_exact ().
-The
+macros generate a scmp_arg_cmp structure for use with the above functions. The
.BR SCMP_CMP ()
macro allows the caller to specify an arbitrary argument along with the
comparison operator, mask, and datum values where the
@@ -192,9 +205,11 @@ SCMP_CMP(
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
The
-.BR seccomp_rule_add ()
+.BR seccomp_rule_add (),
+.BR seccomp_rule_add_array (),
+.BR seccomp_rule_add_exact (),
and
-.BR seccomp_rule_add_exact ()
+.BR seccomp_rule_add_exact_array ()
functions return zero on success, negative errno values on failure.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
@@ -211,6 +226,7 @@ int main(int argc, char *argv[])
{
int rc = \-1;
scmp_filter_ctx ctx;
+ struct scmp_arg_cmp arg_cmp[] = { SCMP_A0(SCMP_CMP_EQ, 2) };
int fd;
unsigned char buf[BUF_SIZE];
@@ -240,6 +256,11 @@ int main(int argc, char *argv[])
if (rc < 0)
goto out;
+ rc = seccomp_rule_add_array(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ arg_cmp);
+ if (rc < 0)
+ goto out;
+
rc = seccomp_load(ctx);
if (rc < 0)
goto out;
diff --git a/doc/man/man3/seccomp_rule_add_array.3
b/doc/man/man3/seccomp_rule_add_array.3
new file mode 100644
index 0000000..53714e7
--- /dev/null
+++ b/doc/man/man3/seccomp_rule_add_array.3
@@ -0,0 +1 @@
+.so man3/seccomp_rule_add.3
diff --git a/doc/man/man3/seccomp_rule_add_exact_array.3
b/doc/man/man3/seccomp_rule_add_exact_array.3
new file mode 100644
index 0000000..53714e7
--- /dev/null
+++ b/doc/man/man3/seccomp_rule_add_exact_array.3
@@ -0,0 +1 @@
+.so man3/seccomp_rule_add.3
------------------------------------------------------------------------------
Own the Future-Intel® Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest.
Compete for recognition, cash, and the chance to get your game
on Steam. $5K grand prize plus 10 genre and skill prizes.
Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
