Provided by: libseccomp-dev_2.2.3-3ubuntu3_i386 bug

NAME

       seccomp_export_bpf, seccomp_export_pfc - Export the seccomp filter

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
       int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);

       Link with -lseccomp.

DESCRIPTION

       The  seccomp_export_bpf()  and  seccomp_export_pfc() functions generate
       and output the current seccomp filter in  either  BPF  (Berkley  Packet
       Filter)    or    PFC    (Pseudo    Filter   Code).    The   output   of
       seccomp_export_bpf() is suitable for loading into the kernel, while the
       output  of  seccomp_export_pfc()  is  human  readable  and  is intended
       primarily as a debugging tool for developers  using  libseccomp.   Both
       functions write the filter to the fd file descriptor.

       The   filter  context  ctx  is  the  value  returned  by  the  call  to
       seccomp_init(3).

       While  the  two  output  formats  are  guaranteed  to  be  functionally
       equivalent  for  the  given  seccomp  filter  configuration, the filter
       instructions, and their ordering, are not guaranteed to be the same  in
       both the BPF and PFC formats.

RETURN VALUE

       Returns zero on success, negative errno values on failure.

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;
            int filter_fd;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);
            if (filter_fd == -1) {
                 rc = -errno;
                 goto out;
            }

            rc = seccomp_export_bpf(ctx, filter_fd);
            if (rc < 0) {
                 close(filter_fd);
                 goto out;
            }
            close(filter_fd);

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES

       While  the  seccomp  filter can be generated independent of the kernel,
       kernel support is required to  load  and  enforce  the  seccomp  filter
       generated by libseccomp.

       The  libseccomp project site, with more information and the source code
       repository,  can  be  found  at  https://github.com/seccomp/libseccomp.
       This  tool,  as  well  as  the  libseccomp  library, is currently under
       development, please report any bugs at the project site or directly  to
       the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_init(3), seccomp_release(3)