bionic (3) seccomp_merge.3.gz

Provided by: libseccomp-dev_2.5.1-1ubuntu1~18.04.2_amd64 bug

NAME
       seccomp_merge - Merge two seccomp filters


SYNOPSIS
       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int seccomp_merge(scmp_filter_ctx dst, scmp_filter_ctx src);

       Link with -lseccomp.


DESCRIPTION
       The  seccomp_merge()  function  merges  the  seccomp  filter in src with the filter in dst and stores the
       resulting in the dst filter.  If successful, the src seccomp filter is released and all  internal  memory
       associated  with  the  filter is freed; there is no need to call seccomp_release(3) on src and the caller
       should discard any references to the filter.

       In order to merge two seccomp  filters,  both  filters  must  have  the  same  attribute  values  and  no
       overlapping architectures.


RETURN VALUE
       Returns zero on success or one of the following error codes on failure:

       -EDOM  Unable to merge the filters due to architecture issues, e.g. byte endian mismatches.

       -EEXIST
              The architecture already exists in the filter.

       -EINVAL
              One of the filters is invalid.

       -ENOMEM
              The library was unable to allocate enough memory.


EXAMPLES
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx_32, ctx_64;

            ctx_32 = seccomp_init(SCMP_ACT_KILL);
            if (ctx_32 == NULL)
                 goto out_all;
            ctx_64 = seccomp_init(SCMP_ACT_KILL);
            if (ctx_64 == NULL)
                 goto out_all;

            if (seccomp_arch_exist(ctx_32, SCMP_ARCH_X86) == -EEXIST) {
                 rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86);
                 if (rc != 0)
                      goto out_all;
                 rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE);
                 if (rc != 0)
                      goto out_all;
            }
            if (seccomp_arch_exist(ctx_64, SCMP_ARCH_X86_64) == -EEXIST) {
                 rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64);
                 if (rc != 0)
                      goto out_all;
                 rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE);
                 if (rc != 0)
                      goto out_all;
            }

            /* ... */

            rc = seccomp_merge(ctx_64, ctx_32);
            if (rc != 0)
                 goto out_all;

            /* NOTE: the 'ctx_32' filter is no longer valid at this point */

            /* ... */

       out:
            seccomp_release(ctx_64);
            return -rc;
       out_all:
            seccomp_release(ctx_32);
            goto out;
       }


NOTES
       While  the  seccomp filter can be generated independent of the kernel, kernel support is required to load
       and enforce the seccomp filter generated by libseccomp.

       The libseccomp project site, with more information and the  source  code  repository,  can  be  found  at
       https://github.com/seccomp/libseccomp.   This tool, as well as the libseccomp library, is currently under
       development, please report any bugs at the project site or directly to the author.


AUTHOR
       Paul Moore <paul@paul-moore.com>


SEE ALSO
       seccomp_init(3),  seccomp_reset(3),  seccomp_arch_add(3),  seccomp_arch_remove(3),   seccomp_attr_get(3),
       seccomp_attr_set(3)