Provided by: libseccomp-dev_2.5.1-1ubuntu1~20.04.2_amd64 bug

NAME

       seccomp_export_bpf, seccomp_export_pfc - Export the seccomp filter

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
       int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);

       Link with -lseccomp.

DESCRIPTION

       The  seccomp_export_bpf()  and  seccomp_export_pfc()  functions  generate  and  output the
       current seccomp filter in either BPF (Berkeley Packet Filter) or PFC (Pseudo Filter Code).
       The  output  of  seccomp_export_bpf()  is  suitable for loading into the kernel, while the
       output of seccomp_export_pfc() is human readable and is intended primarily as a  debugging
       tool  for  developers  using  libseccomp.   Both functions write the filter to the fd file
       descriptor.

       The filter context ctx is the value returned by the call to seccomp_init(3).

       While the two output formats are guaranteed to be functionally equivalent  for  the  given
       seccomp  filter  configuration,  the  filter  instructions,  and  their  ordering, are not
       guaranteed to be the same in both the BPF and PFC formats.

RETURN VALUE

       Return zero on success or one of the following error codes on failure:

       -ECANCELED
              There was a system failure beyond the control of the library.

       -EFAULT
              Internal libseccomp failure.

       -EINVAL
              Invalid input, either the context or architecture token is invalid.

       -ENOMEM
              The library was unable to allocate enough memory.

       If the SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then additional  error  codes
       may  be returned to the caller; these additional error codes are the negative errno values
       returned by the system.  Unfortunately libseccomp  can  make  no  guarantees  about  these
       return values.

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;
            int filter_fd;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            filter_fd = open("/tmp/seccomp_filter.bpf", O_WRONLY);
            if (filter_fd == -1) {
                 rc = -errno;
                 goto out;
            }

            rc = seccomp_export_bpf(ctx, filter_fd);
            if (rc < 0) {
                 close(filter_fd);
                 goto out;
            }
            close(filter_fd);

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES

       While  the  seccomp  filter  can be generated independent of the kernel, kernel support is
       required to load and enforce the seccomp filter generated by libseccomp.

       The libseccomp project site, with more information and the source code repository, can  be
       found  at  https://github.com/seccomp/libseccomp.   This  tool,  as well as the libseccomp
       library, is currently under development, please report any bugs at  the  project  site  or
       directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_init(3), seccomp_release(3)