Provided by: libseccomp-dev_2.5.5-1ubuntu3.1_amd64 
NAME
seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native - Manage seccomp filter
architectures
SYNOPSIS
#include <seccomp.h>
typedef void * scmp_filter_ctx;
#define SCMP_ARCH_NATIVE
#define SCMP_ARCH_X86
#define SCMP_ARCH_X86_64
#define SCMP_ARCH_X32
#define SCMP_ARCH_ARM
#define SCMP_ARCH_AARCH64
#define SCMP_ARCH_MIPS
#define SCMP_ARCH_MIPS64
#define SCMP_ARCH_MIPS64N32
#define SCMP_ARCH_MIPSEL
#define SCMP_ARCH_MIPSEL64
#define SCMP_ARCH_MIPSEL64N32
#define SCMP_ARCH_PPC
#define SCMP_ARCH_PPC64
#define SCMP_ARCH_PPC64LE
#define SCMP_ARCH_S390
#define SCMP_ARCH_S390X
#define SCMP_ARCH_PARISC
#define SCMP_ARCH_PARISC64
#define SCMP_ARCH_RISCV64
uint32_t seccomp_arch_resolve_name(const char *arch_name);
uint32_t seccomp_arch_native();
int seccomp_arch_exist(const scmp_filter_ctx ctx, uint32_t arch_token);
int seccomp_arch_add(scmp_filter_ctx ctx, uint32_t arch_token);
int seccomp_arch_remove(scmp_filter_ctx ctx, uint32_t arch_token);
Link with -lseccomp.
DESCRIPTION
The seccomp_arch_exist() function tests to see if a given architecture has been added to the seccomp
filter in ctx, where the seccomp_arch_add() and seccomp_arch_remove() add and remove, respectively,
architectures from the seccomp filter. In all three functions, the architecture values given in
arch_token should be the SCMP_ARCH_* defined constants; with the SCMP_ARCH_NATIVE constant always
referring to the native compiled architecture. The seccomp_arch_native() function returns the system's
architecture such that it will match one of the SCMP_ARCH_* constants. While the
seccomp_arch_resolve_name() function also returns a SCMP_ARCH_* constant, the returned token matches the
name of the architecture passed as an argument to the function.
When a seccomp filter is initialized with the call to seccomp_init(3) the native architecture is
automatically added to the filter.
While it is possible to remove all architectures from a filter, most of the libseccomp APIs will fail if
the filter does not contain at least one architecture.
When adding a new architecture to an existing filter, the existing rules will not be added to the new
architecture. However, rules added after adding the new architecture will be added to all of the
architectures in the filter.
RETURN VALUE
The seccomp_arch_add(), seccomp_arch_remove(), and seccomp_arch_exist() functions return zero on success
or one of the following error codes on failure:
-EDOM Architecture specific failure.
-EEXIST
In the case of seccomp_arch_add() the architecture already exists and in the case of
seccomp_arch_remove() the architecture does not exist.
-EINVAL
Invalid input, either the context or architecture token is invalid.
-ENOMEM
The library was unable to allocate enough memory.
EXAMPLES
#include <seccomp.h>
int main(int argc, char *argv[])
{
int rc = -1;
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL)
goto out;
if (seccomp_arch_exist(ctx, SCMP_ARCH_X86) == -EEXIST) {
rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
if (rc != 0)
goto out_all;
rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
if (rc != 0)
goto out_all;
}
/* ... */
out:
seccomp_release(ctx);
return -rc;
}
NOTES
While the seccomp filter can be generated independent of the kernel, kernel support is required to load
and enforce the seccomp filter generated by libseccomp.
The libseccomp project site, with more information and the source code repository, can be found at
https://github.com/seccomp/libseccomp. This tool, as well as the libseccomp library, is currently under
development, please report any bugs at the project site or directly to the author.
AUTHOR
Paul Moore <paul@paul-moore.com>
SEE ALSO
seccomp_init(3), seccomp_reset(3), seccomp_merge(3)