Provided by: libseccomp-dev_2.1.1-1ubuntu1~trusty5_amd64

NAME

       seccomp_arch_add,  seccomp_arch_remove,  seccomp_arch_exist,  seccomp_arch_native - Manage
       seccomp filter architectures

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       #define SCMP_ARCH_NATIVE
       #define SCMP_ARCH_X86
       #define SCMP_ARCH_X86_64

       uint32_t seccomp_arch_native();
       int seccomp_arch_exist(const scmp_filter_ctx ctx, uint32_t arch_token);
       int seccomp_arch_add(scmp_filter_ctx ctx, uint32_t arch_token);
       int seccomp_arch_remove(scmp_filter_ctx ctx, uint32_t arch_token);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_arch_exist() function tests whether a given architecture has been added to
       the seccomp filter in ctx, while seccomp_arch_add() and seccomp_arch_remove() add and
       remove, respectively, architectures from the seccomp filter.  In all three functions, the
       architecture values given in arch_token should be the SCMP_ARCH_* defined constants, with
       the SCMP_ARCH_NATIVE constant always referring to the native compiled architecture.  The
       seccomp_arch_native() function returns the system's architecture such that it will match
       one of the SCMP_ARCH_* constants.

       When a seccomp filter is initialized with the call to seccomp_init(3), the native
       architecture is automatically added to the filter.  If you want to remove the native
       architecture from the filter, you first need to add another architecture to the filter, as
       a seccomp filter must contain at least one architecture at all times.  After you have
       added a second architecture to the seccomp filter, you can remove the native architecture.

       When adding a new architecture to an existing filter, the existing rules will not be added
       to  the  new architecture.  However, rules added after adding the new architecture will be
       added to all of the architectures in the filter.

RETURN VALUE

       The seccomp_arch_add() and seccomp_arch_remove() functions return zero on success and
       negative errno values on failure.  The seccomp_arch_exist() function returns zero if the
       architecture exists, -EEXIST if it does not, and other negative errno values on failure.

EXAMPLES

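       #include <errno.h>      /* EEXIST */
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            /* new filter; the native architecture is added automatically */
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* switch the filter to x86 unless x86 is already present */
            if (seccomp_arch_exist(ctx, SCMP_ARCH_X86) == -EEXIST) {
                 rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
                 if (rc != 0)
                      goto out;
                 /* a second architecture exists now, so native can go */
                 rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
                 if (rc != 0)
                      goto out;
            }

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }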

NOTES

       While the seccomp filter can be generated independent of the  kernel,  kernel  support  is
       required to load and enforce the seccomp filter generated by libseccomp.

       The libseccomp project site, with more information and the source code repository, can be
       found at http://libseccomp.sf.net.  This library is currently under development; please
       report any bugs at the project site or directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_init(3), seccomp_reset(3), seccomp_merge(3)