author | Vitaly Vi Shukela <vi0oss@gmail.com> | 2013-03-26 10:58:31 -0400 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2013-03-26 14:09:38 -0400 |
commit | ff207702dce7a3191e1509870f887bdd1f84b118 (patch) | |
tree | 679c29a5e3e98f7bf37a2f1171a92ca0925be3ff | |
parent | 10e75c277a14ce7ea4f03ba13042a915f1439060 (diff) | |
doc: document seccomp_rule_add_array*
Signed-off-by: Vitaly Vi Shukela <vi0oss@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r-- | doc/man/man3/seccomp_rule_add.3 | 47 | ||||
-rw-r--r-- | doc/man/man3/seccomp_rule_add_array.3 | 1 | ||||
-rw-r--r-- | doc/man/man3/seccomp_rule_add_exact_array.3 | 1 |
3 files changed, 36 insertions, 13 deletions
diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
index eeb61dc..98878fb 100644
--- a/doc/man/man3/seccomp_rule_add.3
+++ b/doc/man/man3/seccomp_rule_add.3
@@ -27,6 +27,15 @@ seccomp_rule_add, seccomp_rule_add_exact \- Add a seccomp filter rule
 .BI "int seccomp_rule_add_exact(scmp_filter_ctx " ctx ", uint32_t " action ","
 .BI " int " syscall ", unsigned int " arg_cnt ", " ... ");"
 .sp
+.BI "int seccomp_rule_add_array(scmp_filter_ctx " ctx ","
+.BI " uint32_t " action ", int " syscall ","
+.BI " unsigned int " arg_cnt ","
+.BI " const struct scmp_arg_cmp *"arg_array ");"
+.BI "int seccomp_rule_add_exact_array(scmp_filter_ctx " ctx ","
+.BI " uint32_t " action ", int " syscall ","
+.BI " unsigned int " arg_cnt ","
+.BI " const struct scmp_arg_cmp *"arg_array ");"
+.sp
 Link with \fI\-lseccomp\fP.
 .fi
 .\" //////////////////////////////////////////////////////////////////////////
@@ -34,20 +43,28 @@ Link with \fI\-lseccomp\fP. .\" ////////////////////////////////////////////////////////////////////////// .P The -.BR seccomp_rule_add () +.BR seccomp_rule_add (), +.BR seccomp_rule_add_array (), +.BR seccomp_rule_add_exact (), and -.BR seccomp_rule_add_exact () -functions add a new filter rule to the current seccomp filter. The +.BR seccomp_rule_add_exact_array () +functions all add a new filter rule to the current seccomp filter. The .BR seccomp_rule_add () -function will make a "best effort" to add the rule as specified, but may alter +and +.BR seccomp_rule_add_array () +functions will make a "best effort" to add the rule as specified, but may alter the rule slightly due to architecture specifics, e.g. socket and ipc functions on x86. The .BR seccomp_rule_add_exact () -function will attempt to add the rule exactly as specified so it may behave +and +.BR seccomp_rule_add_exact_array () +functions will attempt to add the rule exactly as specified so it may behave differently on different architectures. While it does not guarantee a exact filter ruleset, .BR seccomp_rule_add () -does guarantee the same behavior regardless of the architecture. +and +.BR seccomp_rule_add_array () +do guarantee the same behavior regardless of the architecture. .P The newly added filter rule does not take effect until the entire filter is loaded into the kernel using @@ -57,11 +74,7 @@ The .BR SCMP_CMP () and .BR SCMP_A{0-5} () -macros generate a scmp_arg_cmp structure for use in -.BR seccomp_rule_add () -and -.BR seccomp_rule_add_exact (). -The +macros generate a scmp_arg_cmp structure for use with the above functions. The .BR SCMP_CMP () macro allows the caller to specify an arbitrary argument along with the comparison operator, mask, and datum values where the 
@@ -192,9 +205,11 @@ SCMP_CMP( .SH RETURN VALUE .\" ////////////////////////////////////////////////////////////////////////// The -.BR seccomp_rule_add () +.BR seccomp_rule_add (), +.BR seccomp_rule_add_array (), +.BR seccomp_rule_add_exact (), and -.BR seccomp_rule_add_exact () +.BR seccomp_rule_add_exact_array () functions return zero on success, negative errno values on failure. .\" ////////////////////////////////////////////////////////////////////////// .SH EXAMPLES @@ -211,6 +226,7 @@ int main(int argc, char *argv[]) { int rc = \-1; scmp_filter_ctx ctx; + struct scmp_arg_cmp arg_cmp[] = { SCMP_A0(SCMP_CMP_EQ, 2) }; int fd; unsigned char buf[BUF_SIZE]; @@ -240,6 +256,11 @@ int main(int argc, char *argv[]) if (rc < 0) goto out; + rc = seccomp_rule_add_array(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + arg_cmp); + if (rc < 0) + goto out; + rc = seccomp_load(ctx); if (rc < 0) goto out; diff --git a/doc/man/man3/seccomp_rule_add_array.3 b/doc/man/man3/seccomp_rule_add_array.3 new file mode 100644 index 0000000..53714e7 --- /dev/null +++ b/doc/man/man3/seccomp_rule_add_array.3 @@ -0,0 +1 @@ +.so man3/seccomp_rule_add.3 diff --git a/doc/man/man3/seccomp_rule_add_exact_array.3 b/doc/man/man3/seccomp_rule_add_exact_array.3 new file mode 100644 index 0000000..53714e7 --- /dev/null +++ b/doc/man/man3/seccomp_rule_add_exact_array.3 @@ -0,0 +1 @@ +.so man3/seccomp_rule_add.3 |