author | Paul Moore <pmoore@redhat.com> | 2012-04-16 10:44:11 -0400 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2012-04-16 10:44:11 -0400 |
commit | 68996ba6cc380f82bee4193b7995b797239b888e (patch) | |
tree | 73b52fb642b5ed8f6ef60ad98a6529da1a4be493 /doc | |
parent | b17c7c9315be376b3cbc8b5dc3e03e55249439e7 (diff) | |
download | libseccomp-68996ba6cc380f82bee4193b7995b797239b888e.tar.gz |
doc: manpages for seccomp_attr_{get,set}()
Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/Makefile | 4 | ||||
-rw-r--r-- | doc/man/man3/seccomp_attr_get.3 | 1 | ||||
-rw-r--r-- | doc/man/man3/seccomp_attr_set.3 | 110 |
3 files changed, 114 insertions, 1 deletions
diff --git a/doc/Makefile b/doc/Makefile
index 468b971..e164d77 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -42,7 +42,9 @@ MAN3 = \
 man/man3/seccomp_rule_add_exact.3 \
 man/man3/seccomp_syscall_priority.3 \
 man/man3/seccomp_gen_bpf.3 \
- man/man3/seccomp_gen_pfc.3
+ man/man3/seccomp_gen_pfc.3 \
+ man/man3/seccomp_attr_set.3 \
+ man/man3/seccomp_attr_get.3
 
 #
 # targets
diff --git a/doc/man/man3/seccomp_attr_get.3 b/doc/man/man3/seccomp_attr_get.3
new file mode 100644
index 0000000..c1e85be
--- /dev/null
+++ b/doc/man/man3/seccomp_attr_get.3
@@ -0,0 +1 @@
+.so man3/seccomp_attr_set.3
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3
new file mode 100644
index 0000000..0f2898c
--- /dev/null
+++ b/doc/man/man3/seccomp_attr_set.3
@@ -0,0 +1,110 @@
+.TH "seccomp_attr_set" 3 "16 April 2012" "paul@paul-moore.com" "libseccomp Documentation"
+.//////////////////////////////////////////////////////////////////////////////
+.SH NAME
+.//////////////////////////////////////////////////////////////////////////////
+seccomp_attr_set, seccomp_attr_get \- Manage the seccomp filter attributes
+.//////////////////////////////////////////////////////////////////////////////
+.SH SYNOPSIS
+.//////////////////////////////////////////////////////////////////////////////
+.nf
+.B #include <seccomp.h>
+.sp
+.B enum scmp_filter_attr;
+.sp
+.BI "int seccomp_attr_set(enum scmp_filter_attr " attr ", uint32_t " value ");"
+.BI "int seccomp_attr_get(enum scmp_filter_attr " attr ", uint32_t " value ");"
+.fi
+.//////////////////////////////////////////////////////////////////////////////
+.SH DESCRIPTION
+.//////////////////////////////////////////////////////////////////////////////
+.P
+The
+.BR seccomp_attr_set ()
+function sets the different seccomp filter attributes while the
+.BR seccomp_attr_get ()
+function fetches the filter attributes. The seccomp filter attributes are
+tunable values that affect how the library behaves when generating and loading
+the seccomp filter into the kernel. The attributes are reset to their default
+values whenever the filter is initialized or reset via
+.BR seccomp_filter_init ()
+or
+.BR seccomp_filter_reset ().
+.P
+Valid
+.I attr
+values are as follows:
+.TP
+.B SCMP_FLTATR_ACT_DEFAULT
+The default filter action as specified in the call to
+.BR seccomp_filter_init ()
+or
+.BR seccomp_filter_reset ().
+This attribute is read-only.
+.TP
+.B SCMP_FLTATR_ACT_BADARCH
+The filter action taken when the loaded filter does not match the architecture
+of the executing application. Defaults to the
+.B SCMP_ACT_KILL
+action.
+.TP
+.B SCMP_FLTATR_CTL_NNP
+A flag to specify if the NO_NEW_PRIVS functionality should be enabled before
+loading the seccomp filter into the kernel. If set to off (
+.I value
+== 0) then loading the seccomp filter into the kernel will fail if CAP_SYS_ADMIN
+is not set. Defaults to on (
+.I value
+== 1).
+.//////////////////////////////////////////////////////////////////////////////
+.SH RETURN VALUE
+.//////////////////////////////////////////////////////////////////////////////
+Returns zero on success, negative errno values on failure.
+.//////////////////////////////////////////////////////////////////////////////
+.SH EXAMPLES
+.//////////////////////////////////////////////////////////////////////////////
+.nf
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+ int rc;
+
+ rc = seccomp_init(SCMP_ACT_ALLOW);
+ if (rc < 0)
+ goto out;
+
+ /* ... */
+
+ rc = seccomp_attr_set(SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP);
+ if (rc < 0)
+ goto out;
+
+ /* ... */
+
+out:
+ seccomp_release();
+ return -rc;
+}
+.fi
+.//////////////////////////////////////////////////////////////////////////////
+.SH NOTES
+.//////////////////////////////////////////////////////////////////////////////
+.P
+While the seccomp filter can be generated independent of the kernel, kernel
+support is required to load and enforce the seccomp filter generated by
+libseccomp.
+.P
+The libseccomp project site, with more information and the source code
+repository, can be found at http://libseccomp.sf.net. This library is currently
+under development, please report any bugs at the project site or directly to
+the author.
+.//////////////////////////////////////////////////////////////////////////////
+.SH AUTHOR
+.//////////////////////////////////////////////////////////////////////////////
+Paul Moore <paul@paul-moore.com>
+.//////////////////////////////////////////////////////////////////////////////
+.SH SEE ALSO
+.//////////////////////////////////////////////////////////////////////////////
+.BR seccomp_init (3),
+.BR seccomp_reset (3),
+.BR seccomp_load (3) |