all: add support for new log filter flag

Extend libseccomp to support SECCOMP_FILTER_FLAG_LOG, which is intended
to cause log events for all actions taken by a filter except for
SCMP_ACT_ALLOW actions. This is done via a new filter attribute called
SCMP_FLTATR_CTL_LOG that is off by default.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

2 files changed, 11 insertions, 0 deletions

diff --git a/doc/man/man3/seccomp_api_get.3 b/doc/man/man3/seccomp_api_get.3
index a209dcc..b6c0453 100644
--- a/doc/man/man3/seccomp_api_get.3
+++ b/doc/man/man3/seccomp_api_get.3
@@ -47,6 +47,9 @@ The SCMP_FLTATR_CTL_TSYNC filter attribute is supported and libseccomp uses
 the
 .BR seccomp(2)
 syscall to load the seccomp filter into the kernel.
+.TP
+.B 3
+The SCMP_FLTATR_CTL_LOG filter attribute is supported.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3
index 091d6d1..7050d5f 100644
--- a/doc/man/man3/seccomp_attr_set.3
+++ b/doc/man/man3/seccomp_attr_set.3
@@ -86,6 +86,14 @@ specific syscall invocations, see
 for more information.  Defaults to off (
 .I value
 == 0).
+.TP
+.B SCMP_FLTATR_CTL_LOG
+A flag to specify if the kernel should log all filter actions taken except for
+the
+.BR SCMP_ACT_ALLOW
+action. Defaults to off (
+.I value
+== 0).
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////