+
+#. type: TH
+#: build/C/man2/seccomp.2:27
+#, no-wrap
+msgid "SECCOMP"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:30
+msgid "seccomp - operate on Secure Computing state of the process"
+msgstr ""
+
+#. Kees Cook noted: Anything that uses SECCOMP_RET_TRACE returns will
+#. need <sys/ptrace.h>
+#. type: Plain text
+#: build/C/man2/seccomp.2:39
+#, no-wrap
+msgid ""
+"B<#include E<lt>linux/seccomp.hE<gt>>\n"
+"B<#include E<lt>linux/filter.hE<gt>>\n"
+"B<#include E<lt>linux/audit.hE<gt>>\n"
+"B<#include E<lt>linux/signal.hE<gt>>\n"
+"B<#include E<lt>sys/ptrace.hE<gt>>\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:42
+#, no-wrap
+msgid ""
+"B<int seccomp(unsigned int >I<operation>B<, unsigned int >I<flags>B<, void "
+"*>I<args>B<);>\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:48
+msgid ""
+"The B<seccomp>() system call operates on the Secure Computing (seccomp) "
+"state of the calling process."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:52
+msgid "Currently, Linux supports the following I<operation> values:"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:52
+#, no-wrap
+msgid "B<SECCOMP_SET_MODE_STRICT>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:66
+msgid ""
+"The only system calls that the calling thread is permitted to make are "
+"B<read>(2), B<write>(2), B<_exit>(2), and B<sigreturn>(2). Other system "
+"calls result in the delivery of a B<SIGKILL> signal. Strict secure "
+"computing mode is useful for number-crunching applications that may need to "
+"execute untrusted byte code, perhaps obtained by reading from a pipe or "
+"socket."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:70
+msgid ""
+"This operation is available only if the kernel is configured with "
+"B<CONFIG_SECCOMP> enabled."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:76
+msgid "The value of I<flags> must be 0, and I<args> must be NULL."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:78
+msgid "This operation is functionally identical to the call:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:80
+#, no-wrap
+msgid " prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);\n"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:80
+#, no-wrap
+msgid "B<SECCOMP_SET_MODE_FILTER>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:95
+msgid ""
+"The system calls allowed are defined by a pointer to a Berkeley Packet "
+"Filter (BPF) passed via I<args>. This argument is a pointer to a I<struct\\ "
+"sock_fprog>; it can be designed to filter arbitrary system calls and system "
+"call arguments. If the filter is invalid, B<seccomp>() fails, returning "
+"B<EINVAL> in I<errno>."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:107
+msgid ""
+"If B<fork>(2) or B<clone>(2) is allowed by the filter, any child processes "
+"will be constrained to the same system call filters as the parent. If "
+"B<execve>(2) is allowed, the existing filters will be preserved across a "
+"call to B<execve>(2)."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:117
+msgid ""
+"In order to use the B<SECCOMP_SET_MODE_FILTER> operation, either the caller "
+"must have the B<CAP_SYS_ADMIN> capability, or the thread must already have "
+"the I<no_new_privs> bit set. If that bit was not already set by an ancestor "
+"of this thread, the thread must make the following call:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:119
+#, no-wrap
+msgid " prctl(PR_SET_NO_NEW_PRIVS, 1);\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:138
+msgid ""
+"Otherwise, the B<SECCOMP_SET_MODE_FILTER> operation will fail and return "
+"B<EACCES> in I<errno>. This requirement ensures that an unprivileged "
+"process cannot apply a malicious filter and then invoke a set-user-ID or "
+"other privileged program using B<execve>(2), thus potentially compromising "
+"that program. (Such a malicious filter might, for example, cause an attempt "
+"to use B<setuid>(2) to set the caller's user IDs to non-zero values to "
+"instead return 0 without actually making the system call. Thus, the program "
+"might be tricked into retaining superuser privileges in circumstances where "
+"it is possible to influence it to do dangerous things because it did not "
+"actually drop privileges.)"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:146
+msgid ""
+"If B<prctl>(2) or B<seccomp>(2) is allowed by the attached filter, further "
+"filters may be added. This will increase evaluation time, but allows for "
+"further reduction of the attack surface during execution of a thread."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:152
+msgid ""
+"The B<SECCOMP_SET_MODE_FILTER> operation is available only if the kernel is "
+"configured with B<CONFIG_SECCOMP_FILTER> enabled."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:156
+msgid "When I<flags> is 0, this operation is functionally identical to the call:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:158
+#, no-wrap
+msgid " prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:162
+msgid "The recognized I<flags> are:"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:163
+#, no-wrap
+msgid "B<SECCOMP_FILTER_FLAG_TSYNC>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:171
+msgid ""
+"When adding a new filter, synchronize all other threads of the calling "
+"process to the same seccomp filter tree. A \"filter tree\" is the ordered "
+"list of filters attached to a thread. (Attaching identical filters in "
+"separate B<seccomp>() calls results in different filters from this "
+"perspective.)"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:179
+msgid ""
+"If any thread cannot synchronize to the same filter tree, the call will not "
+"attach the new seccomp filter, and will fail, returning the first thread ID "
+"found that cannot synchronize. Synchronization will fail if another thread "
+"in the same process is in B<SECCOMP_MODE_STRICT> or if it has attached new "
+"seccomp filters to itself, diverging from the calling thread's filter tree."
+msgstr ""
+
+#. type: SS
+#: build/C/man2/seccomp.2:180
+#, no-wrap
+msgid "Filters"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:185
+msgid ""
+"When adding filters via B<SECCOMP_SET_MODE_FILTER>, I<args> points to a "
+"filter program:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:193
+#, no-wrap
+msgid ""
+"struct sock_fprog {\n"
+" unsigned short len; /* Number of BPF instructions */\n"
+" struct sock_filter *filter; /* Pointer to array of\n"
+" BPF instructions */\n"
+"};\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:197
+msgid "Each program must contain one or more BPF instructions:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:206
+#, no-wrap
+msgid ""
+"struct sock_filter { /* Filter block */\n"
+" __u16 code; /* Actual filter code */\n"
+" __u8 jt; /* Jump true */\n"
+" __u8 jf; /* Jump false */\n"
+" __u32 k; /* Generic multiuse field */\n"
+"};\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:213
+msgid ""
+"When executing the instructions, the BPF program operates on the system call "
+"information made available (i.e., use the B<BPF_ABS> addressing mode) as a "
+"buffer of the following form:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:223
+#, no-wrap
+msgid ""
+"struct seccomp_data {\n"
+" int nr; /* System call number */\n"
+" __u32 arch; /* AUDIT_ARCH_* value\n"
+" (see E<lt>linux/audit.hE<gt>) */\n"
+" __u64 instruction_pointer; /* CPU instruction pointer */\n"
+" __u64 args[6]; /* Up to 6 system call arguments */\n"
+"};\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:234
+msgid ""
+"A seccomp filter returns a 32-bit value consisting of two parts: the most "
+"significant 16 bits (corresponding to the mask defined by the constant "
+"B<SECCOMP_RET_ACTION>) contain one of the \"action\" values listed below; "
+"the least significant 16-bits (defined by the constant B<SECCOMP_RET_DATA>) "
+"are \"data\" to be associated with this return value."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:242
+msgid ""
+"If multiple filters exist, they are all executed, in reverse order of their "
+"addition to the filter tree (i.e., the most recently installed filter is "
+"executed first). The return value for the evaluation of a given system call "
+"is the first-seen B<SECCOMP_RET_ACTION> value of highest precedence (along "
+"with its accompanying data) returned by execution of all of the filters."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:245
+msgid ""
+"In decreasing order of precedence, the values that may be returned by a "
+"seccomp filter are:"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:245
+#, no-wrap
+msgid "B<SECCOMP_RET_KILL>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:254
+msgid ""
+"This value results in the process exiting immediately without executing the "
+"system call. The process terminates as though killed by a B<SIGSYS> signal "
+"(I<not> B<SIGKILL>)."
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:254
+#, no-wrap
+msgid "B<SECCOMP_RET_TRAP>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:264
+msgid ""
+"This value results in the kernel sending a B<SIGSYS> signal to the "
+"triggering process without executing the system call. Various fields will "
+"be set in the I<siginfo_t> structure (see B<sigaction>(2)) associated with "
+"signal:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:269
+msgid "I<si_signo> will contain B<SIGSYS>."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:272
+msgid "I<si_call_addr> will show the address of the system call instruction."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:277
+msgid "I<si_syscall> and I<si_arch> will indicate which system call was attempted."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:281
+msgid "I<si_code> will contain B<SYS_SECCOMP>."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:286
+msgid ""
+"I<si_errno> will contain the B<SECCOMP_RET_DATA> portion of the filter "
+"return value."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:295
+msgid ""
+"The program counter will be as though the system call happened (i.e., it "
+"will not point to the system call instruction). The return value register "
+"will contain an architecture-dependent value; if resuming execution, set it "
+"to something appropriate for the system call. (The architecture dependency "
+"is because replacing it with B<ENOSYS> could overwrite some useful "
+"information.)"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:295
+#, no-wrap
+msgid "B<SECCOMP_RET_ERRNO>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:302
+msgid ""
+"This value results in the B<SECCOMP_RET_DATA> portion of the filter's return "
+"value being passed to user space as the I<errno> value without executing the "
+"system call."
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:302
+#, no-wrap
+msgid "B<SECCOMP_RET_TRACE>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:312
+msgid ""
+"When returned, this value will cause the kernel to attempt to notify a "
+"B<ptrace>(2)-based tracer prior to executing the system call. If there is "
+"no tracer present, the system call is not executed and returns a failure "
+"status with I<errno> set to B<ENOSYS>."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:323
+msgid ""
+"A tracer will be notified if it requests B<PTRACE_O_TRACESECCOMP> using "
+"I<ptrace(PTRACE_SETOPTIONS)>. The tracer will be notified of a "
+"B<PTRACE_EVENT_SECCOMP> and the B<SECCOMP_RET_DATA> portion of the filter's "
+"return value will be available to the tracer via B<PTRACE_GETEVENTMSG>."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:330
+msgid ""
+"The tracer can skip the system call by changing the system call number to "
+"-1. Alternatively, the tracer can change the system call requested by "
+"changing the system call to a valid system call number. If the tracer asks "
+"to skip the system call, then the system call will appear to return the "
+"value that the tracer puts in the return value register."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:339
+msgid ""
+"The seccomp check will not be run again after the tracer is notified. (This "
+"means that seccomp-based sandboxes B<must not> allow use of "
+"B<ptrace>(2)\\(emeven of other sandboxed processes\\(emwithout extreme care; "
+"ptracers can use this mechanism to escape from the seccomp sandbox.)"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:339
+#, no-wrap
+msgid "B<SECCOMP_RET_ALLOW>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:342
+msgid "This value results in the system call being executed."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:358
+msgid ""
+"On success, B<seccomp>() returns 0. On error, if "
+"B<SECCOMP_FILTER_FLAG_TSYNC> was used, the return value is the ID of the "
+"thread that caused the synchronization failure. (This ID is a kernel thread "
+"ID of the type returned by B<clone>(2) and B<gettid>(2).) On other errors, "
+"-1 is returned, and I<errno> is set to indicate the cause of the error."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:361
+msgid "B<seccomp>() can fail for the following reasons:"
+msgstr ""
+
+#. type: TP
+#: build/C/man2/seccomp.2:361
+#, no-wrap
+msgid "B<EACCESS>"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:369
+msgid ""
+"The caller did not have the B<CAP_SYS_ADMIN> capability, or had not set "
+"I<no_new_privs> before using B<SECCOMP_SET_MODE_FILTER>."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:373
+msgid "I<args> was not a valid address."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:380
+msgid "I<operation> is unknown; or I<flags> are invalid for the given I<operation>."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:387
+msgid ""
+"I<operation> included B<BPF_ABS>, but the specified offset was not aligned "
+"to a 32-bit boundary or exceeded I<sizeof(struct\\ seccomp_data)>."
+msgstr ""
+
+#. See kernel/seccomp.c::seccomp_may_assign_mode() in 3.18 sources
+#. type: Plain text
+#: build/C/man2/seccomp.2:393
+msgid ""
+"A secure computing mode has already been set, and I<operation> differs from "
+"the existing setting."
+msgstr ""
+
+#. See stub kernel/seccomp.c::seccomp_set_mode_filter() in 3.18 sources
+#. type: Plain text
+#: build/C/man2/seccomp.2:402
+msgid ""
+"I<operation> specified B<SECCOMP_SET_MODE_FILTER>, but the kernel was not "
+"built with B<CONFIG_SECCOMP_FILTER> enabled."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:413
+msgid ""
+"I<operation> specified B<SECCOMP_SET_MODE_FILTER>, but the filter program "
+"pointed to by I<args> was not valid or the length of the filter program was "
+"zero or exceeded B<BPF_MAXINSNS> (4096) instructions. B<EINVAL>"
+msgstr ""
+
+#. ENOMEM in kernel/seccomp.c::seccomp_attach_filter() in 3.18 sources
+#. type: Plain text
+#: build/C/man2/seccomp.2:426
+msgid ""
+"The total length of all filter programs attached to the calling thread would "
+"exceed B<MAX_INSNS_PER_PATH> (32768) instructions. Note that for the "
+"purposes of calculating this limit, each already existing filter program "
+"incurs an overhead penalty of 4 instructions."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:430
+msgid ""
+"Another thread caused a failure during thread sync, but its ID could not be "
+"determined."
+msgstr ""
+
+#. FIXME . Add glibc version
+#. type: Plain text
+#: build/C/man2/seccomp.2:435
+msgid "The B<seccomp>() system call first appeared in Linux 3.17."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:439
+msgid "The B<seccomp>() system call is a nonstandard Linux extension."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:446
+msgid ""
+"The I<Seccomp> field of the I</proc/[pid]/status> file provides a method of "
+"viewing the seccomp mode of a process; see B<proc>(5)."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:453
+msgid ""
+"B<seccomp>() provides a superset of the functionality provided by the "
+"B<prctl>(2) B<PR_SET_SECCOMP> operation (which does not support I<flags>)."
+msgstr ""
+
+#. type: SS
+#: build/C/man2/seccomp.2:453
+#, no-wrap
+msgid "Seccomp-specific BPF details"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:455
+msgid "Note the following BPF details specific to seccomp filters:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:463
+msgid ""
+"The B<BPF_H> and B<BPF_B> size modifiers are not supported: all operations "
+"must load and store (4-byte) words (B<BPF_W>)."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:469
+msgid ""
+"To access the contents of the I<seccomp_data> buffer, use the B<BPF_ABS> "
+"addressing mode modifier."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:476
+msgid ""
+"The B<BPF_LEN> addressing mode modifier yields an immediate mode operand "
+"whose value is the size of the I<seccomp_data> buffer."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:482
+msgid ""
+"The program below accepts four or more arguments. The first three arguments "
+"are a system call number, a numeric architecture identifier, and an error "
+"number. The program uses these values to construct a BPF filter that is "
+"used at run time to perform the following checks:"
+msgstr ""
+
+#. type: IP
+#: build/C/man2/seccomp.2:482
+#, no-wrap
+msgid "[1]"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:486
+msgid ""
+"If the program is not running on the specified architecture, the BPF filter "
+"causes system calls to fail with the error B<ENOSYS>."
+msgstr ""
+
+#. type: IP
+#: build/C/man2/seccomp.2:486
+#, no-wrap
+msgid "[2]"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:491
+msgid ""
+"If the program attempts to execute the system call with the specified "
+"number, the BPF filter causes the system call to fail, with I<errno> being "
+"set to the specified error number."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:500
+msgid ""
+"The remaining command-line arguments specify the pathname and additional "
+"arguments of a program that the example program should attempt to execute "
+"using B<execve>(3) (a library function that employs the B<execve>(2) "
+"system call). Some example runs of the program are shown below."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:504
+msgid ""
+"First, we display the architecture that we are running on (x86-64) and then "
+"construct a shell function that looks up system call numbers on this "
+"architecture:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:513
+#, no-wrap
+msgid ""
+"$ B<uname -m>\n"
+"x86_64\n"
+"$ B<syscall_nr() {\n"
+" cat /usr/src/linux/arch/x86/syscalls/syscall_64.tbl | \\e\n"
+" awk '$2 != \"x32\" && $3 == \"'$1'\" { print $1 }'\n"
+"}>\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:520
+msgid ""
+"When the BPF filter rejects a system call (case [2] above), it causes the "
+"system call to fail with the error number specified on the command line. In "
+"the experiments shown here, we'll use error number 99:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:525
+#, no-wrap
+msgid ""
+"$ B<errno 99>\n"
+"EADDRNOTAVAIL 99 Cannot assign requested address\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:533
+msgid ""
+"In the following example, we attempt to run the command B<whoami>(1), but "
+"the BPF filter rejects the B<execve>(2) system call, so that the command is "
+"not even executed:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:544
+#, no-wrap
+msgid ""
+"$ B<syscall_nr execve>\n"
+"59\n"
+"$ B<./a.out>\n"
+"Usage: ./a.out E<lt>syscall_nrE<gt> E<lt>archE<gt> E<lt>errnoE<gt> "
+"E<lt>progE<gt> [E<lt>argsE<gt>]\n"
+"Hint for E<lt>archE<gt>: AUDIT_ARCH_I386: 0x40000003\n"
+" AUDIT_ARCH_X86_64: 0xC000003E\n"
+"$ B<./a.out 59 0xC000003E 99 /bin/whoami>\n"
+"execv: Cannot assign requested address\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:552
+msgid ""
+"In the next example, the BPF filter rejects the B<write>(2) system call, so "
+"that, although it is successfully started, the B<whoami>(1) command is not "
+"able to write output:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:558
+#, no-wrap
+msgid ""
+"$ B<syscall_nr write>\n"
+"1\n"
+"$ B<./a.out 1 0xC000003E 99 /bin/whoami>\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:565
+msgid ""
+"In the final example, the BPF filter rejects a system call that is not used "
+"by the B<whoami>(1) command, so it is able to successfully execute and "
+"produce output:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:572
+#, no-wrap
+msgid ""
+"$ B<syscall_nr preadv>\n"
+"295\n"
+"$ B<./a.out 295 0xC000003E 99 /bin/whoami>\n"
+"cecilia\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:586
+#, no-wrap
+msgid ""
+"#include E<lt>errno.hE<gt>\n"
+"#include E<lt>stddef.hE<gt>\n"
+"#include E<lt>stdio.hE<gt>\n"
+"#include E<lt>stdlib.hE<gt>\n"
+"#include E<lt>unistd.hE<gt>\n"
+"#include E<lt>linux/audit.hE<gt>\n"
+"#include E<lt>linux/filter.hE<gt>\n"
+"#include E<lt>linux/seccomp.hE<gt>\n"
+"#include E<lt>sys/prctl.hE<gt>\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:595
+#, no-wrap
+msgid ""
+"static int\n"
+"install_filter(int syscall_nr, int t_arch, int f_errno)\n"
+"{\n"
+" struct sock_filter filter[] = {\n"
+" /* [0] Load architecture from 'seccomp_data' buffer into\n"
+" accumulator */\n"
+" BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
+" (offsetof(struct seccomp_data, arch))),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:599
+#, no-wrap
+msgid ""
+" /* [1] Jump forward 4 instructions if architecture does not\n"
+" match 't_arch' */\n"
+" BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 4),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:604
+#, no-wrap
+msgid ""
+" /* [2] Load system call number from 'seccomp_data' buffer into\n"
+" accumulator */\n"
+" BPF_STMT(BPF_LD | BPF_W | BPF_ABS,\n"
+" (offsetof(struct seccomp_data, nr))),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:608
+#, no-wrap
+msgid ""
+" /* [3] Jump forward 1 instruction if system call number\n"
+" does not match 'syscall_nr' */\n"
+" BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:613
+#, no-wrap
+msgid ""
+" /* [4] Matching architecture and system call: don't execute\n"
+"\t the system call, and return 'f_errno' in 'errno' */\n"
+" BPF_STMT(BPF_RET | BPF_K,\n"
+" SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:617
+#, no-wrap
+msgid ""
+" /* [5] Destination of system call number mismatch: allow other\n"
+" system calls */\n"
+" BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:621
+#, no-wrap
+msgid ""
+" /* [6] Destination of architecture mismatch: kill process */\n"
+" BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),\n"
+" };\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:626
+#, no-wrap
+msgid ""
+" struct sock_fprog prog = {\n"
+" .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),\n"
+" .filter = filter,\n"
+" };\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:631
+#, no-wrap
+msgid ""
+" if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {\n"
+" perror(\"seccomp\");\n"
+" return 1;\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:634
+#, no-wrap
+msgid ""
+" return 0;\n"
+"}\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:646
+#, no-wrap
+msgid ""
+"int\n"
+"main(int argc, char **argv)\n"
+"{\n"
+" if (argc E<lt> 5) {\n"
+" fprintf(stderr, \"Usage: \"\n"
+" \"%s E<lt>syscall_nrE<gt> E<lt>archE<gt> E<lt>errnoE<gt> "
+"E<lt>progE<gt> [E<lt>argsE<gt>]\\en\"\n"
+" \"Hint for E<lt>archE<gt>: AUDIT_ARCH_I386: 0x%X\\en\"\n"
+" \" AUDIT_ARCH_X86_64: 0x%X\\en\"\n"
+" \"\\en\", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:651
+#, no-wrap
+msgid ""
+" if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {\n"
+" perror(\"prctl\");\n"
+" exit(EXIT_FAILURE);\n"
+" }\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:656
+#, no-wrap
+msgid ""
+" if (install_filter(strtol(argv[1], NULL, 0),\n"
+" strtol(argv[2], NULL, 0),\n"
+" strtol(argv[3], NULL, 0)))\n"
+" exit(EXIT_FAILURE);\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:661
+#, no-wrap
+msgid ""
+" execv(argv[4], &argv[4]);\n"
+" perror(\"execv\");\n"
+" exit(EXIT_FAILURE);\n"
+"}\n"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:668
+msgid "B<prctl>(2), B<ptrace>(2), B<sigaction>(2), B<signal>(7), B<socket>(7)"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:673
+msgid ""
+"The kernel source files I<Documentation/networking/filter.txt> and "
+"I<Documentation/prctl/seccomp_filter.txt>."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man2/seccomp.2:679
+msgid ""
+"McCanne, S. and Jacobson, V. (1992) I<The BSD Packet Filter: A New "
+"Architecture for User-level Packet Capture>, Proceedings of the USENIX "
+"Winter 1993 Conference E<.UR http://www.tcpdump.org/papers/bpf-usenix93.pdf> "
+"E<.UE>"
+msgstr ""
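Review bot: The TP msgid `B<EACCESS>` (source line seccomp.2:361) misspells the errno constant; it should be `B<EACCES>`, matching the earlier msgid "operation will fail and return B<EACCES> in I<errno>" and the real errno name, otherwise the typo is frozen into every translation generated from this template. Two more msgids in the same region carry source defects worth fixing upstream before the strings are handed to translators: the EINVAL description ending "...zero or exceeded B<BPF_MAXINSNS> (4096) instructions. B<EINVAL>" has a stray `B<EINVAL>` fused onto the paragraph (it looks like a missing `.TP` break in the man source and should be its own header line, not translatable paragraph text), and the sentence "using B<execve>(3) (a library function that employs the B<execve>(2) system call)" should read `B<execv>(3)`, since that is the library wrapper the example program actually calls (`execv(argv[4], &argv[4]);`). The `#. FIXME . Add glibc version` comment is still open as well; the VERSIONS msgid only gives the kernel version.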