authorDaniel Borkmann <dborkman@redhat.com>2013-06-15 16:55:29 +0200
committerDaniel Borkmann <dborkman@redhat.com>2013-06-15 16:55:29 +0200
commitf5c440184fb7c02d420e3c4274e63474c74bbeff (patch)
treebab036547975be780aade1799e523f4fad1a42f9 /bpfc.8
parentf068acf8817fc41e48c053afc9b32d36c923e18b (diff)
man: bpfc: add example of loadable x86_64 seccomp-BPF filter
Add the example from http://outflux.net/teach-seccomp/, written in bpfc code, to the man page, so that people can also experiment with seccomp-BPF and to demonstrate that bpfc has no limitations in this area. This code is actually even more efficient than the one given at the URL above. Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Diffstat (limited to 'bpfc.8')
-rw-r--r--bpfc.818
1 files changed, 18 insertions, 0 deletions
diff --git a/bpfc.8 b/bpfc.8
index a70816b..5c35d0b 100644
--- a/bpfc.8
+++ b/bpfc.8
@@ -264,6 +264,24 @@ words, some small example filter programs:
pass: ret #-1
drop: ret #0
.PP
+.SS A loadable x86_64 seccomp-BPF filter to allow a given set of syscalls:
+.PP
+ ld [4] /* offsetof(struct seccomp_data, arch) */
+ jne #0xc000003e, bad /* AUDIT_ARCH_X86_64 */
+ ld [0] /* offsetof(struct seccomp_data, nr) */
+ jeq #15, good /* __NR_rt_sigreturn */
+ jeq #231, good /* __NR_exit_group */
+ jeq #60, good /* __NR_exit */
+ jeq #0, good /* __NR_read */
+ jeq #1, good /* __NR_write */
+ jeq #5, good /* __NR_fstat */
+ jeq #9, good /* __NR_mmap */
+ jeq #14, good /* __NR_rt_sigprocmask */
+ jeq #13, good /* __NR_rt_sigaction */
+ jeq #35, good /* __NR_nanosleep */
+ bad: ret #0 /* SECCOMP_RET_KILL */
+ good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
+.PP
.SS Allow any (hardware accelerated) VLAN:
.PP
ld vlanp