From f5c440184fb7c02d420e3c4274e63474c74bbeff Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <dborkman@redhat.com>
Date: Sat, 15 Jun 2013 16:55:29 +0200
Subject: man: bpfc: add example of loadable x86_64 seccomp-BPF filter

Add the example in bpfc code from http://outflux.net/teach-seccomp/
to the man page, so that people can also experiment with seccomp
bpf and to demonstrate that there are no limits on bpfc when it
comes to this. Actually this code is even more efficient than the
one given in the example URL above.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
---
 bpfc.8 | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/bpfc.8 b/bpfc.8
index a70816b..5c35d0b 100644
--- a/bpfc.8
+++ b/bpfc.8
@@ -264,6 +264,24 @@ words, some small example filter programs:
   pass: ret #-1
   drop: ret #0
 .PP
+.SS A loadable x86_64 seccomp-BPF filter to allow a given set of syscalls:
+.PP
+  ld [4]                  /* offsetof(struct seccomp_data, arch) */
+  jne #0xc000003e, bad    /* AUDIT_ARCH_X86_64 */
+  ld [0]                  /* offsetof(struct seccomp_data, nr) */
+  jeq #15, good           /* __NR_rt_sigreturn */
+  jeq #231, good          /* __NR_exit_group */
+  jeq #60, good           /* __NR_exit */
+  jeq #0, good            /* __NR_read */
+  jeq #1, good            /* __NR_write */
+  jeq #5, good            /* __NR_fstat */
+  jeq #9, good            /* __NR_mmap */
+  jeq #14, good           /* __NR_rt_sigprocmask */
+  jeq #13, good           /* __NR_rt_sigaction */
+  jeq #35, good           /* __NR_nanosleep */
+  bad: ret #0             /* SECCOMP_RET_KILL */
+  good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */
+.PP
 .SS Allow any (hardware accelerated) VLAN:
 .PP
   ld vlanp
-- 
cgit v1.2.3-54-g00ecf