lxccontainer.h: document seccomp_notify_fd()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index da7aefa2e57320bf77652f9e8cb397d776efda58..e5fa29fed130140ba0ad51e2edf647c6d3215fb7 100644 (file)
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -46,6 +46,8 @@ the kernel will generate a poll event and send a message over the file descripto
 
 The caller can read this message, inspect the syscalls including its arguments. Based on this information the caller is expected to send back a message informing the kernel which action to take. Until that message is sent the kernel will block the calling process. The format of the messages to read and sent is documented in seccomp itself.
 
+A new API function `seccomp_notify_fd()` has been added which allows callers to retrieve the notifier fd for the container's seccomp filter.
+
 ## network\_veth\_routes
 
 This introduces the `lxc.net.[i].veth.ipv4.route` and `lxc.net.[i].veth.ipv6.route` properties

diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index 7ffd19fb3cf93b3bcf94d0751f7eebf9f88fb930..5bb38e45321f907ed224eee3aef3cbf002a6e842 100644 (file)
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -848,6 +848,13 @@ struct lxc_container {
        int (*umount)(struct lxc_container *c, const char *target,
                      unsigned long mountflags, struct lxc_mount *mnt);
 
+       /*!
+        * \brief Retrieve a file descriptor for the container's seccomp filter.
+        *
+        * \param c Container
+        *
+        * \return file descriptor for container's seccomp filter
+        */
        int (*seccomp_notify_fd)(struct lxc_container *c);
 };