seccomp_attr_set(3)        libseccomp Documentation        seccomp_attr_set(3)

NAME

       seccomp_attr_set, seccomp_attr_get - Manage the seccomp filter
       attributes

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;
       enum scmp_filter_attr;

       int seccomp_attr_set(scmp_filter_ctx ctx,
                            enum scmp_filter_attr attr, uint32_t value);
       int seccomp_attr_get(scmp_filter_ctx ctx,
                            enum scmp_filter_attr attr, uint32_t *value);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_attr_set() function sets the different seccomp filter
       attributes while the seccomp_attr_get() function fetches the filter
       attributes.  The seccomp filter attributes are tunable values that
       affect how the library behaves when generating and loading the
       seccomp filter into the kernel.  The attributes are reset to their
       default values whenever the filter is initialized or reset via
       seccomp_filter_init(3) or seccomp_filter_reset(3).

       The filter context ctx is the value returned by the call to
       seccomp_init(3).

       Valid attr values are as follows:

       SCMP_FLTATR_ACT_DEFAULT
              The default filter action as specified in the call to
              seccomp_filter_init(3) or seccomp_filter_reset(3).  This
              attribute is read-only.

       SCMP_FLTATR_ACT_BADARCH
              The filter action taken when the loaded filter does not match
              the architecture of the executing application.  Defaults to
              the SCMP_ACT_KILL action.

       SCMP_FLTATR_CTL_NNP
              A flag to specify if the NO_NEW_PRIVS functionality should be
              enabled before loading the seccomp filter into the kernel.
              If set to off (value == 0) then loading the seccomp filter
              into the kernel will fail if CAP_SYS_ADMIN is not set.
              Defaults to on (value == 1).

       SCMP_FLTATR_CTL_TSYNC
              A flag to specify if the kernel should attempt to synchronize
              the filters across all threads on seccomp_load(3).  If the
              kernel is unable to synchronize all of the threads then the
              load operation will fail.  This flag is only available on
              Linux Kernel 3.17 or greater; attempting to enable this flag
              on earlier kernels will result in an error being returned.
              Defaults to off (value == 0).


RETURN VALUE

       Returns zero on success, negative errno values on failure.


EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            /* create a filter context whose default action is ALLOW */
            ctx = seccomp_init(SCMP_ACT_ALLOW);
            if (ctx == NULL)
                 goto out;

            /* ... */

            /* trap, rather than kill, on an architecture mismatch */
            rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            /* free the filter context; rc holds 0 or a negative errno */
            seccomp_release(ctx);
            return -rc;
       }

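       The kernel rule behind SCMP_FLTATR_CTL_NNP, as an added example
       that is not part of the libseccomp documentation.  It calls
       prctl(2) directly instead of going through libseccomp; try_load()
       and its one-instruction allow-all filter are constructed for
       illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child, optionally set NO_NEW_PRIVS in it,
 * then ask the kernel to load a filter.  Returns 0 if the filter was
 * accepted, the child's errno if it was refused, -1 if fork/wait failed.
 * Only the child is ever filtered; the caller is left untouched.
 */
int try_load(int set_nnp)
{
     /* constructed one-instruction BPF program: allow every syscall */
     struct sock_filter insn[] = {
          BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
     };
     struct sock_fprog prog = { .len = 1, .filter = insn };
     int status;
     pid_t pid = fork();

     if (pid < 0)
          return -1;
     if (pid == 0) {
          /* the step the NNP attribute (value == 1) requests before a load */
          if (set_nnp && prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0UL, 0UL, 0UL) < 0)
               _exit(errno);
          /* refused with EACCES without NO_NEW_PRIVS or CAP_SYS_ADMIN */
          if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
               _exit(errno);
          _exit(0);
     }
     if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
          return -1;
     return WEXITSTATUS(status);
}

int main(void)
{
     printf("load with NO_NEW_PRIVS:    %d\n", try_load(1));
     printf("load without NO_NEW_PRIVS: %d\n", try_load(0));
     return 0;
}
```

       The second call also returns 0 when the caller holds CAP_SYS_ADMIN
       or has already inherited NO_NEW_PRIVS from its parent.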

NOTES

       While the seccomp filter can be generated independently of the
       kernel, kernel support is required to load and enforce the seccomp
       filter generated by libseccomp.

       The libseccomp project site, with more information and the source
       code repository, can be found at
       https://github.com/seccomp/libseccomp.  This tool, as well as the
       libseccomp library, is currently under development; please report
       any bugs at the project site or directly to the author.


AUTHOR

       Paul Moore <paul@paul-moore.com>


SEE ALSO

       seccomp_init(3), seccomp_reset(3), seccomp_load(3)

paul@paul-moore.com             21 August 2014             seccomp_attr_set(3)