seccomp_init(3)            libseccomp Documentation            seccomp_init(3)

NAME

       seccomp_init, seccomp_reset - Initialize the seccomp filter state

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       scmp_filter_ctx seccomp_init(uint32_t def_action);
       int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_init() and seccomp_reset() functions (re)initialize the
       internal seccomp filter state, prepare it for use, and set the default
       action based on the def_action parameter. The seccomp_init() function
       must be called before any other libseccomp functions, as the rest of
       the library API will fail if the filter context is not initialized
       properly. The seccomp_reset() function releases the existing filter
       context state before reinitializing it and can only be called after a
       call to seccomp_init() has succeeded.

       When the caller is finished configuring the seccomp filter and has
       loaded it into the kernel, the caller should call seccomp_release(3) to
       release all of the filter context state.

       Valid def_action values are as follows:

       SCMP_ACT_KILL
              The thread will be terminated by the kernel with SIGSYS when it
              calls a syscall that does not match any of the configured
              seccomp filter rules. The thread will not be able to catch the
              signal.

       SCMP_ACT_TRAP
              The thread will be sent a SIGSYS signal when it calls a syscall
              that does not match any of the configured seccomp filter rules.
              It may catch this and change its behavior accordingly. When
              using SA_SIGINFO with sigaction(2), si_code will be set to
              SYS_SECCOMP, si_syscall will be set to the syscall that failed
              the rules, and si_arch will be set to the AUDIT_ARCH for the
              active ABI.

       SCMP_ACT_ERRNO(uint16_t errno)
              The thread will receive a return value of errno when it calls a
              syscall that does not match any of the configured seccomp filter
              rules.

       SCMP_ACT_TRACE(uint16_t msg_num)
              If the thread is being traced and the tracing process specified
              the PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the
              tracing process will be notified, via PTRACE_EVENT_SECCOMP, and
              the value provided in msg_num can be retrieved using the
              PTRACE_GETEVENTMSG option.

       SCMP_ACT_ALLOW
              The seccomp filter will have no effect on the thread calling the
              syscall if it does not match any of the configured seccomp
              filter rules.

RETURN VALUE

       The seccomp_init() function returns a filter context on success, NULL
       on failure. The seccomp_reset() function returns zero on success,
       negative errno values on failure.

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            /* create the filter context; unmatched syscalls kill the thread */
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            /* discard the existing filter state and start over */
            rc = seccomp_reset(ctx, SCMP_ACT_KILL);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            /* release the filter context state */
            seccomp_release(ctx);
            return -rc;
       }

NOTES

       While the seccomp filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development; please report any bugs at the project site or directly to
       the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_release(3)

paul@paul-moore.com              25 July 2012                  seccomp_init(3)