seccomp_syscall_priority(3)    libseccomp Documentation    seccomp_syscall_priority(3)

NAME

       seccomp_syscall_priority - Prioritize syscalls in the seccomp filter

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int SCMP_SYS(syscall_name);

       int seccomp_syscall_priority(scmp_filter_ctx ctx,
                                    int syscall, uint8_t priority);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_syscall_priority() function provides a priority hint to the
       seccomp filter generator in libseccomp such that higher priority
       syscalls are placed earlier in the seccomp filter code so that they
       incur less overhead at the expense of lower priority syscalls. A
       syscall's priority can be set regardless of whether any rules currently
       exist for that syscall; the library will remember the priority and
       assign it to the syscall if and when a rule for that syscall is
       created.

       While it is possible to specify the syscall value directly using the
       standard __NR_syscall values, in order to ensure proper operation
       across multiple architectures it is highly recommended to use the
       SCMP_SYS() macro instead. See the EXAMPLES section below.

       The priority parameter takes an 8-bit value ranging from 0 to 255; a
       higher value represents a higher priority.

       The filter context ctx is the value returned by the call to
       seccomp_init().

RETURN VALUE

       The seccomp_syscall_priority() function returns zero on success,
       negative errno values on failure. The SCMP_SYS() macro returns a value
       suitable for use as the syscall value in seccomp_syscall_priority().

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            /* Default action for syscalls that match no rule: kill. */
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            /* Hint that read(2) rules should be placed early in the filter. */
            rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }
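
       The placement effect described in DESCRIPTION, as an added example
       that is not part of the original man page or of libseccomp: a
       simplified model that emits a linear classic-BPF chain ordered by
       descending priority and counts the instructions executed per syscall.
       prio_rule, insn_t, build_filter(), steps_for() and
       cost_with_read_priority() are hypothetical names, the rule set is
       constructed, and libseccomp's real generator may lay the filter out
       differently.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Added model, not libseccomp code; every name below is hypothetical. */
struct prio_rule { int nr; uint8_t priority; };
typedef struct sock_filter insn_t;

static int by_priority_desc(const void *a, const void *b)
{
    return ((const struct prio_rule *)b)->priority - ((const struct prio_rule *)a)->priority;
}
/* Linear chain, highest priority first. Real filters also check seccomp_data.arch. */
static size_t build_filter(struct prio_rule *r, size_t n, insn_t *out)
{
    size_t len = 0;
    qsort(r, n, sizeof(*r), by_priority_desc);
    out[len++] = (insn_t)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        out[len++] = (insn_t)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)r[i].nr, 0, 1);
        out[len++] = (insn_t)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[len++] = (insn_t)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return len;
}
/* Interpret the three opcodes used above; return instructions executed. */
static unsigned steps_for(const insn_t *f, int nr, uint32_t *action)
{
    uint32_t acc = 0, pc = 0;
    for (unsigned steps = 1;; steps++) {
        const insn_t *insn = &f[pc++];
        if (insn->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (uint32_t)nr;                           /* A = seccomp_data.nr */
        else if (insn->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == insn->k) ? insn->jt : insn->jf; /* relative jump */
        else { *action = insn->k; return steps; }         /* BPF_RET */
    }
}
/* Steps to decide `probe` when read has `read_priority` (constructed rule set). */
unsigned cost_with_read_priority(uint8_t read_priority, int probe, uint32_t *action)
{
    struct prio_rule rules[] = { { SYS_write, 100 }, { SYS_close, 90 },
                                 { SYS_openat, 80 }, { SYS_read, read_priority } };
    insn_t prog[16];
    build_filter(rules, 4, prog);
    return steps_for(prog, probe, action);
}
```

       With the constructed rule set, raising read from priority 10 to 200
       cuts its cost from 6 to 3 instructions, while write rises from 3 to 4.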

NOTES

       While the seccomp filter can be generated independently of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development; please report any bugs at the project site or directly to
       the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_rule_add(3), seccomp_rule_add_exact(3)

paul@paul-moore.com              25 July 2012      seccomp_syscall_priority(3)