seccomp_init(3)            libseccomp Documentation            seccomp_init(3)

NAME

       seccomp_init, seccomp_reset - Initialize the seccomp filter state


SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       scmp_filter_ctx seccomp_init(uint32_t def_action);
       int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

       Link with -lseccomp.


DESCRIPTION

       The seccomp_init() and seccomp_reset() functions (re)initialize the
       internal seccomp filter state, prepare it for use, and set the default
       action based on the def_action parameter.  The seccomp_init() function
       must be called before any other libseccomp function, as the rest of
       the library API will fail if the filter context is not initialized
       properly.  The seccomp_reset() function releases the existing filter
       context state before reinitializing it and can only be called after a
       call to seccomp_init() has succeeded.

       When the caller is finished configuring the seccomp filter and has
       loaded it into the kernel, the caller should call seccomp_release(3) to
       release all of the filter context state.

       Valid def_action values are as follows:

       SCMP_ACT_KILL
              The thread will be terminated by the kernel with SIGSYS when it
              calls a syscall that does not match any of the configured
              seccomp filter rules.  The thread will not be able to catch the
              signal.

       SCMP_ACT_KILL_PROCESS
              The entire process will be terminated by the kernel with SIGSYS
              when it calls a syscall that does not match any of the
              configured seccomp filter rules.

       SCMP_ACT_TRAP
              The thread will be sent a SIGSYS signal when it calls a syscall
              that does not match any of the configured seccomp filter rules.
              It may catch this signal and change its behavior accordingly.
              When using SA_SIGINFO with sigaction(2), si_code will be set to
              SYS_SECCOMP, si_syscall will be set to the syscall that failed
              the rules, and si_arch will be set to the AUDIT_ARCH for the
              active ABI.

       SCMP_ACT_ERRNO(uint16_t errno)
              The syscall will fail and the thread will receive a return value
              of errno when it calls a syscall that does not match any of the
              configured seccomp filter rules.

       SCMP_ACT_TRACE(uint16_t msg_num)
              If the thread is being traced and the tracing process specified
              the PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the
              tracing process will be notified, via PTRACE_EVENT_SECCOMP, and
              the value provided in msg_num can be retrieved using the
              PTRACE_GETEVENTMSG option.

       SCMP_ACT_LOG
              The seccomp filter will have no effect on the thread calling the
              syscall if it does not match any of the configured seccomp
              filter rules, but the syscall will be logged.

       SCMP_ACT_ALLOW
              The seccomp filter will have no effect on the thread calling the
              syscall if it does not match any of the configured seccomp
              filter rules.


RETURN VALUE

       The seccomp_init() function returns a filter context on success, NULL
       on failure.  The seccomp_reset() function returns zero on success,
       negative errno values on failure.


EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            /* create the filter context; unmatched syscalls kill the thread */
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... add rules with seccomp_rule_add(3), load the filter ... */

            /* drop the existing rules and start over with the same default */
            rc = seccomp_reset(ctx, SCMP_ACT_KILL);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            /* free the filter context state on every exit path */
            seccomp_release(ctx);
            return -rc;
       }

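       Added example (not from this man page or the libseccomp project) showing what the def_action described under DESCRIPTION means at runtime, complementing the init/reset skeleton above: a forked child installs the raw BPF form of a filter built with seccomp_init(SCMP_ACT_ERRNO(EPERM)) plus allow rules for exit_group and rt_sigreturn, then calls getppid(2), which matches no rule and therefore fails with EPERM, while the parent is never filtered. It is hand-written against the kernel interface so it builds on Linux with libc alone (no -lseccomp); libseccomp emits an equivalent program from its API, with an architecture check in front that this version leaves out.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Two allow rules (exit_group, rt_sigreturn); anything else falls through to
 * the default action, the raw form of SCMP_ACT_ERRNO(EPERM).  libseccomp also
 * emits an architecture check ahead of the rules; this hand-built filter omits it. */
static int install_errno_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* default action */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),         /* a rule matched */
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };

    /* Required for unprivileged callers; seccomp_load(3) sets it as well. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child, install the filter there and call getppid(2), which matches no
 * rule.  The child's exit status carries the result: the kernel's errno, 0 if
 * the call unexpectedly succeeded, or 200 if installation failed.  The parent stays unfiltered. */
int blocked_syscall_errno(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_errno_filter() != 0)
            _exit(200);
        long r = syscall(SYS_getppid); /* raw syscall, so libc cannot cache it */
        _exit(r < 0 ? errno : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status); /* EPERM (1) on a kernel with seccomp filter support */
}
```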

NOTES

       While the seccomp filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development; please report any bugs at the project site or directly to
       the author.


AUTHOR

       Paul Moore <paul@paul-moore.com>


SEE ALSO

       seccomp_release(3)

paul@paul-moore.com              25 July 2012                  seccomp_init(3)