seccomp_attr_set(3) libseccomp Documentation seccomp_attr_set(3)

NAME
       seccomp_attr_set, seccomp_attr_get - Manage the seccomp filter
       attributes

SYNOPSIS
       #include <seccomp.h>

       typedef void * scmp_filter_ctx;
       enum scmp_filter_attr;

       int seccomp_attr_set(scmp_filter_ctx ctx,
                            enum scmp_filter_attr attr, uint32_t value);
       int seccomp_attr_get(scmp_filter_ctx ctx,
                            enum scmp_filter_attr attr, uint32_t *value);

       Link with -lseccomp.

DESCRIPTION
       The seccomp_attr_set() function sets the seccomp filter attributes,
       while the seccomp_attr_get() function fetches them. The seccomp
       filter attributes are tunable values that affect how the library
       behaves when generating the seccomp filter and loading it into the
       kernel. The attributes are reset to their default values whenever
       the filter is initialized or reset via seccomp_init(3) or
       seccomp_reset(3).

       The filter context ctx is the value returned by the call to
       seccomp_init(3).

       Valid attr values are as follows:

       SCMP_FLTATR_ACT_DEFAULT
              The default filter action, as specified in the call to
              seccomp_init(3) or seccomp_reset(3). This attribute is
              read-only; attempting to set it fails.

       SCMP_FLTATR_ACT_BADARCH
              The filter action taken when the loaded filter does not match
              the architecture of the executing application. Defaults to
              the SCMP_ACT_KILL action.

       SCMP_FLTATR_CTL_NNP
              A flag to specify if the NO_NEW_PRIVS functionality should be
              enabled before loading the seccomp filter into the kernel.
              Setting this to off (value == 0) results in no action,
              meaning that loading the seccomp filter into the kernel will
              fail if CAP_SYS_ADMIN is missing and NO_NEW_PRIVS has not
              been set externally. Defaults to on (value == 1).

       SCMP_FLTATR_CTL_TSYNC
              A flag to specify if the kernel should attempt to synchronize
              the filters across all threads on seccomp_load(3). If the
              kernel is unable to synchronize all of the threads, the load
              operation will fail. This flag is only available on Linux
              kernel 3.17 or greater; attempting to enable this flag on
              earlier kernels will result in an error being returned.
              Defaults to off (value == 0).

       SCMP_FLTATR_API_TSKIP
              A flag to specify if libseccomp should allow filter rules to
              be created for the -1 syscall. The -1 syscall value can be
              used by tracer programs to skip specific syscall invocations;
              see seccomp(2) for more information. Defaults to off
              (value == 0).

       SCMP_FLTATR_CTL_LOG
              A flag to specify if the kernel should log all filter actions
              taken except for the SCMP_ACT_ALLOW action. Defaults to off
              (value == 0).

RETURN VALUE
       Returns zero on success, negative errno values on failure.

EXAMPLES
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
               int rc = -1;
               scmp_filter_ctx ctx;

               /* allow-by-default filter; rules added later would deny */
               ctx = seccomp_init(SCMP_ACT_ALLOW);
               if (ctx == NULL)
                       goto out;

               /* ... */

               /* trap (SIGSYS) instead of kill on an architecture mismatch */
               rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP);
               if (rc < 0)
                       goto out;

               /* ... */

       out:
               /* seccomp_release() accepts a NULL context */
               seccomp_release(ctx);
               /* rc is zero or a negative errno, so this is 0 or a positive errno */
               return -rc;
       }

NOTES
       While the seccomp filter can be generated independently of the
       kernel, kernel support is required to load and enforce the seccomp
       filter generated by libseccomp.

       The libseccomp project site, with more information and the source
       code repository, can be found at
       https://github.com/seccomp/libseccomp. This function, as well as
       the libseccomp library, is currently under development; please
       report any bugs at the project site or directly to the author.

AUTHOR
       Paul Moore <paul@paul-moore.com>

SEE ALSO
       seccomp_init(3), seccomp_reset(3), seccomp_load(3), seccomp(2)

paul@paul-moore.com 21 August 2014 seccomp_attr_set(3)