seccomp_syscall_priority(3)    libseccomp Documentation    seccomp_syscall_priority(3)

NAME

       seccomp_syscall_priority - Prioritize syscalls in the seccomp filter

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int SCMP_SYS(syscall_name);

       int seccomp_syscall_priority(scmp_filter_ctx ctx,
                                    int syscall, uint8_t priority);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_syscall_priority() function provides a priority hint to the
       seccomp filter generator in libseccomp such that higher priority
       syscalls are placed earlier in the seccomp filter code, so that they
       incur less overhead at the expense of lower priority syscalls. A
       syscall's priority can be set regardless of whether any rules currently
       exist for that syscall; the library will remember the priority and
       assign it to the syscall if and when a rule for that syscall is
       created.

       While it is possible to specify the syscall value directly using the
       standard __NR_syscall values, in order to ensure proper operation
       across multiple architectures it is highly recommended to use the
       SCMP_SYS() macro instead. See the EXAMPLES section below.

       The priority parameter takes an 8-bit value ranging from 0 to 255; a
       higher value represents a higher priority.

       The filter context ctx is the value returned by the call to
       seccomp_init().

RETURN VALUE

       The SCMP_SYS() macro returns a value suitable for use as the syscall
       value in seccomp_syscall_priority().

       The seccomp_syscall_priority() function returns zero on success or one
       of the following error codes on failure:

       -EDOM  Architecture specific failure.

       -EFAULT
              Internal libseccomp failure.

       -EINVAL
              Invalid input, either the context or architecture token is
              invalid.

       -ENOMEM
              The library was unable to allocate enough memory.

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            /* SCMP_ACT_KILL is the default action for syscalls that match no rule */
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            /* hint that read() should be placed early in the generated filter */
            rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }
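
       The ordering trade-off from DESCRIPTION, as an added example that is
       not part of the original page and is not libseccomp code: a simplified
       model that assumes the filter is a linear chain of syscall comparisons
       ordered by priority. The model_* functions, the M_* ids and the default
       priority of 0 are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not libseccomp code: the filter is treated as a linear
 * chain of syscall comparisons, highest priority first (an assumption). */
#define NSYS 8
enum { M_OPEN, M_CLOSE, M_WRITE, M_READ, M_MMAP }; /* constructed ids */
struct model {
    uint8_t prio[NSYS];  /* remembered hints by syscall id; 0 = model default */
    int order[NSYS];     /* syscalls that have a rule, in insertion order */
    int n_rules;
};

/* Store a hint; it is kept whether or not a rule for nr exists yet. */
int model_priority(struct model *m, int nr, uint8_t prio)
{
    if (nr < 0 || nr >= NSYS) return -1;
    m->prio[nr] = prio;
    return 0;
}

/* Add a rule for nr (the model expects each syscall to be added once). */
int model_rule_add(struct model *m, int nr)
{
    if (nr < 0 || nr >= NSYS || m->n_rules == NSYS) return -1;
    m->order[m->n_rules++] = nr;
    return 0;
}

/* Comparisons evaluated until nr matches (ties keep insertion order); -1 if no rule. */
int model_cost(const struct model *m, int nr)
{
    int ahead = 0, found = 0;
    if (nr < 0 || nr >= NSYS) return -1;
    for (int i = 0; i < m->n_rules; i++) {
        int s = m->order[i];
        if (s == nr) found = 1;
        else if (m->prio[s] > m->prio[nr] || (m->prio[s] == m->prio[nr] && !found))
            ahead++;
    }
    return found ? ahead + 1 : -1;
}

int main(void)
{
    struct model m = {0};
    model_priority(&m, M_READ, 200); /* hint first, rule added last */
    for (int s = M_OPEN; s <= M_READ; s++) model_rule_add(&m, s);
    printf("read=%d open=%d\n", model_cost(&m, M_READ), model_cost(&m, M_OPEN));
}
```

       In the model, the hinted syscall moves to the front of the chain and
       every other syscall with a rule is checked one comparison later.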

NOTES

       While the seccomp filter can be generated independently of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development; please report any bugs at the project site or directly to
       the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_rule_add(3), seccomp_rule_add_exact(3)

paul@paul-moore.com               30 May 2020      seccomp_syscall_priority(3)