seccomp_attr_set(3)        libseccomp Documentation        seccomp_attr_set(3)
NAME

       seccomp_attr_set, seccomp_attr_get - Manage the seccomp filter attributes


SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;
       enum scmp_filter_attr;

       int seccomp_attr_set(scmp_filter_ctx ctx,
                            enum scmp_filter_attr attr, uint32_t value);
       int seccomp_attr_get(scmp_filter_ctx ctx,
                            enum scmp_filter_attr attr, uint32_t *value);

       Link with -lseccomp.


DESCRIPTION

       The seccomp_attr_set() function sets the different seccomp filter
       attributes while the seccomp_attr_get() function fetches the filter
       attributes.  The seccomp filter attributes are tunable values that
       affect how the library behaves when generating and loading the seccomp
       filter into the kernel.  The attributes are reset to their default
       values whenever the filter is initialized or reset via seccomp_init(3)
       or seccomp_reset(3), so they must be set after the last reset and
       before seccomp_load(3).

       The filter context ctx is the value returned by the call to
       seccomp_init(3).

       Valid attr values are as follows:

       SCMP_FLTATR_ACT_DEFAULT
              The default filter action as specified in the call to
              seccomp_init(3) or seccomp_reset(3).  This attribute is
              read-only; seccomp_attr_set() returns -EACCES for it.

       SCMP_FLTATR_ACT_BADARCH
              The filter action taken when the loaded filter does not match
              the architecture of the executing application.  Defaults to
              the SCMP_ACT_KILL action, which kills only the calling thread;
              a multithreaded program may prefer SCMP_ACT_KILL_PROCESS.

       SCMP_FLTATR_CTL_NNP
              A flag to specify if the NO_NEW_PRIVS functionality should be
              enabled before loading the seccomp filter into the kernel.
              Setting this to off (value == 0) results in no action, meaning
              that loading the seccomp filter into the kernel will fail if
              CAP_SYS_ADMIN is missing and NO_NEW_PRIVS has not been
              externally set.  Note that NO_NEW_PRIVS, once set, is inherited
              across fork(2) and execve(2) and cannot be cleared.  Defaults
              to on (value == 1).

       SCMP_FLTATR_CTL_TSYNC
              A flag to specify if the kernel should attempt to synchronize
              the filters across all threads on seccomp_load(3).  If the
              kernel is unable to synchronize all of the threads then the
              load operation will fail.  Without this flag only the calling
              thread receives the filter; any thread already running keeps
              the filter set it had before.  This flag is only available on
              Linux Kernel 3.17 or greater; attempting to enable this flag
              on earlier kernels will result in an error being returned.
              Defaults to off (value == 0).

       SCMP_FLTATR_API_TSKIP
              A flag to specify if libseccomp should allow filter rules to be
              created for the -1 syscall.  The -1 syscall value can be used by
              tracer programs to skip specific syscall invocations, see
              seccomp(2) for more information.  Defaults to off (value == 0).

       SCMP_FLTATR_CTL_LOG
              A flag to specify if the kernel should log all filter actions
              taken except for the SCMP_ACT_ALLOW action.  Requires Linux
              Kernel 4.14 or greater; on older kernels enabling it returns
              an error.  Defaults to off (value == 0).

       SCMP_FLTATR_CTL_SSB
              A flag to disable Speculative Store Bypass mitigations for this
              filter.  With the kernel's default spec_store_bypass_disable=
              seccomp setting, loading a filter turns the SSB mitigation on
              for the task; enabling this flag (value == 1) opts out of that
              hardening, so it should only be used where the performance cost
              has been measured and the risk accepted.  Defaults to off
              (value == 0).

       SCMP_FLTATR_CTL_OPTIMIZE
              A flag to specify the optimization level of the seccomp filter.
              By default libseccomp generates a set of sequential 'if'
              statements for each rule in the filter.
              seccomp_syscall_priority(3) can be used to prioritize the order
              for the default case.  The binary tree optimization sorts by
              syscall numbers and generates consistent O(log n) filter
              traversal for every rule in the filter.  The binary tree may be
              advantageous for large filters.  Note that
              seccomp_syscall_priority(3) is ignored when
              SCMP_FLTATR_CTL_OPTIMIZE == 2.

              The different optimization levels are described below:

              0      Reserved value, not currently used.

              1      Rules sorted by priority and complexity (DEFAULT).

              2      Binary tree sorted by syscall number.

       SCMP_FLTATR_API_SYSRAWRC
              A flag to specify if libseccomp should pass system error codes
              back to the caller instead of the default -ECANCELED, so that,
              for example, a failed seccomp_load(3) reports the errno the
              kernel actually returned.  Defaults to off (value == 0).


RETURN VALUE

       Returns zero on success or one of the following error codes on failure:

       -EACCES
              Setting the attribute with the given value is not allowed, for
              example because the attribute is read-only.

       -EEXIST
              The attribute does not exist.

       -EINVAL
              Invalid input, either the context or the attribute value is
              invalid.

       -EOPNOTSUPP
              The library doesn't support the particular operation.
117

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_ALLOW);
            if (ctx == NULL)
                 goto out;

            /* ... */

            /* trap instead of killing on an architecture mismatch; any
             * attribute must be set before seccomp_load(3) */
            rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            /* seccomp_release() accepts NULL, so this is safe after init failure */
            seccomp_release(ctx);
            return -rc;
       }


NOTES

       While the seccomp filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development, please report any bugs at the project site or directly to
       the author.


AUTHOR

       Paul Moore <paul@paul-moore.com>


SEE ALSO

       seccomp_init(3), seccomp_reset(3), seccomp_load(3), seccomp(2)



paul@paul-moore.com              06 June 2020              seccomp_attr_set(3)