seccomp_attr_set(3)        libseccomp Documentation        seccomp_attr_set(3)

NAME
       seccomp_attr_set, seccomp_attr_get - Manage the seccomp filter attributes

SYNOPSIS
       #include <seccomp.h>

       typedef void * scmp_filter_ctx;
       enum scmp_filter_attr;

       int seccomp_attr_set(scmp_filter_ctx ctx,
                            enum scmp_filter_attr attr, uint32_t value);
       int seccomp_attr_get(scmp_filter_ctx ctx,
                            enum scmp_filter_attr attr, uint32_t *value);

       Link with -lseccomp.

DESCRIPTION
       The seccomp_attr_set() function sets the different seccomp filter
       attributes while the seccomp_attr_get() function fetches the filter
       attributes.  The seccomp filter attributes are tunable values that
       affect how the library behaves when generating and loading the seccomp
       filter into the kernel.  The attributes are reset to their default
       values whenever the filter is initialized or reset via
       seccomp_filter_init(3) or seccomp_filter_reset(3).

       The filter context ctx is the value returned by the call to
       seccomp_init(3).

       Valid attr values are as follows:

       SCMP_FLTATR_ACT_DEFAULT
              The default filter action as specified in the call to
              seccomp_filter_init(3) or seccomp_filter_reset(3).  This
              attribute is read-only.

       SCMP_FLTATR_ACT_BADARCH
              The filter action taken when the loaded filter does not match
              the architecture of the executing application.  Defaults to the
              SCMP_ACT_KILL action.

       SCMP_FLTATR_CTL_NNP
              A flag to specify if the NO_NEW_PRIVS functionality should be
              enabled before loading the seccomp filter into the kernel.
              Setting this to off (value == 0) results in no action, meaning
              that loading the seccomp filter into the kernel will fail if
              CAP_SYS_ADMIN is missing and NO_NEW_PRIVS has not been
              externally set.  Defaults to on (value == 1).

       SCMP_FLTATR_CTL_TSYNC
              A flag to specify if the kernel should attempt to synchronize
              the filters across all threads on seccomp_load(3).  If the
              kernel is unable to synchronize all of the threads then the
              load operation will fail.  This flag is only available on Linux
              Kernel 3.17 or greater; attempting to enable this flag on
              earlier kernels will result in an error being returned.
              Defaults to off (value == 0).

       SCMP_FLTATR_API_TSKIP
              A flag to specify if libseccomp should allow filter rules to be
              created for the -1 syscall.  The -1 syscall value can be used by
              tracer programs to skip specific syscall invocations, see
              seccomp(2) for more information.  Defaults to off (value == 0).

       SCMP_FLTATR_CTL_LOG
              A flag to specify if the kernel should log all filter actions
              taken except for the SCMP_ACT_ALLOW action.  Defaults to off
              (value == 0).

       SCMP_FLTATR_CTL_SSB
              A flag to disable Speculative Store Bypass mitigations for this
              filter.  Defaults to off (value == 0).

       SCMP_FLTATR_CTL_OPTIMIZE
              A flag to specify the optimization level of the seccomp filter.
              By default libseccomp generates a set of sequential 'if'
              statements for each rule in the filter.
              seccomp_syscall_priority(3) can be used to prioritize the order
              for the default case.  The binary tree optimization sorts by
              syscall numbers and generates consistent O(log n) filter
              traversal for every rule in the filter.  The binary tree may be
              advantageous for large filters.  Note that
              seccomp_syscall_priority(3) is ignored when
              SCMP_FLTATR_CTL_OPTIMIZE == 2.

              The different optimization levels are described below:

              0      Reserved value, not currently used.

              1      Rules sorted by priority and complexity (DEFAULT).

              2      Binary tree sorted by syscall number.

       SCMP_FLTATR_API_SYSRAWRC
              A flag to specify if libseccomp should pass system error codes
              back to the caller instead of the default -ECANCELED.  Defaults
              to off (value == 0).
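       The optimization levels above contrast a sequential chain of
       comparisons with a binary tree sorted by syscall number.  The program
       below is an added illustration, not code from libseccomp or from this
       manual page: it models both lookup strategies over a constructed rule
       set of 64 placeholder syscall numbers (3, 6, ..., 192, not real
       syscall numbers) and counts the comparisons each lookup needs.  It
       also emulates the effect of seccomp_syscall_priority(3) at level 1 by
       moving one rule to the front of the chain, and shows why that
       reordering has no effect at level 2.

```c
/* Added model of libseccomp optimization levels 1 and 2.  Not libseccomp
 * code: the rule set is constructed and the "filter" only counts probes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NRULES 64

struct model {
    int rules[NRULES];   /* syscall numbers, in the order rules were added */
    int comparisons;     /* probes performed by the most recent lookup */
};

/* Constructed rule set: every third number, inserted in ascending order. */
static void model_init(struct model *m)
{
    for (int i = 0; i < NRULES; i++)
        m->rules[i] = 3 * (i + 1);
    m->comparisons = 0;
}

/* Emulates seccomp_syscall_priority(3) at level 1: move one rule to the
 * front so the sequential chain tests it first. */
static void model_prioritize(struct model *m, int nr)
{
    for (int i = 0; i < NRULES; i++) {
        if (m->rules[i] == nr) {
            memmove(&m->rules[1], &m->rules[0], i * sizeof(int));
            m->rules[0] = nr;
            return;
        }
    }
}

/* Level 1: one 'if (nr == rule)' per rule, walked in rule order. */
static int match_sequential(struct model *m, int nr)
{
    m->comparisons = 0;
    for (int i = 0; i < NRULES; i++) {
        m->comparisons++;
        if (m->rules[i] == nr)
            return 1;
    }
    return 0;
}

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Level 2: rules sorted by syscall number and searched as a binary tree;
 * insertion order (and therefore priority) no longer influences the cost. */
static int match_tree(struct model *m, int nr)
{
    int sorted[NRULES];
    memcpy(sorted, m->rules, sizeof(sorted));
    qsort(sorted, NRULES, sizeof(int), cmp_int);

    int lo = 0, hi = NRULES - 1;
    m->comparisons = 0;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        m->comparisons++;
        if (sorted[mid] == nr)
            return 1;
        if (sorted[mid] < nr)
            lo = mid + 1;
        else
            hi = mid - 1;
    }
    return 0;
}

/* Comparisons needed to resolve syscall nr at the given level; when
 * prioritized != 0 the rule is first moved to the front of the chain. */
int lookup_cost(int level, int nr, int prioritized)
{
    struct model m;
    model_init(&m);
    if (prioritized)
        model_prioritize(&m, nr);
    if (level == 2)
        match_tree(&m, nr);
    else
        match_sequential(&m, nr);
    return m.comparisons;
}

/* Worst case over every rule: O(n) at level 1, O(log n) at level 2. */
int worst_case_cost(int level)
{
    int worst = 0;
    for (int i = 0; i < NRULES; i++) {
        int c = lookup_cost(level, 3 * (i + 1), 0);
        if (c > worst)
            worst = c;
    }
    return worst;
}

int main(void)
{
    printf("level 1 worst case: %d comparisons\n", worst_case_cost(1));
    printf("level 2 worst case: %d comparisons\n", worst_case_cost(2));
    printf("syscall 192 at level 1: %d, after priority: %d\n",
           lookup_cost(1, 192, 0), lookup_cost(1, 192, 1));
    printf("syscall 192 at level 2: %d, after priority: %d\n",
           lookup_cost(2, 192, 0), lookup_cost(2, 192, 1));
    return 0;
}
```

       With 64 rules the sequential chain needs up to 64 comparisons for the
       last rule (or for any syscall with no rule at all), while the sorted
       tree needs at most 7.  Prioritizing the last rule drops its level 1
       cost to a single comparison and leaves the level 2 cost unchanged,
       which is why the manual notes that seccomp_syscall_priority(3) is
       ignored at SCMP_FLTATR_CTL_OPTIMIZE == 2.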
101
RETURN VALUE
       Returns zero on success or one of the following error codes on failure:

       -EACCES
              Setting the attribute with the given value is not allowed.

       -EEXIST
              The attribute does not exist.

       -EINVAL
              Invalid input, either the context or architecture token is
              invalid.

       -EOPNOTSUPP
              The library doesn't support the particular operation.

EXAMPLES
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
               int rc = -1;
               scmp_filter_ctx ctx;

               /* new filter context whose default action allows syscalls */
               ctx = seccomp_init(SCMP_ACT_ALLOW);
               if (ctx == NULL)
                       goto out;

               /* ... */

               /* trap, rather than kill, when the filter is loaded on an
                * architecture it was not built for */
               rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP);
               if (rc < 0)
                       goto out;

               /* ... */

       out:
               seccomp_release(ctx);
               return -rc;
       }

NOTES
       While the seccomp filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development, please report any bugs at the project site or directly to
       the author.

AUTHOR
       Paul Moore <paul@paul-moore.com>

SEE ALSO
       seccomp_init(3), seccomp_reset(3), seccomp_load(3), seccomp(2)

160
161
paul@paul-moore.com              06 June 2020            seccomp_attr_set(3)