.TH "seccomp_api_get" 3 "8 October 2017" "paul@paul-moore.com" "libseccomp Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
seccomp_api_get, seccomp_api_set \- Manage the libseccomp API level
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.nf
.B #include <seccomp.h>
.sp
.BI "const unsigned int seccomp_api_get(" void ");"
.BI "int seccomp_api_set(unsigned int " level ");"
.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The
.BR seccomp_api_get ()
function returns an integer representing the functionality ("API level")
provided by the currently running kernel. It is important to note that while
.BR seccomp_api_get ()
can be called multiple times, the kernel is only probed the first time to see
what functionality is supported; all following calls to
.BR seccomp_api_get ()
return a cached value.
.P
The
.BR seccomp_api_set ()
function allows callers to force the API level to the provided value; however,
this is almost always a bad idea and use of this function is strongly
discouraged.
.P
The different API level values are described below:
.TP
.B 0
Reserved value, not currently used.
.TP
.B 1
Base level support.
.TP
.B 2
The SCMP_FLTATR_CTL_TSYNC filter attribute is supported and libseccomp uses
the
.BR seccomp (2)
syscall to load the seccomp filter into the kernel.
.TP
.B 3
The SCMP_FLTATR_CTL_LOG filter attribute and the SCMP_ACT_LOG action are supported.
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
The
.BR seccomp_api_get ()
function returns an integer representing the supported API level. The
.BR seccomp_api_set ()
function returns zero on success, negative values on failure.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
.\" //////////////////////////////////////////////////////////////////////////
.nf
#include <seccomp.h>

int main(int argc, char *argv[])
{
        unsigned int api;

        /* the kernel is probed on the first call only */
        api = seccomp_api_get();
        switch (api) {
        case 2:
                /* ... */
                break;
        default:
                /* ... */
                break;
        }

        return 0;

err:
        return \-1;
}
.fi
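.P
The following added example is not part of the libseccomp documentation or
source. It gates the optional filter attributes on the API level and fails
closed when a feature the caller requires is missing. The names
plan_for_level(), struct filter_plan and HAVE_LIBSECCOMP are hypothetical, and
levels above 3 are assumed to keep the features of the lower levels.
.nf
```c
/* Added example. With the library: cc -DHAVE_LIBSECCOMP gate.c -lseccomp
 * Without HAVE_LIBSECCOMP only the level-gating logic is compiled. */
#include <errno.h>
#include <stdbool.h>
#ifdef HAVE_LIBSECCOMP
#include <seccomp.h>
#endif

struct filter_plan {        /* hypothetical helper type */
    bool use_tsync;         /* set SCMP_FLTATR_CTL_TSYNC, needs level >= 2 */
    bool use_log;           /* set SCMP_FLTATR_CTL_LOG, needs level >= 3 */
};

/* Map an API level to the optional features to enable. A feature the caller
 * marks as required makes the call fail instead of being silently dropped. */
int plan_for_level(unsigned int level, bool need_tsync, bool need_log,
                   struct filter_plan *out)
{
    if (level == 0)
        return -EINVAL;     /* level 0 is reserved */
    out->use_tsync = level >= 2;
    out->use_log = level >= 3;
    if ((need_tsync && !out->use_tsync) || (need_log && !out->use_log))
        return -EOPNOTSUPP; /* fail closed: do not load a weaker filter */
    return 0;
}

int main(void)
{
    struct filter_plan plan;
    unsigned int level = 3; /* constructed value, used without the library */
#ifdef HAVE_LIBSECCOMP
    level = seccomp_api_get();
#endif
    /* this caller treats TSYNC as required and logging as optional */
    int rc = plan_for_level(level, true, false, &plan);
    if (rc < 0)
        return 1;
#ifdef HAVE_LIBSECCOMP
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    if (!ctx)
        return 1;
    if (plan.use_tsync)
        rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
    if (rc == 0 && plan.use_log)
        rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1);
    seccomp_release(ctx);   /* rule setup and seccomp_load() omitted */
#endif
    return rc == 0 ? 0 : 1;
}
```
.fi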
.\" //////////////////////////////////////////////////////////////////////////
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
While the seccomp filter can be generated independently of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
.P
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp. This tool,
as well as the libseccomp library, is currently under development; please
report any bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH AUTHOR
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////