.TH "seccomp_attr_set" 3 "21 August 2014" "paul@paul-moore.com" "libseccomp Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
seccomp_attr_set, seccomp_attr_get \- Manage the seccomp filter attributes
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.nf
.B #include <seccomp.h>
.sp
.B typedef void * scmp_filter_ctx;
.B enum scmp_filter_attr;
.sp
.BI "int seccomp_attr_set(scmp_filter_ctx " ctx ","
.BI " enum scmp_filter_attr " attr ", uint32_t " value ");"
.BI "int seccomp_attr_get(scmp_filter_ctx " ctx ","
.BI " enum scmp_filter_attr " attr ", uint32_t *" value ");"
.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The
.BR seccomp_attr_set ()
function sets the seccomp filter attributes listed below, while the
.BR seccomp_attr_get ()
function fetches the filter attributes. The seccomp filter attributes are
tunable values that affect how the library behaves when generating and loading
the seccomp filter into the kernel. The attributes are reset to their default
values whenever the filter is initialized or reset via
.BR seccomp_init (3)
or
.BR seccomp_reset (3).
.P
The filter context
.I ctx
is the value returned by the call to
.BR seccomp_init (3).
.P
Valid
.I attr
values are as follows:
.TP
.B SCMP_FLTATR_ACT_DEFAULT
The default filter action as specified in the call to
.BR seccomp_init (3)
or
.BR seccomp_reset (3).
This attribute is read-only; it can be queried with seccomp_attr_get() but not changed through seccomp_attr_set().
.TP
.B SCMP_FLTATR_ACT_BADARCH
The filter action taken when a system call arrives through an architecture (ABI) that the loaded filter does not cover, i.e. when the filter does not match the architecture
of the executing application. Defaults to the
.B SCMP_ACT_KILL
action. Because this action is applied to every system call the filter was not built for, any value more permissive than \fBSCMP_ACT_KILL\fP lets such calls past the rest of the filter's rules; change it deliberately, not as a convenience.
.TP
.B SCMP_FLTATR_CTL_NNP
A flag to specify if the NO_NEW_PRIVS functionality should be enabled before
loading the seccomp filter into the kernel. Setting this to off (
.I value
== 0) results in no action, meaning that loading the seccomp filter into the
kernel will fail unless the calling thread has CAP_SYS_ADMIN in its user namespace or NO_NEW_PRIVS has already been
externally set. NO_NEW_PRIVS is what prevents a filtered process from gaining privileges across a set-user-ID or file-capability execve(2) (see seccomp(2)), so only turn it off when the caller has set the bit itself. Defaults to on (
.I value
== 1).
.TP
.B SCMP_FLTATR_CTL_TSYNC
A flag to specify if the kernel should attempt to synchronize the filters
across all threads on
.BR seccomp_load (3).
Without it the filter is applied only to the calling thread (and to threads it creates afterwards); threads that already exist stay unfiltered, so multi-threaded programs should enable it. If the kernel is unable to synchronize all of the threads then the load
operation will fail. This flag is only available on Linux Kernel 3.17 or
greater; attempting to enable this flag on earlier kernels will result in an
error being returned. Defaults to off (
.I value
== 0).
.TP
.B SCMP_FLTATR_API_TSKIP
A flag to specify if libseccomp should allow filter rules to be created for
the \-1 syscall. The \-1 syscall value can be used by tracer programs to skip
specific syscall invocations, see
.BR seccomp (2)
for more information. Defaults to off (
.I value
== 0).
.TP
.B SCMP_FLTATR_CTL_LOG
A flag to specify if the kernel should log all filter actions taken except for
the
.BR SCMP_ACT_ALLOW
action. Defaults to off (
.I value
== 0).
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
Returns zero on success, or a negative errno value on failure. Always check the result of seccomp_attr_set(): a rejected attribute (for example SCMP_FLTATR_CTL_TSYNC on a kernel that does not support it) means the filter would otherwise be loaded without the intended setting.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
.\" //////////////////////////////////////////////////////////////////////////
.nf
#include <seccomp.h>
/*
 * Example: create a filter whose default action is SCMP_ACT_ALLOW and
 * override the action taken for system calls that arrive through an
 * architecture the filter does not cover (SCMP_FLTATR_ACT_BADARCH).
 * The filter is only configured here; it is never loaded with
 * seccomp_load(3).  The exit status is 0 on success, otherwise the
 * positive errno value reported by libseccomp (1 if the context could
 * not be created).
 */
int main(int argc, char *argv[])
{
	/* libseccomp convention: 0 on success, negative errno on failure. */
	int rc = \-1;
	scmp_filter_ctx ctx;

	/* A NULL context means seccomp_init(3) failed. */
	ctx = seccomp_init(SCMP_ACT_ALLOW);
	if (ctx == NULL)
		goto out;

	/* ... */

	/*
	 * Replace the SCMP_ACT_KILL default for bad-architecture system
	 * calls with SCMP_ACT_TRAP.  NOTE(review): this only demonstrates the
	 * call; since this action is what a system call through an
	 * unexpected ABI receives, the SCMP_ACT_KILL default is the
	 * conservative choice for untrusted code.
	 */
	rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP);
	if (rc < 0)
		goto out;

	/* ... */

out:
	/*
	 * NOTE(review): ctx is still NULL here if seccomp_init(3) failed;
	 * confirm that seccomp_release(3) accepts a NULL context.
	 */
	seccomp_release(ctx);
	/* rc is 0 or negative, so \-rc is a non-negative exit status. */
	return \-rc;
}
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
.P
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp. This function,
as well as the libseccomp library, is currently under development, please
report any bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH AUTHOR
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.SH SEE ALSO
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_init (3),
.BR seccomp_reset (3),
.BR seccomp_load (3),
.BR seccomp (2)