.TH "seccomp_attr_set" 3 "21 August 2014" "paul@paul-moore.com" "libseccomp Documentation"

.\" //////////////////////////////////////////////////////////////////////////

.SH NAME

.\" //////////////////////////////////////////////////////////////////////////

seccomp_attr_set, seccomp_attr_get \- Manage the seccomp filter attributes

.\" //////////////////////////////////////////////////////////////////////////

.SH SYNOPSIS

.\" //////////////////////////////////////////////////////////////////////////

.nf

.B #include <seccomp.h>

.sp

.B typedef void * scmp_filter_ctx;

.B enum scmp_filter_attr;

.sp

.BI "int seccomp_attr_set(scmp_filter_ctx " ctx ","

.BI "                     enum scmp_filter_attr " attr ", uint32_t " value ");"

.BI "int seccomp_attr_get(scmp_filter_ctx " ctx ","

.BI "                     enum scmp_filter_attr " attr ", uint32_t *" value ");"

.sp

Link with \fI\-lseccomp\fP.

.fi

.\" //////////////////////////////////////////////////////////////////////////

.SH DESCRIPTION

.\" //////////////////////////////////////////////////////////////////////////

.P

The

.BR seccomp_attr_set ()

function sets the different seccomp filter attributes while the

.BR seccomp_attr_get ()

function fetches the filter attributes.  The seccomp filter attributes are

tunable values that affect how the library behaves when generating and loading

the seccomp filter into the kernel.  The attributes are reset to their default

values whenever the filter is initialized or reset via

.BR seccomp_filter_init (3)

or

.BR seccomp_filter_reset (3).

.P

The filter context

.I ctx

is the value returned by the call to

.BR seccomp_init (3).

.P

Valid

.I attr

values are as follows:

.TP

.B SCMP_FLTATR_ACT_DEFAULT

The default filter action as specified in the call to

.BR seccomp_filter_init (3)

or

.BR seccomp_filter_reset (3).

This attribute is read-only.

.TP

.B SCMP_FLTATR_ACT_BADARCH

The filter action taken when the loaded filter does not match the architecture

of the executing application.  Defaults to the

.B SCMP_ACT_KILL

action.

.TP

.B SCMP_FLTATR_CTL_NNP

A flag to specify if the NO_NEW_PRIVS functionality should be enabled before

loading the seccomp filter into the kernel.  Setting this to off (

.I value

== 0) results in no action, meaning that loading the seccomp filter into the

kernel will fail if CAP_SYS_ADMIN is missing and NO_NEW_PRIVS has not been

externally set.  Defaults to on (

.I value

== 1).

.TP

.B SCMP_FLTATR_CTL_TSYNC

A flag to specify if the kernel should attempt to synchronize the filters

across all threads on

.BR seccomp_load (3).

If the kernel is unable to synchronize all of the thread then the load

operation will fail.  This flag is only available on Linux Kernel 3.17 or

greater; attempting to enable this flag on earlier kernels will result in an

error being returned.  Defaults to off (

.I value

== 0).

.TP

.B SCMP_FLTATR_API_TSKIP

A flag to specify if libseccomp should allow filter rules to be created for

the -1 syscall.  The -1 syscall value can be used by tracer programs to skip

specific syscall invocations, see

.BR seccomp (2)

for more information.  Defaults to off (

.I value

== 0).

.TP

.B SCMP_FLTATR_CTL_LOG

A flag to specify if the kernel should log all filter actions taken except for

the

.BR SCMP_ACT_ALLOW

action. Defaults to off (

.I value

== 0).

.\" //////////////////////////////////////////////////////////////////////////

.SH RETURN VALUE

.\" //////////////////////////////////////////////////////////////////////////

Returns zero on success, negative errno values on failure.

.\" //////////////////////////////////////////////////////////////////////////

.SH EXAMPLES

.\" //////////////////////////////////////////////////////////////////////////

.nf

#include <seccomp.h>

int main(int argc, char *argv[])

{

	int rc = \-1;

	scmp_filter_ctx ctx;

	ctx = seccomp_init(SCMP_ACT_ALLOW);

	if (ctx == NULL)

		goto out;

	/* ... */

	rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP);

	if (rc < 0)

		goto out;

	/* ... */

out:

	seccomp_release(ctx);

	return \-rc;

}

.fi

.\" //////////////////////////////////////////////////////////////////////////

.SH NOTES

.\" //////////////////////////////////////////////////////////////////////////

.P

While the seccomp filter can be generated independent of the kernel, kernel

support is required to load and enforce the seccomp filter generated by

libseccomp.

.P

The libseccomp project site, with more information and the source code

repository, can be found at https://github.com/seccomp/libseccomp.  This tool,

as well as the libseccomp library, is currently under development, please

report any bugs at the project site or directly to the author.

.\" //////////////////////////////////////////////////////////////////////////

.SH AUTHOR

.\" //////////////////////////////////////////////////////////////////////////

Paul Moore <paul@paul-moore.com>

.\" //////////////////////////////////////////////////////////////////////////

.SH SEE ALSO

.\" //////////////////////////////////////////////////////////////////////////

.BR seccomp_init (3),

.BR seccomp_reset (3),

.BR seccomp_load (3),

.BR seccomp (2)