.TH "seccomp_init" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
seccomp_init, seccomp_reset \- Initialize the seccomp filter state
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.nf
.B #include <seccomp.h>
.sp
.B typedef void * scmp_filter_ctx;
.sp
.BI "scmp_filter_ctx seccomp_init(uint32_t " def_action ");"
.BI "int seccomp_reset(scmp_filter_ctx " ctx ", uint32_t " def_action ");"
.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The
.BR seccomp_init ()
and
.BR seccomp_reset ()
functions (re)initialize the internal seccomp filter state, prepare it for
use, and sets the default action based on the
.I def_action
parameter. The
.BR seccomp_init ()
function must be called before any other libseccomp functions as the rest
of the library API will fail if the filter context is not initialized properly.
The
.BR seccomp_reset ()
function releases the existing filter context state before reinitializing it
and can only be called after a call to
.BR seccomp_init ()
has succeeded.
.P
When the caller is finished configuring the seccomp filter and has loaded it
into the kernel, the caller should call
.BR seccomp_release (3)
to release all of the filter context state.
.P
Valid
.I def_action
values are as follows:
.TP
.B SCMP_ACT_KILL
The thread will be terminated by the kernel with SIGSYS when it calls a syscall
that does not match any of the configured seccomp filter rules. The thread
will not be able to catch the signal.
.TP
.B SCMP_ACT_KILL_PROCESS
The entire process will be terminated by the kernel with SIGSYS when it calls a
syscall that does not match any of the configured seccomp filter rules.
.TP
.B SCMP_ACT_TRAP
The thread will be sent a SIGSYS signal when it calls a syscall that does not
match any of the configured seccomp filter rules. It may catch this and change
its behavior accordingly. When using SA_SIGINFO with
.BR sigaction (2),
si_code will be set to SYS_SECCOMP, si_syscall will be set to the syscall that
failed the rules, and si_arch will be set to the AUDIT_ARCH for the active ABI.
.TP
.B SCMP_ACT_ERRNO(uint16_t errno)
The thread will receive a return value of
.I errno
when it calls a syscall that does not match any of the configured seccomp filter
rules.
.TP
.B SCMP_ACT_TRACE(uint16_t msg_num)
If the thread is being traced and the tracing process specified the
.B PTRACE_O_TRACESECCOMP
option in the call to
.BR ptrace (2),
the tracing process will be notified, via
.BR PTRACE_EVENT_SECCOMP ,
and the value provided in
.I msg_num
can be retrieved using the
.B PTRACE_GETEVENTMSG
option.
.TP
.B SCMP_ACT_LOG
The seccomp filter will have no effect on the thread calling the syscall if it
does not match any of the configured seccomp filter rules but the syscall will
be logged.
.TP
.B SCMP_ACT_ALLOW
The seccomp filter will have no effect on the thread calling the syscall if it
does not match any of the configured seccomp filter rules.
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
The
.BR seccomp_init ()
function returns a filter context on success, NULL on failure. The
.BR seccomp_reset ()
function returns zero on success, negative errno values on failure.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
.\" //////////////////////////////////////////////////////////////////////////
.nf
#include <seccomp.h>

int main(int argc, char *argv[])
{
	int rc = \-1;
	scmp_filter_ctx ctx;

	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		goto out;

	/* ... */

	rc = seccomp_reset(ctx, SCMP_ACT_KILL);
	if (rc < 0)
		goto out;

	/* ... */

out:
	seccomp_release(ctx);
	return \-rc;
}
.fi
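.P
The SCMP_ACT_TRAP default action described above, shown as an added example that is not part of the libseccomp documentation or source. It uses the raw prctl(2) seccomp interface rather than libseccomp so that it builds without \-lseccomp; the hand-written filter corresponds to seccomp_init(SCMP_ACT_TRAP) plus allow rules for rt_sigreturn and exit_group. The names trap_default_demo and on_sigsys are made up for illustration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1	/* si_code the kernel uses for seccomp-raised SIGSYS */
#endif
static volatile sig_atomic_t trapped;	/* 1 once SIGSYS carried the expected fields */

static void on_sigsys(int sig, siginfo_t *si, void *uctx)
{
	(void)sig; (void)uctx;
	trapped = si->si_code == SYS_SECCOMP && si->si_syscall == SYS_getppid &&
		  si->si_arch != 0;	/* si_arch holds an AUDIT_ARCH_* value */
}

/* Returns 0 if an unmatched syscall in the child raised a catchable SIGSYS. */
int trap_default_demo(void)
{
	/* Allow rt_sigreturn and exit_group only; real filters also check seccomp_data.arch. */
	struct sock_filter prog[] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_rt_sigreturn, 1, 0),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),	/* the default action */
	};
	struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
	struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };
	int status;
	pid_t pid = fork();
	if (pid == 0) {		/* child: install the filter, then violate it */
		sigaction(SIGSYS, &sa, NULL);
		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
		    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
			_exit(2);
		syscall(SYS_getppid);	/* not on the allow list */
		_exit(!trapped);
	}
	if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}
int main(void) { return trap_default_demo(); }
```

Exit status 2 means the kernel refused to load the filter; with a kill default action in place of the trap, the child would die from SIGSYS before reaching the handler.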
.\" //////////////////////////////////////////////////////////////////////////
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
.P
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp. This tool,
as well as the libseccomp library, is currently under development; please
report any bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH AUTHOR
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.SH SEE ALSO
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_release (3)