.TH "seccomp_syscall_priority" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
seccomp_syscall_priority \- Prioritize syscalls in the seccomp filter
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.nf
.B #include <seccomp.h>
.sp
.B typedef void * scmp_filter_ctx;
.sp
.BI "int SCMP_SYS(" syscall_name ");"
.sp
.BI "int seccomp_syscall_priority(scmp_filter_ctx " ctx ","
.BI " int " syscall ", uint8_t " priority ");"
.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The
.BR seccomp_syscall_priority ()
function provides a priority hint to the seccomp filter generator in libseccomp
such that higher priority syscalls are placed earlier in the seccomp filter code
so that they incur less overhead at the expense of lower priority syscalls. A
syscall's priority can be set regardless of whether any rules currently exist for
that syscall; the library will remember the priority and it will be assigned to
the syscall if and when a rule for that syscall is created.
.P
While it is possible to specify the
.I syscall
value directly using the standard
.B __NR_syscall
values, in order to ensure proper operation across multiple architectures it
is highly recommended to use the
.BR SCMP_SYS ()
macro instead. See the EXAMPLES section below.
.P
The
.I priority
parameter takes an 8-bit value ranging from 0 \- 255; a higher value represents
a higher priority.
.P
The filter context
.I ctx
is the value returned by the call to
.BR seccomp_init ().
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
The
.BR SCMP_SYS ()
macro returns a value suitable for use as the
.I syscall
value in
.BR seccomp_syscall_priority ().
.P
The
.BR seccomp_syscall_priority ()
function returns zero on success or one of the following error codes on
failure:
.TP
.B -EDOM
Architecture specific failure.
.TP
.B -EFAULT
Internal libseccomp failure.
.TP
.B -EINVAL
Invalid input; either the context or the architecture token is invalid.
.TP
.B -ENOMEM
The library was unable to allocate enough memory.
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
.\" //////////////////////////////////////////////////////////////////////////
.nf
#include <seccomp.h>
int main(int argc, char *argv[])
{
	/* argc and argv are unused in this example */
	/* exit status; it is returned negated below, so a failed
	 * seccomp_init() exits with 1 */
	int rc = \-1;
	scmp_filter_ctx ctx;

	/* ctx is NULL on failure; SCMP_ACT_KILL is the new filter's default
	 * action, see seccomp_init(3) */
	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		goto out;

	/* ... */

	/* priority is 0-255, a higher value places the syscall earlier in the
	 * generated filter; rules for read(2) may be added before or after
	 * this call, the library remembers the priority either way */
	rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200);
	if (rc < 0)
		goto out;

	/* ... */

out:
	/* also reached with ctx == NULL when seccomp_init() failed */
	seccomp_release(ctx);
	/* rc is 0 or a negative error code, so the exit status is its magnitude */
	return \-rc;
}
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
.P
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp. This tool,
as well as the libseccomp library, is currently under development; please
report any bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH AUTHOR
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.SH SEE ALSO
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_rule_add (3),
.BR seccomp_rule_add_exact (3)