.TH "seccomp_syscall_priority" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation"

.\" //////////////////////////////////////////////////////////////////////////

.SH NAME

.\" //////////////////////////////////////////////////////////////////////////

seccomp_syscall_priority \- Prioritize syscalls in the seccomp filter

.\" //////////////////////////////////////////////////////////////////////////

.SH SYNOPSIS

.\" //////////////////////////////////////////////////////////////////////////

.nf

.B #include <seccomp.h>

.sp

.B typedef void * scmp_filter_ctx;

.sp

.BI "int SCMP_SYS(" syscall_name ");"

.sp

.BI "int seccomp_syscall_priority(scmp_filter_ctx " ctx ","

.BI "                             int " syscall ", uint8_t " priority ");"

.sp

Link with \fI\-lseccomp\fP.

.fi

.\" //////////////////////////////////////////////////////////////////////////

.SH DESCRIPTION

.\" //////////////////////////////////////////////////////////////////////////

.P

The

.BR seccomp_syscall_priority ()

function provides a priority hint to the seccomp filter generator in libseccomp

such that higher priority syscalls are placed earlier in the seccomp filter code

so that they incur less overhead at the expense of lower priority syscalls.  A

syscall's priority can be set regardless of if any rules currently exist for

that syscall; the library will remember the priority and it will be assigned to

the syscall if and when a rule for that syscall is created.

.P

While it is possible to specify the

.I syscall

value directly using the standard

.B __NR_syscall

values, in order to ensure proper operation across multiple architectures it

is highly recommended to use the

.BR SCMP_SYS ()

macro instead.  See the EXAMPLES section below.

.P

The

.I priority

parameter takes an 8-bit value ranging from 0 \- 255; a higher value represents

a higher priority.

.P

The filter context

.I ctx

is the value returned by the call to

.BR seccomp_init ().

.\" //////////////////////////////////////////////////////////////////////////

.SH RETURN VALUE

.\" //////////////////////////////////////////////////////////////////////////

The

.BR SCMP_SYS ()

macro returns a value suitable for use as the

.I syscall

value in

.BR seccomp_syscall_priority ().

.P

The

.BR seccomp_syscall_priority ()

function returns zero on success or one of the following error codes on

failure:

.TP

.B -EDOM

Architecture specific failure.

.TP

.B -EFAULT

Internal libseccomp failure.

.TP

.B -EINVAL

Invalid input, either the context or architecture token is invalid.

.TP

.B -ENOMEM

The library was unable to allocate enough memory.

.\" //////////////////////////////////////////////////////////////////////////

.SH EXAMPLES

.\" //////////////////////////////////////////////////////////////////////////

.nf

#include <seccomp.h>

int main(int argc, char *argv[])

{

	int rc = \-1;

	scmp_filter_ctx ctx;

	ctx = seccomp_init(SCMP_ACT_KILL);

	if (ctx == NULL)

		goto out;

	/* ... */

	rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200);

	if (rc < 0)

		goto out;

	/* ... */

out:

	seccomp_release(ctx);

	return \-rc;

}

.fi

.\" //////////////////////////////////////////////////////////////////////////

.SH NOTES

.\" //////////////////////////////////////////////////////////////////////////

.P

While the seccomp filter can be generated independent of the kernel, kernel

support is required to load and enforce the seccomp filter generated by

libseccomp.

.P

The libseccomp project site, with more information and the source code

repository, can be found at https://github.com/seccomp/libseccomp.  This tool,

as well as the libseccomp library, is currently under development, please

report any bugs at the project site or directly to the author.

.\" //////////////////////////////////////////////////////////////////////////

.SH AUTHOR

.\" //////////////////////////////////////////////////////////////////////////

Paul Moore <paul@paul-moore.com>

.\" //////////////////////////////////////////////////////////////////////////

.SH SEE ALSO

.\" //////////////////////////////////////////////////////////////////////////

.BR seccomp_rule_add (3),

.BR seccomp_rule_add_exact (3)