seccomp_init(3) libseccomp Documentation seccomp_init(3)NAME
seccomp_init, seccomp_reset - Initialize the seccomp filter state
SYNOPSIS
#include <seccomp.h>
typedef void * scmp_filter_ctx;
scmp_filter_ctx seccomp_init(uint32_t def_action);
int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);
Link with -lseccomp.
DESCRIPTION
The seccomp_init() and seccomp_reset() functions (re)initialize the
internal seccomp filter state, prepares it for use, and sets the
default action based on the def_action parameter. The seccomp_init()
function must be called before any other libseccomp functions as the
rest of the library API will fail if the filter context is not initial‐
ized properly. The seccomp_reset() function releases the existing fil‐
ter context state before reinitializing it and can only be called after
a call to seccomp_init() has succeeded.
When the caller is finished configuring the seccomp filter and has
loaded it into the kernel, the caller should call seccomp_release(3) to
release all of the filter context state.
Valid def_action values are as follows:
SCMP_ACT_KILL
The process will be killed by the kernel when it calls a syscall
that does not match any of the configured seccomp filter rules.
SCMP_ACT_TRAP
The process will throw a SIGSYS signal when it calls a syscall
that does not match any of the configured seccomp filter rules.
SCMP_ACT_ERRNO(uint16_t errno)
The process will receive a return value of errno when it calls a
syscall that does not match any of the configured seccomp filter
rules.
SCMP_ACT_TRACE(uint16_t msg_num)
If the process is being traced and the tracing process specified
the PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the
tracing process will be notified, via PTRACE_EVENT_SECCOMP , and
the value provided in msg_num can be retrieved using the
PTRACE_GETEVENTMSG option.
SCMP_ACT_ALLOW
The seccomp filter will have no effect on the process calling
the syscall if it does not match any of the configured seccomp
filter rules.
RETURN VALUE
The seccomp_init() function returns a filter context on success, NULL
on failure. The seccomp_reset() function returns zero on success, neg‐
ative errno values on failure.
EXAMPLES
#include <seccomp.h>
int main(int argc, char *argv[])
{
int rc = -1;
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL)
goto out;
/* ... */
rc = seccomp_reset(ctx, SCMP_ACT_KILL);
if (rc < 0)
goto out;
/* ... */
out:
seccomp_release(ctx);
return -rc;
}
NOTES
While the seccomp filter can be generated independent of the kernel,
kernel support is required to load and enforce the seccomp filter gen‐
erated by libseccomp.
The libseccomp project site, with more information and the source code
repository, can be found at http://libseccomp.sf.net. This library is
currently under development, please report any bugs at the project site
or directly to the author.
AUTHOR
Paul Moore <paul@paul-moore.com>
SEE ALSOseccomp_release(3)paul@paul-moore.com 25 July 2012 seccomp_init(3)
