seccomp_load - Load the current seccomp filter into the kernel
#include <seccomp.h>
typedef void * scmp_filter_ctx;
int seccomp_load(scmp_filter_ctx ctx);
Link with -lseccomp.
Loads the seccomp filter provided by
ctx into the kernel; if the function
succeeds the new seccomp filter will be active when the function returns.
As it is possible to have multiple stacked seccomp filters for a given task
(defined as either a process or a thread), it is important to remember that
each of the filters loaded for a given task are executed when a syscall is
made and the "strictest" rule is the rule that is applied. In the
case of seccomp, "strictest" is defined as the action with the
lowest value (e.g.
SCMP_ACT_KILL is "stricter" than
SCMP_ACT_ALLOW).
Returns zero on success or one of the following error codes on failure:
- -ECANCELED
- There was a system failure beyond the control of the
library.
- -EFAULT
- Internal libseccomp failure.
- -EINVAL
- Invalid input, either the context or architecture token is
invalid.
- -ENOMEM
- The library was unable to allocate enough memory.
- -ESRCH
- Unable to load the filter due to thread issues.
If the
SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then
additional error codes may be returned to the caller; these additional error
codes are the negative
errno values returned by the system.
Unfortunately libseccomp can make no guarantees about these return values.
#include <seccomp.h>
int main(int argc, char *argv[])
{
int rc = -1;
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL)
goto out;
/* ... */
rc = seccomp_load(ctx);
if (rc < 0)
goto out;
/* ... */
out:
seccomp_release(ctx);
return -rc;
}
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
The libseccomp project site, with more information and the source code
repository, can be found at
https://github.com/seccomp/libseccomp. This tool,
as well as the libseccomp library, is currently under development, please
report any bugs at the project site or directly to the author.
Paul Moore <
[email protected]>
seccomp_init(3),
seccomp_reset(3),
seccomp_release(3),
seccomp_rule_add(3),
seccomp_rule_add_exact(3)