Commit | Line | Data |
---|---|---|
8befd5cc MG |
1 | .TH "seccomp_syscall_priority" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation" |
2 | .\" ////////////////////////////////////////////////////////////////////////// | |
3 | .SH NAME | |
4 | .\" ////////////////////////////////////////////////////////////////////////// | |
5 | seccomp_syscall_priority \- Prioritize syscalls in the seccomp filter | |
6 | .\" ////////////////////////////////////////////////////////////////////////// | |
7 | .SH SYNOPSIS | |
8 | .\" ////////////////////////////////////////////////////////////////////////// | |
9 | .nf | |
10 | .B #include <seccomp.h> | |
11 | .sp | |
12 | .B typedef void * scmp_filter_ctx; | |
13 | .sp | |
14 | .BI "int SCMP_SYS(" syscall_name ");" | |
15 | .sp | |
16 | .BI "int seccomp_syscall_priority(scmp_filter_ctx " ctx "," | |
17 | .BI " int " syscall ", uint8_t " priority ");" | |
18 | .sp | |
19 | Link with \fI\-lseccomp\fP. | |
20 | .fi | |
21 | .\" ////////////////////////////////////////////////////////////////////////// | |
22 | .SH DESCRIPTION | |
23 | .\" ////////////////////////////////////////////////////////////////////////// | |
24 | .P | |
25 | The | |
26 | .BR seccomp_syscall_priority () | |
27 | function provides a priority hint to the seccomp filter generator in libseccomp | |
28 | such that higher priority syscalls are placed earlier in the seccomp filter code | |
29 | so that they incur less overhead at the expense of lower priority syscalls. A | |
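30 | syscall's priority can be set regardless of whether any rules currently exist for | |
31 | that syscall; the library will remember the priority and assign it to | |
32 | the syscall if and when a rule for that syscall is created. The priority is only an ordering hint for the generated filter code; it does not change which action a rule applies to the syscall. | |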
33 | .P | |
34 | While it is possible to specify the | |
35 | .I syscall | |
36 | value directly using the standard | |
37 | .B __NR_syscall | |
38 | values, in order to ensure proper operation across multiple architectures it | |
39 | is highly recommended to use the | |
40 | .BR SCMP_SYS () | |
41 | macro instead. See the EXAMPLES section below. | |
42 | .P | |
43 | The | |
44 | .I priority | |
45 | parameter takes an 8-bit value ranging from 0 \- 255; a higher value represents | |
46 | a higher priority. | |
47 | .P | |
48 | The filter context | |
49 | .I ctx | |
50 | is the value returned by the call to | |
51 | .BR seccomp_init (). | |
52 | .\" ////////////////////////////////////////////////////////////////////////// | |
53 | .SH RETURN VALUE | |
54 | .\" ////////////////////////////////////////////////////////////////////////// | |
55 | The | |
56 | .BR seccomp_syscall_priority () | |
57 | function returns zero on success or a negative errno value on failure. The | |
58 | .BR SCMP_SYS () | |
59 | macro returns a value suitable for use as the | |
60 | .I syscall | |
61 | value in | |
62 | .BR seccomp_syscall_priority (). | |
63 | .\" ////////////////////////////////////////////////////////////////////////// | |
64 | .SH EXAMPLES | |
65 | .\" ////////////////////////////////////////////////////////////////////////// | |
66 | .nf | |
67 | #include <seccomp.h> | |
68 | ||
69 | int main(int argc, char *argv[]) | |
70 | { | |
71 | int rc = \-1; | |
72 | scmp_filter_ctx ctx; | |
73 | ||
74 | ctx = seccomp_init(SCMP_ACT_KILL); | |
75 | if (ctx == NULL) | |
76 | goto out; | |
77 | ||
78 | /* ... */ | |
79 | ||
80 | rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200); | |
81 | if (rc < 0) | |
82 | goto out; | |
83 | ||
84 | /* ... */ | |
85 | ||
86 | out: | |
87 | seccomp_release(ctx); | |
88 | return \-rc; | |
89 | } | |
90 | .fi | |
91 | .\" ////////////////////////////////////////////////////////////////////////// | |
92 | .SH NOTES | |
93 | .\" ////////////////////////////////////////////////////////////////////////// | |
94 | .P | |
95 | While the seccomp filter can be generated independently of the kernel, kernel | |
96 | support is required to load and enforce the seccomp filter generated by | |
97 | libseccomp. | |
98 | .P | |
99 | The libseccomp project site, with more information and the source code | |
100 | repository, can be found at https://github.com/seccomp/libseccomp. This tool, | |
101 | as well as the libseccomp library, is currently under development; please | |
102 | report any bugs at the project site or directly to the author. | |
103 | .\" ////////////////////////////////////////////////////////////////////////// | |
104 | .SH AUTHOR | |
105 | .\" ////////////////////////////////////////////////////////////////////////// | |
106 | Paul Moore <paul@paul-moore.com> | |
107 | .\" ////////////////////////////////////////////////////////////////////////// | |
108 | .SH SEE ALSO | |
109 | .\" ////////////////////////////////////////////////////////////////////////// | |
110 | .BR seccomp_rule_add (3), | |
111 | .BR seccomp_rule_add_exact (3) |