[linux-seccomp.git] / libseccomp / doc / man / man3 / seccomp_syscall_priority.3

.TH "seccomp_syscall_priority" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
.\" //////////////////////////////////////////////////////////////////////////
.SH NAME
.\" //////////////////////////////////////////////////////////////////////////
seccomp_syscall_priority \- Prioritize syscalls in the seccomp filter
.\" //////////////////////////////////////////////////////////////////////////
.SH SYNOPSIS
.\" //////////////////////////////////////////////////////////////////////////
.nf
.B #include <seccomp.h>
.sp
.B typedef void * scmp_filter_ctx;
.sp
.BI "int SCMP_SYS(" syscall_name ");"
.sp
.BI "int seccomp_syscall_priority(scmp_filter_ctx " ctx ","
.BI "                             int " syscall ", uint8_t " priority ");"
.sp
Link with \fI\-lseccomp\fP.
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH DESCRIPTION
.\" //////////////////////////////////////////////////////////////////////////
.P
The
.BR seccomp_syscall_priority ()
function provides a priority hint to the seccomp filter generator in libseccomp
such that higher priority syscalls are placed earlier in the seccomp filter code
so that they incur less overhead at the expense of lower priority syscalls.  A
syscall's priority can be set regardless of if any rules currently exist for
that syscall; the library will remember the priority and it will be assigned to
the syscall if and when a rule for that syscall is created.
.P
While it is possible to specify the
.I syscall
value directly using the standard
.B __NR_syscall
values, in order to ensure proper operation across multiple architectures it
is highly recommended to use the
.BR SCMP_SYS ()
macro instead.  See the EXAMPLES section below.
.P
The
.I priority
parameter takes an 8-bit value ranging from 0 \- 255; a higher value represents
a higher priority.
.P
The filter context
.I ctx
is the value returned by the call to
.BR seccomp_init ().
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
The
.BR seccomp_syscall_priority ()
function returns zero on success, negative errno values on failure.  The
.BR SCMP_SYS ()
macro returns a value suitable for use as the
.I syscall
value in
.BR seccomp_syscall_priority ().
.\" //////////////////////////////////////////////////////////////////////////
.SH EXAMPLES
.\" //////////////////////////////////////////////////////////////////////////
.nf
#include <seccomp.h>

int main(int argc, char *argv[])
{
	int rc = \-1;
	scmp_filter_ctx ctx;

	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		goto out;

	/* ... */

	rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200);
	if (rc < 0)
		goto out;

	/* ... */

out:
	seccomp_release(ctx);
	return \-rc;
}
.fi
.\" //////////////////////////////////////////////////////////////////////////
.SH NOTES
.\" //////////////////////////////////////////////////////////////////////////
.P
While the seccomp filter can be generated independent of the kernel, kernel
support is required to load and enforce the seccomp filter generated by
libseccomp.
.P
The libseccomp project site, with more information and the source code
repository, can be found at https://github.com/seccomp/libseccomp.  This tool,
as well as the libseccomp library, is currently under development, please
report any bugs at the project site or directly to the author.
.\" //////////////////////////////////////////////////////////////////////////
.SH AUTHOR
.\" //////////////////////////////////////////////////////////////////////////
Paul Moore <paul@paul-moore.com>
.\" //////////////////////////////////////////////////////////////////////////
.SH SEE ALSO
.\" //////////////////////////////////////////////////////////////////////////
.BR seccomp_rule_add (3),
.BR seccomp_rule_add_exact (3)
Commit	Line	Data
8befd5cc MG	1	.TH "seccomp_syscall_priority" 3 "25 July 2012" "paul@paul-moore.com" "libseccomp Documentation"
	2	.\" //////////////////////////////////////////////////////////////////////////
	3	.SH NAME
	4	.\" //////////////////////////////////////////////////////////////////////////
	5	seccomp_syscall_priority \- Prioritize syscalls in the seccomp filter
	6	.\" //////////////////////////////////////////////////////////////////////////
	7	.SH SYNOPSIS
	8	.\" //////////////////////////////////////////////////////////////////////////
	9	.nf
	10	.B #include <seccomp.h>
	11	.sp
	12	.B typedef void * scmp_filter_ctx;
	13	.sp
	14	.BI "int SCMP_SYS(" syscall_name ");"
	15	.sp
	16	.BI "int seccomp_syscall_priority(scmp_filter_ctx " ctx ","
	17	.BI " int " syscall ", uint8_t " priority ");"
	18	.sp
	19	Link with \fI\-lseccomp\fP.
	20	.fi
	21	.\" //////////////////////////////////////////////////////////////////////////
	22	.SH DESCRIPTION
	23	.\" //////////////////////////////////////////////////////////////////////////
	24	.P
	25	The
	26	.BR seccomp_syscall_priority ()
	27	function provides a priority hint to the seccomp filter generator in libseccomp
	28	such that higher priority syscalls are placed earlier in the seccomp filter code
	29	so that they incur less overhead at the expense of lower priority syscalls. A
	30	syscall's priority can be set regardless of if any rules currently exist for
	31	that syscall; the library will remember the priority and it will be assigned to
	32	the syscall if and when a rule for that syscall is created.
	33	.P
	34	While it is possible to specify the
	35	.I syscall
	36	value directly using the standard
	37	.B __NR_syscall
	38	values, in order to ensure proper operation across multiple architectures it
	39	is highly recommended to use the
	40	.BR SCMP_SYS ()
	41	macro instead. See the EXAMPLES section below.
	42	.P
	43	The
	44	.I priority
	45	parameter takes an 8-bit value ranging from 0 \- 255; a higher value represents
	46	a higher priority.
	47	.P
	48	The filter context
	49	.I ctx
	50	is the value returned by the call to
	51	.BR seccomp_init ().
	52	.\" //////////////////////////////////////////////////////////////////////////
	53	.SH RETURN VALUE
	54	.\" //////////////////////////////////////////////////////////////////////////
	55	The
	56	.BR seccomp_syscall_priority ()
	57	function returns zero on success, negative errno values on failure. The
	58	.BR SCMP_SYS ()
	59	macro returns a value suitable for use as the
	60	.I syscall
	61	value in
	62	.BR seccomp_syscall_priority ().
	63	.\" //////////////////////////////////////////////////////////////////////////
	64	.SH EXAMPLES
65	.\" //////////////////////////////////////////////////////////////////////////
66	.nf
67	#include <seccomp.h>
68
69	int main(int argc, char *argv[])
70	{
71	int rc = \-1;
72	scmp_filter_ctx ctx;
73
74	ctx = seccomp_init(SCMP_ACT_KILL);
75	if (ctx == NULL)
76	goto out;
77
78	/* ... */
79
80	rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200);
81	if (rc < 0)
82	goto out;
83
84	/* ... */
85
86	out:
87	seccomp_release(ctx);
88	return \-rc;
89	}
90	.fi
91	.\" //////////////////////////////////////////////////////////////////////////
92	.SH NOTES
93	.\" //////////////////////////////////////////////////////////////////////////
94	.P
95	While the seccomp filter can be generated independent of the kernel, kernel
96	support is required to load and enforce the seccomp filter generated by
97	libseccomp.
98	.P
99	The libseccomp project site, with more information and the source code
100	repository, can be found at https://github.com/seccomp/libseccomp. This tool,
101	as well as the libseccomp library, is currently under development, please
102	report any bugs at the project site or directly to the author.
103	.\" //////////////////////////////////////////////////////////////////////////
104	.SH AUTHOR
105	.\" //////////////////////////////////////////////////////////////////////////
106	Paul Moore <paul@paul-moore.com>
107	.\" //////////////////////////////////////////////////////////////////////////
108	.SH SEE ALSO
109	.\" //////////////////////////////////////////////////////////////////////////
110	.BR seccomp_rule_add (3),
111	.BR seccomp_rule_add_exact (3)