1 | .TH "seccomp_attr_set" 3 "21 August 2014" "paul@paul-moore.com" "libseccomp Documentation" | |
2 | .\" ////////////////////////////////////////////////////////////////////////// | |
3 | .SH NAME | |
4 | .\" ////////////////////////////////////////////////////////////////////////// | |
5 | seccomp_attr_set, seccomp_attr_get \- Manage the seccomp filter attributes | |
6 | .\" ////////////////////////////////////////////////////////////////////////// | |
7 | .SH SYNOPSIS | |
8 | .\" ////////////////////////////////////////////////////////////////////////// | |
9 | .nf | |
10 | .B #include <seccomp.h> | |
11 | .sp | |
12 | .B typedef void * scmp_filter_ctx; | |
13 | .B enum scmp_filter_attr; | |
14 | .sp | |
15 | .BI "int seccomp_attr_set(scmp_filter_ctx " ctx "," | |
16 | .BI " enum scmp_filter_attr " attr ", uint32_t " value ");" | |
17 | .BI "int seccomp_attr_get(scmp_filter_ctx " ctx "," | |
18 | .BI " enum scmp_filter_attr " attr ", uint32_t *" value ");" | |
19 | .sp | |
20 | Link with \fI\-lseccomp\fP. | |
21 | .fi | |
22 | .\" ////////////////////////////////////////////////////////////////////////// | |
23 | .SH DESCRIPTION | |
24 | .\" ////////////////////////////////////////////////////////////////////////// | |
25 | .P | |
26 | The | |
27 | .BR seccomp_attr_set () | |
28 | function sets the different seccomp filter attributes while the | |
29 | .BR seccomp_attr_get () | |
30 | function fetches the filter attributes. The seccomp filter attributes are | |
31 | tunable values that affect how the library behaves when generating and loading | |
32 | the seccomp filter into the kernel. The attributes are reset to their default | |
33 | values whenever the filter is initialized or reset via | |
34 | .BR seccomp_filter_init (3) | |
35 | or | |
36 | .BR seccomp_filter_reset (3). | |
37 | .P | |
38 | The filter context | |
39 | .I ctx | |
40 | is the value returned by the call to | |
41 | .BR seccomp_init (3). | |
42 | .P | |
43 | Valid | |
44 | .I attr | |
45 | values are as follows: | |
46 | .TP | |
47 | .B SCMP_FLTATR_ACT_DEFAULT | |
48 | The default filter action as specified in the call to | |
49 | .BR seccomp_filter_init (3) | |
50 | or | |
51 | .BR seccomp_filter_reset (3). | |
52 | This attribute is read-only. | |
53 | .TP | |
54 | .B SCMP_FLTATR_ACT_BADARCH | |
55 | The filter action taken when the loaded filter does not match the architecture | |
56 | of the executing application. Defaults to the | |
57 | .B SCMP_ACT_KILL | |
58 | action. | |
59 | .TP | |
60 | .B SCMP_FLTATR_CTL_NNP | |
61 | A flag to specify if the NO_NEW_PRIVS functionality should be enabled before | |
62 | loading the seccomp filter into the kernel. If set to off ( | |
63 | .I value | |
64 | == 0) then loading the seccomp filter into the kernel will fail if CAP_SYS_ADMIN | |
65 | is not set. Defaults to on ( | |
66 | .I value | |
67 | == 1). | |
68 | .TP | |
69 | .B SCMP_FLTATR_CTL_TSYNC | |
70 | A flag to specify if the kernel should attempt to synchronize the filters | |
71 | across all threads on | |
72 | .BR seccomp_load (3). | |
73 | If the kernel is unable to synchronize all of the threads, then the load | |
74 | operation will fail. This flag is only available on Linux Kernel 3.17 or | |
75 | greater; attempting to enable this flag on earlier kernels will result in an | |
76 | error being returned. Defaults to off ( | |
77 | .I value | |
78 | == 0). | |
79 | .\" ////////////////////////////////////////////////////////////////////////// | |
80 | .SH RETURN VALUE | |
81 | .\" ////////////////////////////////////////////////////////////////////////// | |
82 | Returns zero on success, negative errno values on failure. | |
83 | .\" ////////////////////////////////////////////////////////////////////////// | |
84 | .SH EXAMPLES | |
85 | .\" ////////////////////////////////////////////////////////////////////////// | |
86 | .nf | |
87 | #include <seccomp.h> | |
88 | ||
89 | int main(int argc, char *argv[]) /* example: tune a filter attribute before the filter is loaded */ | |
90 | { | |
91 | int rc = \-1; /* stays \-1 until a libseccomp call reports a status */ | |
92 | scmp_filter_ctx ctx; | |
93 | ||
94 | ctx = seccomp_init(SCMP_ACT_ALLOW); /* default action for the new filter (see SCMP_FLTATR_ACT_DEFAULT) */ | |
95 | if (ctx == NULL) | |
96 | goto out; | |
97 | ||
98 | /* ... */ | |
99 | ||
100 | rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP); /* replace the default SCMP_ACT_KILL on architecture mismatch */ | |
101 | if (rc < 0) /* negative errno value on failure */ | |
102 | goto out; | |
103 | ||
104 | /* ... */ | |
105 | ||
106 | out: /* single cleanup path for every exit */ | |
107 | seccomp_release(ctx); /* NOTE(review): ctx is NULL here when seccomp_init() failed \- confirm seccomp_release() tolerates NULL */ | |
108 | return \-rc; /* rc is 0 or a negative errno, so \-rc is a non\-negative exit status */ | |
109 | } | |
110 | .fi | |
111 | .\" ////////////////////////////////////////////////////////////////////////// | |
112 | .SH NOTES | |
113 | .\" ////////////////////////////////////////////////////////////////////////// | |
114 | .P | |
115 | While the seccomp filter can be generated independent of the kernel, kernel | |
116 | support is required to load and enforce the seccomp filter generated by | |
117 | libseccomp. | |
118 | .P | |
119 | The libseccomp project site, with more information and the source code | |
120 | repository, can be found at https://github.com/seccomp/libseccomp. This tool, | |
121 | as well as the libseccomp library, is currently under development; please | |
122 | report any bugs at the project site or directly to the author. | |
123 | .\" ////////////////////////////////////////////////////////////////////////// | |
124 | .SH AUTHOR | |
125 | .\" ////////////////////////////////////////////////////////////////////////// | |
126 | Paul Moore <paul@paul-moore.com> | |
127 | .\" ////////////////////////////////////////////////////////////////////////// | |
128 | .SH SEE ALSO | |
129 | .\" ////////////////////////////////////////////////////////////////////////// | |
130 | .BR seccomp_init (3), | |
131 | .BR seccomp_reset (3), | |
132 | .BR seccomp_load (3) |