Add new constants from libseccomp 2.3.2 and 2.3.3
[linux-seccomp.git] / lib / Linux / Seccomp.pm
1package Linux::Seccomp;
2
3use 5.014000;
4use strict;
5use warnings;
6use Carp;
7
8require Exporter;
9use AutoLoader;
10
11our @ISA = qw(Exporter);
12
# Export groups understood by Exporter.
#
#   functions - helpers that resolve architecture and syscall names, plus
#               version()
#   macros    - the libseccomp constants: the SCMP_* values followed by the
#               real (__NR_*) and pseudo (__PNR_*) syscall numbers
#
# The constants are only named here. They have no Perl definition in this
# file; the package's AUTOLOAD resolves them on first use.
our %EXPORT_TAGS = (
    functions => [
        qw/arch_native arch_resolve_name
           syscall_resolve_name syscall_resolve_name_arch
           syscall_resolve_name_rewrite syscall_resolve_num_arch
           version/
    ],

    macros => do {
        # Every name below is exported twice: once as __NR_<name> and once
        # as __PNR_<name>. The list is kept in its original sorted order
        # because the order of the generated export list follows it.
        my @syscalls = qw/
            _llseek _newselect _sysctl accept accept4
            access afs_syscall alarm arch_prctl arm_fadvise64_64
            arm_sync_file_range bdflush bind break breakpoint
            cachectl cacheflush chmod chown chown32
            connect creat create_module dup2 epoll_create
            epoll_ctl_old epoll_wait epoll_wait_old eventfd fadvise64
            fadvise64_64 fchown32 fcntl64 fork fstat64
            fstatat64 fstatfs64 ftime ftruncate64 futimesat
            get_kernel_syms get_mempolicy get_thread_area getdents getegid32
            geteuid32 getgid32 getgroups32 getpeername getpgrp
            getpmsg getrandom getresgid32 getresuid32 getrlimit
            getsockname getsockopt getuid32 gtty idle
            inotify_init ioperm iopl ipc kexec_file_load
            lchown lchown32 link listen lock
            lstat lstat64 mbind membarrier memfd_create
            migrate_pages mkdir mknod mmap mmap2
            modify_ldt move_pages mpx msgctl msgget
            msgrcv msgsnd multiplexer newfstatat nfsservctl
            nice oldfstat oldlstat oldolduname oldstat
            olduname oldwait4 open pause pciconfig_iobase
            pciconfig_read pciconfig_write pipe poll prof
            profil putpmsg query_module readdir readlink
            recv recvfrom recvmmsg recvmsg rename
            rmdir rtas s390_pci_mmio_read s390_pci_mmio_write s390_runtime_instr
            security select semctl semget semop
            semtimedop send sendfile64 sendmmsg sendmsg
            sendto set_mempolicy set_thread_area set_tls setfsgid32
            setfsuid32 setgid32 setgroups32 setregid32 setresgid32
            setresuid32 setreuid32 setsockopt setuid32 sgetmask
            shmat shmctl shmdt shmget shutdown
            sigaction signal signalfd sigpending sigprocmask
            sigreturn sigsuspend socket socketcall socketpair
            spu_create spu_run ssetmask stat stat64
            statfs64 stime stty subpage_prot swapcontext
            switch_endian symlink sync_file_range sync_file_range2 sys_debug_setcontext
            syscall sysfs sysmips time timerfd
            truncate64 tuxcall ugetrlimit ulimit umount
            unlink uselib userfaultfd usr26 usr32
            ustat utime utimes vfork vm86
            vm86old vserver waitpid
        /;

        # Later additions, listed as interleaved __PNR_/__NR_ pairs exactly
        # as in the original declaration.
        my @paired_additions = qw/
            pkey_mprotect pkey_alloc pkey_free
            get_tls s390_guarded_storage s390_sthyi
        /;

        [
            qw/SCMP_ACT_ALLOW SCMP_ACT_ERRNO SCMP_ACT_KILL
               SCMP_ACT_TRACE SCMP_ACT_TRAP
               SCMP_ARCH_AARCH64 SCMP_ARCH_ARM SCMP_ARCH_MIPS
               SCMP_ARCH_MIPS64 SCMP_ARCH_MIPS64N32 SCMP_ARCH_MIPSEL
               SCMP_ARCH_MIPSEL64 SCMP_ARCH_MIPSEL64N32 SCMP_ARCH_NATIVE
               SCMP_ARCH_PPC SCMP_ARCH_PPC64 SCMP_ARCH_PPC64LE
               SCMP_ARCH_S390 SCMP_ARCH_S390X SCMP_ARCH_X32
               SCMP_ARCH_X86 SCMP_ARCH_X86_64
               SCMP_CMP_EQ SCMP_CMP_GE SCMP_CMP_GT SCMP_CMP_LE
               SCMP_CMP_LT SCMP_CMP_MASKED_EQ SCMP_CMP_NE
               SCMP_FLTATR_ACT_BADARCH SCMP_FLTATR_ACT_DEFAULT
               SCMP_FLTATR_CTL_NNP SCMP_FLTATR_CTL_TSYNC
               SCMP_FLTATR_API_TSKIP
               SCMP_VER_MAJOR SCMP_VER_MICRO SCMP_VER_MINOR
               _SCMP_CMP_MAX _SCMP_CMP_MIN
               _SCMP_FLTATR_MAX _SCMP_FLTATR_MIN
               __NR_SCMP_ERROR __NR_SCMP_UNDEF/,
            ( map { "__NR_$_" } @syscalls ),
            ( map { "__PNR_$_" } @syscalls ),
            ( map { ( "__PNR_$_", "__NR_$_" ) } @paired_additions ),
        ]
    },
);
470
# ':all' is the union of the two groups above. Everything may be requested
# by name (@EXPORT_OK), but only the constants are exported by default
# (@EXPORT); the functions must be asked for explicitly.
$EXPORT_TAGS{all} = [ map { @{ $EXPORT_TAGS{$_} } } qw/functions macros/ ];
our @EXPORT_OK = @{ $EXPORT_TAGS{all} };
our @EXPORT    = @{ $EXPORT_TAGS{macros} };

# Assigned inside BEGIN so that the value already exists at compile time,
# when the later BEGIN block hands it to XSLoader::load.
our $VERSION;
BEGIN {
    $VERSION = '0.002001';
}
479
# Resolve a call to an undefined Linux::Seccomp sub as a libseccomp constant.
#
# The unqualified name is handed to constant() (not defined in this file;
# presumably provided by the XS code). On success a closure returning the
# value is installed under the requested name, so later calls bypass
# AUTOLOAD, and control is transferred to it with goto.
#
# An unknown name croaks with the error reported by constant(): a mistyped
# constant fails loudly at the call site instead of evaluating to something
# else.
sub AUTOLOAD {
    our $AUTOLOAD;

    # Strip the package qualifier, leaving only the requested name.
    (my $name = $AUTOLOAD) =~ s/.*:://;

    # If constant() itself is missing we would recurse forever, so stop here.
    if ($name eq 'constant') {
        croak "&Linux::Seccomp::constant not defined";
    }

    my ($err, $value) = constant($name);
    croak $err if $err;

    {
        no strict 'refs';
        *$AUTOLOAD = sub { $value };
    }
    goto &$AUTOLOAD;
}
493
# Load the compiled half of the module at compile time, so that the subs it
# provides are already known when the rest of this file is compiled.
# $VERSION is passed along to XSLoader::load.
# NOTE(review): presumably this lets the loader reject a shared object built
# from a different module version -- confirm against the XS bootstrap.
BEGIN {
    require XSLoader;
    XSLoader::load( 'Linux::Seccomp', $VERSION );
}
498
# Constructor: returns whatever init() builds for the default action
# $def_action. The invocant is ignored, so the result does not depend on the
# class new() was called on.
# NOTE(review): $def_action is forwarded unchecked; presumably init() (not
# defined in this file) rejects anything that is not an SCMP_ACT_* value --
# confirm, since the default action decides what happens to every syscall no
# rule matches.
sub new {
    my (undef, $def_action) = @_;
    return init($def_action);
}
503
# Destructor: calls the object's release method when the filter object is
# destroyed.
# NOTE(review): release is not defined in this file; presumably it frees the
# underlying libseccomp context -- confirm in the XS code.
sub DESTROY {
    my ($self) = @_;
    $self->release;
}
507
# Maps every accepted spelling of a compare operator to its SCMP_CMP_* value.
# Each row gives the constant followed by its symbolic and two-letter
# aliases; the constant also maps to itself, so callers may pass either an
# alias or the SCMP_CMP_* value.
my %COMPARE_OP_TBL = map {
    my ($cmp, @aliases) = @$_;
    map { ( $_ => $cmp ) } ( $cmp, @aliases );
} (
    [ SCMP_CMP_NE(),        '!=', 'ne' ],
    [ SCMP_CMP_LT(),        '<',  'lt' ],
    [ SCMP_CMP_LE(),        '<=', 'le' ],
    [ SCMP_CMP_EQ(),        '==', 'eq' ],
    [ SCMP_CMP_GE(),        '>=', 'ge' ],
    [ SCMP_CMP_GT(),        '>',  'gt' ],
    [ SCMP_CMP_MASKED_EQ(), '=~', 'me' ],
);
532
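# Translate rule_add-style argument constraints into the values built by
# make_arg_cmp().
#
# Each element of @_ is an array reference whose second element is a compare
# operator: one of the aliases or SCMP_CMP_* values known to
# %COMPARE_OP_TBL. Returns a reference to the list of make_arg_cmp() results,
# in the order given.
#
# Croaks if a constraint has no operator or names one the table does not
# know. Rejecting the rule outright is deliberate: a constraint that cannot
# be translated must never end up in the filter as a different comparison.
sub _mangle_rule_add_args {
    my @args = map {
        # Work on a copy. The caller's array is left untouched, so a
        # constraint can be reused or logged after the call with the
        # operator the caller wrote.
        my @constraint = @$_;
        my $op = $constraint[1];

        croak "Missing compare operator in argument constraint"
            unless defined $op;

        # Test for the key rather than the truth of its value, so the
        # check does not depend on every SCMP_CMP_* value being non-zero.
        croak "No mapping for compare operator '$op'"
            unless exists $COMPARE_OP_TBL{$op};

        $constraint[1] = $COMPARE_OP_TBL{$op};
        make_arg_cmp(@constraint)
    } @_;
    return \@args;
}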
541
# Add a rule to the filter: the first three arguments (filter object,
# action, syscall number) are passed through unchanged, and the remaining
# argument constraints are translated by _mangle_rule_add_args before
# everything is handed to rule_add_array().
# NOTE(review): $syscall may be a negative pseudo syscall number when the
# architecture lacks the syscall (see syscall_resolve_name in the POD); how
# such a number is treated is decided by rule_add_array, which is not
# defined in this file -- confirm.
sub rule_add {
    my ($ctx, $action, $syscall, @constraints) = @_;
    return rule_add_array(
        $ctx, $action, $syscall,
        _mangle_rule_add_args(@constraints),
    );
}
545
# Same calling convention as rule_add, but the translated constraints are
# handed to rule_add_exact_array() instead.
# NOTE(review): presumably this wraps seccomp_rule_add_exact(3), which adds
# the rule exactly as given or fails -- confirm in the XS code; the method is
# not described in the POD below.
sub rule_add_exact {
    my ($ctx, $action, $syscall, @constraints) = @_;
    return rule_add_exact_array(
        $ctx, $action, $syscall,
        _mangle_rule_add_args(@constraints),
    );
}
549
5501;
551__END__
552
553=encoding utf-8
554
555=head1 NAME
556
557Linux::Seccomp - Interface to libseccomp Linux syscall filtering library
558
559=head1 SYNOPSIS
560
561 use Linux::Seccomp ':all';
562 my $ctx = Linux::Seccomp->new(SCMP_ACT_ALLOW);
563 # Kill the thread on any write(2) whose first argument (the fd) is 2, i.e. STDERR
564 $ctx->rule_add(SCMP_ACT_KILL, syscall_resolve_name('write'), [0, '==', 2]);
565 $ctx->load;
566 $| = 1;
567 print STDOUT "Hello world!\n"; # works
568 print STDERR "Goodbye world!\n"; # Killed
569 print STDOUT "Hello again world!\n"; # never reached
570
571=head1 DESCRIPTION
572
573Secure Computing (seccomp) is Linux's system call filtering mechanism.
574This system can operate in two modes: I<strict>, where only a very
575small number of system calls are allowed and the more modern I<filter>
576(or seccomp mode 2) which permits advanced filtering of system calls.
577This module is only concerned with the latter.
578
579Linux::Seccomp is a Perl interface to the
580L<libseccomp|https://github.com/seccomp/libseccomp> library which
581provides a simple way to use seccomp mode 2.
582
583It should be mentioned that this module is not production-ready at the
584moment -- work needs to be done to port the libseccomp testsuite and
585the documentation needs to be improved.
586
587Basic usage of this module is straightforward: Create a filter using
588the B<new> method, add rules to it using the B<rule_add> method
589several times, and finally load the filter into the kernel using the
590B<load> method. An example of this can be seen in the SYNOPSIS.
591
592=head1 METHODS
593
594Most methods die on error.
595
596=over
597
53e03791 598=item I<$ctx> = Linux::Seccomp->B<new>(I<$def_action>)
599
600Creates a new C<Linux::Seccomp> filter, with the default action for
601unhandled syscalls being I<$def_action>. Possible values for
602I<$def_action> are:
603
604=over
605
606=item SCMP_ACT_KILL
607
608The thread will be terminated by the kernel with SIGSYS when it calls
609a syscall that does not match any of the configured seccomp filter
610rules. The thread will not be able to catch the signal.
611
612=item SCMP_ACT_TRAP
613
614The thread will be sent a SIGSYS signal when it calls a syscall that
615does not match any of the configured seccomp filter rules. It may
616catch this and change its behavior accordingly. When using SA_SIGINFO
617with L<sigaction(2)>, si_code will be set to SYS_SECCOMP, si_syscall
618will be set to the syscall that failed the rules, and si_arch will be
619set to the AUDIT_ARCH for the active ABI.
620
621=item SCMP_ACT_ERRNO(I<$errno>)
622
623The thread will receive a return value of I<$errno> when it calls a
624syscall that does not match any of the configured seccomp filter
625rules.
626
627=item SCMP_ACT_TRACE(I<$msg_num>)
628
629If the thread is being traced and the tracing process specified the
630PTRACE_O_TRACESECCOMP option in the call to L<ptrace(2)>, the tracing
631process will be notified, via PTRACE_EVENT_SECCOMP, and the value
632provided in msg_num can be retrieved using the PTRACE_GETEVENTMSG
633option.
634
635=item SCMP_ACT_ALLOW
636
637The seccomp filter will have no effect on the thread calling the
638syscall if it does not match any of the configured seccomp filter
639rules.
640
641=back
642
643See L<seccomp_init(3)>.
644
645=item I<$ctx>->B<rule_add>(I<$action>, I<$syscall>, I<@args>)
646
647Adds a rule to the filter. If a system call with number I<$syscall>
648whose arguments match I<@args> is called, I<$action> will be taken.
649
650I<$action> can be any of the C<SCMP_ACT_*> macros listed above.
651
652I<@args> is a list of 0 or more constraints on the arguments to the
653syscall. Each constraint is an arrayref with 3 or 4 elements: C<[$arg,
654$op, $datum_a, $datum_b]> where I<$arg> is the zero-based index of the
655argument we are comparing (0 is the first argument). I<$op> is as follows:
656
657=over
658
659=item SCMP_CMP_NE
53e03791 660
bcf524c1 661=item '!='
53e03791 662
663=item 'ne'
664
665Matches when the argument value is not equal to I<$datum_a>.
666
667=item SCMP_CMP_LT
53e03791 668
bcf524c1 669=item '<'
53e03791 670
671=item 'lt'
672
673Matches when the argument value is less than I<$datum_a>.
674
675=item SCMP_CMP_LE
53e03791 676
bcf524c1 677=item '<='
53e03791 678
679=item 'le'
680
681Matches when the argument value is less than or equal to I<$datum_a>.
682
683=item SCMP_CMP_EQ
53e03791 684
bcf524c1 685=item '=='
53e03791 686
687=item 'eq'
688
689Matches when the argument value is equal to I<$datum_a>.
690
691=item SCMP_CMP_GE
53e03791 692
bcf524c1 693=item '>='
53e03791 694
695=item 'ge'
696
697Matches when the argument value is greater than or equal to I<$datum_a>.
698
699=item SCMP_CMP_GT
53e03791 700
bcf524c1 701=item '>'
53e03791 702
703=item 'gt'
704
705Matches when the argument value is greater than I<$datum_a>.
706
707=item SCMP_CMP_MASKED_EQ
53e03791 708
bcf524c1 709=item '=~'
53e03791 710
711=item 'me'
712
713Matches when the argument value masked with I<$datum_a> is equal to I<$datum_b> masked with I<$datum_a>.
714
715=back
716
717See L<seccomp_rule_add(3)>.
718
719=item I<$ctx>->B<arch_add>(I<$arch_token>)
720
721Add an architecture to the filter. The native architecture is added by
722default.
723See L<seccomp_arch_add(3)>.
724
725=item I<$ctx>->B<arch_exists>(I<$arch_token>)
726
727Returns true if the given architecture is in the filter, false
728otherwise.
53e03791 729See L<seccomp_arch_add(3)>.
730
731=item I<$ctx>->B<arch_remove>(I<$arch_token>)
732
733Removes an architecture from the filter.
53e03791 734See L<seccomp_arch_add(3)>.
735
736=item I<$ctx>->B<attr_get>(I<$attr>)
737
738Returns the value of an attribute. The attributes are:
739
740=over
741
742=item SCMP_FLTATR_ACT_DEFAULT
743
744The default filter action as specified in the call to B<new>. Read-only.
745
746=item SCMP_FLTATR_ACT_BADARCH
747
748The filter action taken when the loaded filter does not match the
749architecture of the executing application. Defaults to SCMP_ACT_KILL.
750
751=item SCMP_FLTATR_CTL_NNP
752
753Specifies whether to turn on NO_NEW_PRIVS functionality when B<load>
754is called. Defaults to 1 (on). If this flag is turned off then the
755calling process must have CAP_SYS_ADMIN (or else the call to B<load>
756will fail).
757
758=item SCMP_FLTATR_CTL_TSYNC
759
760Specifies whether the kernel should synchronize the filters across
761all threads when B<load> is called. Defaults to 0 (off).
762
763=item SCMP_FLTATR_API_TSKIP
764
765Specifies whether rules for the system call -1 should be allowed. This
766value can be used by tracer programs to skip specific system call
767invocations, see L<seccomp(2)> for more information. Defaults to 0
768(off).
769
770=back
771
772See L<seccomp_attr_get(3)>.
773
774=item I<$ctx>->B<attr_set>(I<$attr>, I<$value>)
775
776Sets an attribute to the given value. The attributes are the ones from
777the list above except for SCMP_FLTATR_ACT_DEFAULT which is read-only.
778See L<seccomp_attr_get(3)>.
779
780=item I<$ctx>->B<export_bpf>(I<$fh>)
781
782Writes the BPF (Berkeley Packet Filter) representation of the filter
783to the given file handle.
784See L<seccomp_export_bpf(3)>.
785
786=item I<$ctx>->B<export_pfc>(I<$fh>)
787
788Writes the PFC (Pseudo Filter Code) representation of the filter to
789the given file handle.
790See L<seccomp_export_bpf(3)>.
791
792=item I<$ctx>->B<load>
793
794Loads the filter into the kernel.
795See L<seccomp_load(3)>.
796
797=back
798
799=head1 FUNCTIONS
800
801None exported by default. These functions die on error.
802
803=over
804
805=item B<arch_native>
806
807Returns the arch token for the native architecture.
808See L<seccomp_arch_add(3)>.
809
810=item B<arch_resolve_name>(I<$arch_name>)
811
812Returns the arch token for a named architecture.
813See L<seccomp_arch_add(3)>.
814
815=item B<syscall_resolve_name>(I<$name>)
816
817Resolves a system call name to its number for the native architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall.
818See L<seccomp_syscall_resolve_name(3)>.
819
820=item B<syscall_resolve_name_arch>(I<$arch_token>, I<$name>)
821
822Resolves a system call name to its number for a given architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall.
823See L<seccomp_syscall_resolve_name(3)>.
824
825=item B<syscall_resolve_name_rewrite>(I<$arch_token>, I<$name>)
826
827Resolves a system call name to its number for a given architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall. In contrast to the previous function, this function tries to obtain the actual syscall number in cases where the previous function would return a pseudo syscall number.
828See L<seccomp_syscall_resolve_name(3)>.
829
830=item B<syscall_resolve_num_arch>(I<$arch_token>, I<$num>)
831
832Returns the name of the system call with the given number on the given architecture.
833See L<seccomp_syscall_resolve_name(3)>.
834
835=item B<version>
836
837Returns the version of libseccomp as a three-element arrayref:
838[$major_version, $minor_version, $micro_version].
839
840=back
841
842=head1 CONSTANTS
843
844All exported by default. Most of the SCMP_ constants were seen above.
845Here is a list of them (SCMP_ACT_ERRNO and SCMP_ACT_TRACE, which take an argument, are described under B<new> above):
846
847 SCMP_ACT_ALLOW
848 SCMP_ACT_KILL
849 SCMP_ACT_TRAP
850 SCMP_ARCH_AARCH64
851 SCMP_ARCH_ARM
852 SCMP_ARCH_MIPS
853 SCMP_ARCH_MIPS64
854 SCMP_ARCH_MIPS64N32
855 SCMP_ARCH_MIPSEL
856 SCMP_ARCH_MIPSEL64
857 SCMP_ARCH_MIPSEL64N32
858 SCMP_ARCH_NATIVE
859 SCMP_ARCH_PPC
860 SCMP_ARCH_PPC64
861 SCMP_ARCH_PPC64LE
862 SCMP_ARCH_S390
863 SCMP_ARCH_S390X
864 SCMP_ARCH_X32
865 SCMP_ARCH_X86
866 SCMP_ARCH_X86_64
867 SCMP_CMP_EQ
868 SCMP_CMP_GE
869 SCMP_CMP_GT
870 SCMP_CMP_LE
871 SCMP_CMP_LT
872 SCMP_CMP_MASKED_EQ
873 SCMP_CMP_NE
874 SCMP_FLTATR_ACT_BADARCH
875 SCMP_FLTATR_ACT_DEFAULT
876 SCMP_FLTATR_CTL_NNP
877 SCMP_FLTATR_CTL_TSYNC
7f46b372 878 SCMP_FLTATR_API_TSKIP
879 SCMP_VER_MAJOR
880 SCMP_VER_MICRO
881 SCMP_VER_MINOR
882
883Besides the SCMP_ constants, the module also provides a long list of
884__NR_syscall and __PNR_syscall constants that represent real and
885pseudo syscall numbers for many common system calls. A full list can
886be found in the source code of this module. See also the
887B<syscall_resolve_name> family of functions above which is more
888flexible than this set of constants.
889
890=head1 SEE ALSO
891
892L<https://github.com/seccomp/libseccomp>
893
894=head1 AUTHOR
895
896Marius Gavrilescu, E<lt>marius@ieval.roE<gt>
897
898=head1 COPYRIGHT AND LICENSE
899
900Copyright (C) 2016 by Marius Gavrilescu
901
902This library is free software; you can redistribute it and/or modify
903it under the same terms as Perl itself, either Perl version 5.24.0 or,
904at your option, any later version of Perl 5 you may have available.
905
906
907=cut