e4143eee4c33da9974823257562e931aab4a9345
1 package Linux::Seccomp;
2
3 use 5.014000;
4 use strict;
5 use warnings;
6 use Carp;
7
8 require Exporter;
9 use AutoLoader;
10
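# Exporter configuration.
#
# Two base tags are defined and ':all' is their union:
#   :functions - helper functions; only importable on request (@EXPORT_OK).
#   :macros    - libseccomp constants; these are also the DEFAULT export
#                list, so a plain "use Linux::Seccomp;" imports every name
#                below into the caller's namespace.  Callers that want a
#                small, auditable import should pass an explicit list.
#
# Every entry must name either a sub defined by this module or a constant
# that AUTOLOAD can resolve; any other token would be exported as a sub
# that croaks on first use.
our @ISA = qw(Exporter);

our %EXPORT_TAGS = (
    functions => [
        qw/arch_native
           arch_resolve_name
           syscall_resolve_name
           syscall_resolve_name_arch
           syscall_resolve_name_rewrite
           syscall_resolve_num_arch/
    ],

    macros => [
        # Filter actions, architecture tokens, comparison operators,
        # filter attributes and library version numbers.
        qw/SCMP_ACT_ALLOW SCMP_ACT_ERRNO SCMP_ACT_KILL
           SCMP_ACT_TRACE SCMP_ACT_TRAP
           SCMP_ARCH_AARCH64 SCMP_ARCH_ARM SCMP_ARCH_MIPS
           SCMP_ARCH_MIPS64 SCMP_ARCH_MIPS64N32 SCMP_ARCH_MIPSEL
           SCMP_ARCH_MIPSEL64 SCMP_ARCH_MIPSEL64N32 SCMP_ARCH_NATIVE
           SCMP_ARCH_PPC SCMP_ARCH_PPC64 SCMP_ARCH_PPC64LE
           SCMP_ARCH_S390 SCMP_ARCH_S390X SCMP_ARCH_X32
           SCMP_ARCH_X86 SCMP_ARCH_X86_64
           SCMP_CMP_EQ SCMP_CMP_GE SCMP_CMP_GT SCMP_CMP_LE
           SCMP_CMP_LT SCMP_CMP_MASKED_EQ SCMP_CMP_NE
           SCMP_FLTATR_ACT_BADARCH SCMP_FLTATR_ACT_DEFAULT
           SCMP_FLTATR_CTL_NNP SCMP_FLTATR_CTL_TSYNC
           SCMP_VER_MAJOR SCMP_VER_MICRO SCMP_VER_MINOR
           _SCMP_CMP_MAX _SCMP_CMP_MIN
           _SCMP_FLTATR_MAX _SCMP_FLTATR_MIN/,

        # Real syscall numbers (__NR_*).
        qw/__NR_SCMP_ERROR __NR_SCMP_UNDEF
           __NR__llseek __NR__newselect __NR__sysctl
           __NR_accept __NR_accept4 __NR_access
           __NR_afs_syscall __NR_alarm __NR_arch_prctl
           __NR_arm_fadvise64_64 __NR_arm_sync_file_range __NR_bdflush
           __NR_bind __NR_break __NR_breakpoint
           __NR_cachectl __NR_cacheflush __NR_chmod
           __NR_chown __NR_chown32 __NR_connect
           __NR_creat __NR_create_module __NR_dup2
           __NR_epoll_create __NR_epoll_ctl_old __NR_epoll_wait
           __NR_epoll_wait_old __NR_eventfd __NR_fadvise64
           __NR_fadvise64_64 __NR_fchown32 __NR_fcntl64
           __NR_fork __NR_fstat64 __NR_fstatat64
           __NR_fstatfs64 __NR_ftime __NR_ftruncate64
           __NR_futimesat __NR_get_kernel_syms __NR_get_mempolicy
           __NR_get_thread_area __NR_getdents __NR_getegid32
           __NR_geteuid32 __NR_getgid32 __NR_getgroups32
           __NR_getpeername __NR_getpgrp __NR_getpmsg
           __NR_getrandom __NR_getresgid32 __NR_getresuid32
           __NR_getrlimit __NR_getsockname __NR_getsockopt
           __NR_getuid32 __NR_gtty __NR_idle
           __NR_inotify_init __NR_ioperm __NR_iopl
           __NR_ipc __NR_kexec_file_load __NR_lchown
           __NR_lchown32 __NR_link __NR_listen
           __NR_lock __NR_lstat __NR_lstat64
           __NR_mbind __NR_membarrier __NR_memfd_create
           __NR_migrate_pages __NR_mkdir __NR_mknod
           __NR_mmap __NR_mmap2 __NR_modify_ldt
           __NR_move_pages __NR_mpx __NR_msgctl
           __NR_msgget __NR_msgrcv __NR_msgsnd
           __NR_multiplexer __NR_newfstatat __NR_nfsservctl
           __NR_nice __NR_oldfstat __NR_oldlstat
           __NR_oldolduname __NR_oldstat __NR_olduname
           __NR_oldwait4 __NR_open __NR_pause
           __NR_pciconfig_iobase __NR_pciconfig_read __NR_pciconfig_write
           __NR_pipe __NR_poll __NR_prof
           __NR_profil __NR_putpmsg __NR_query_module
           __NR_readdir __NR_readlink __NR_recv
           __NR_recvfrom __NR_recvmmsg __NR_recvmsg
           __NR_rename __NR_rmdir __NR_rtas
           __NR_s390_pci_mmio_read __NR_s390_pci_mmio_write
           __NR_s390_runtime_instr
           __NR_security __NR_select __NR_semctl
           __NR_semget __NR_semop __NR_semtimedop
           __NR_send __NR_sendfile64 __NR_sendmmsg
           __NR_sendmsg __NR_sendto __NR_set_mempolicy
           __NR_set_thread_area __NR_set_tls __NR_setfsgid32
           __NR_setfsuid32 __NR_setgid32 __NR_setgroups32
           __NR_setregid32 __NR_setresgid32 __NR_setresuid32
           __NR_setreuid32 __NR_setsockopt __NR_setuid32
           __NR_sgetmask __NR_shmat __NR_shmctl
           __NR_shmdt __NR_shmget __NR_shutdown
           __NR_sigaction __NR_signal __NR_signalfd
           __NR_sigpending __NR_sigprocmask __NR_sigreturn
           __NR_sigsuspend __NR_socket __NR_socketcall
           __NR_socketpair __NR_spu_create __NR_spu_run
           __NR_ssetmask __NR_stat __NR_stat64
           __NR_statfs64 __NR_stime __NR_stty
           __NR_subpage_prot __NR_swapcontext __NR_switch_endian
           __NR_symlink __NR_sync_file_range __NR_sync_file_range2
           __NR_sys_debug_setcontext __NR_syscall __NR_sysfs
           __NR_sysmips __NR_time __NR_timerfd
           __NR_truncate64 __NR_tuxcall __NR_ugetrlimit
           __NR_ulimit __NR_umount __NR_unlink
           __NR_uselib __NR_userfaultfd __NR_usr26
           __NR_usr32 __NR_ustat __NR_utime
           __NR_utimes __NR_vfork __NR_vm86
           __NR_vm86old __NR_vserver __NR_waitpid/,

        # Pseudo syscall numbers (__PNR_*), one per __NR_* name above.
        qw/__PNR__llseek __PNR__newselect __PNR__sysctl
           __PNR_accept __PNR_accept4 __PNR_access
           __PNR_afs_syscall __PNR_alarm __PNR_arch_prctl
           __PNR_arm_fadvise64_64 __PNR_arm_sync_file_range __PNR_bdflush
           __PNR_bind __PNR_break __PNR_breakpoint
           __PNR_cachectl __PNR_cacheflush __PNR_chmod
           __PNR_chown __PNR_chown32 __PNR_connect
           __PNR_creat __PNR_create_module __PNR_dup2
           __PNR_epoll_create __PNR_epoll_ctl_old __PNR_epoll_wait
           __PNR_epoll_wait_old __PNR_eventfd __PNR_fadvise64
           __PNR_fadvise64_64 __PNR_fchown32 __PNR_fcntl64
           __PNR_fork __PNR_fstat64 __PNR_fstatat64
           __PNR_fstatfs64 __PNR_ftime __PNR_ftruncate64
           __PNR_futimesat __PNR_get_kernel_syms __PNR_get_mempolicy
           __PNR_get_thread_area __PNR_getdents __PNR_getegid32
           __PNR_geteuid32 __PNR_getgid32 __PNR_getgroups32
           __PNR_getpeername __PNR_getpgrp __PNR_getpmsg
           __PNR_getrandom __PNR_getresgid32 __PNR_getresuid32
           __PNR_getrlimit __PNR_getsockname __PNR_getsockopt
           __PNR_getuid32 __PNR_gtty __PNR_idle
           __PNR_inotify_init __PNR_ioperm __PNR_iopl
           __PNR_ipc __PNR_kexec_file_load __PNR_lchown
           __PNR_lchown32 __PNR_link __PNR_listen
           __PNR_lock __PNR_lstat __PNR_lstat64
           __PNR_mbind __PNR_membarrier __PNR_memfd_create
           __PNR_migrate_pages __PNR_mkdir __PNR_mknod
           __PNR_mmap __PNR_mmap2 __PNR_modify_ldt
           __PNR_move_pages __PNR_mpx __PNR_msgctl
           __PNR_msgget __PNR_msgrcv __PNR_msgsnd
           __PNR_multiplexer __PNR_newfstatat __PNR_nfsservctl
           __PNR_nice __PNR_oldfstat __PNR_oldlstat
           __PNR_oldolduname __PNR_oldstat __PNR_olduname
           __PNR_oldwait4 __PNR_open __PNR_pause
           __PNR_pciconfig_iobase __PNR_pciconfig_read __PNR_pciconfig_write
           __PNR_pipe __PNR_poll __PNR_prof
           __PNR_profil __PNR_putpmsg __PNR_query_module
           __PNR_readdir __PNR_readlink __PNR_recv
           __PNR_recvfrom __PNR_recvmmsg __PNR_recvmsg
           __PNR_rename __PNR_rmdir __PNR_rtas
           __PNR_s390_pci_mmio_read __PNR_s390_pci_mmio_write
           __PNR_s390_runtime_instr
           __PNR_security __PNR_select __PNR_semctl
           __PNR_semget __PNR_semop __PNR_semtimedop
           __PNR_send __PNR_sendfile64 __PNR_sendmmsg
           __PNR_sendmsg __PNR_sendto __PNR_set_mempolicy
           __PNR_set_thread_area __PNR_set_tls __PNR_setfsgid32
           __PNR_setfsuid32 __PNR_setgid32 __PNR_setgroups32
           __PNR_setregid32 __PNR_setresgid32 __PNR_setresuid32
           __PNR_setreuid32 __PNR_setsockopt __PNR_setuid32
           __PNR_sgetmask __PNR_shmat __PNR_shmctl
           __PNR_shmdt __PNR_shmget __PNR_shutdown
           __PNR_sigaction __PNR_signal __PNR_signalfd
           __PNR_sigpending __PNR_sigprocmask __PNR_sigreturn
           __PNR_sigsuspend __PNR_socket __PNR_socketcall
           __PNR_socketpair __PNR_spu_create __PNR_spu_run
           __PNR_ssetmask __PNR_stat __PNR_stat64
           __PNR_statfs64 __PNR_stime __PNR_stty
           __PNR_subpage_prot __PNR_swapcontext __PNR_switch_endian
           __PNR_symlink __PNR_sync_file_range __PNR_sync_file_range2
           __PNR_sys_debug_setcontext __PNR_syscall __PNR_sysfs
           __PNR_sysmips __PNR_time __PNR_timerfd
           __PNR_truncate64 __PNR_tuxcall __PNR_ugetrlimit
           __PNR_ulimit __PNR_umount __PNR_unlink
           __PNR_uselib __PNR_userfaultfd __PNR_usr26
           __PNR_usr32 __PNR_ustat __PNR_utime
           __PNR_utimes __PNR_vfork __PNR_vm86
           __PNR_vm86old __PNR_vserver __PNR_waitpid/,
    ],
);

# ':all' is functions followed by macros; it is also the full opt-in list.
$EXPORT_TAGS{all} = [@{$EXPORT_TAGS{functions}}, @{$EXPORT_TAGS{macros}}];
our @EXPORT_OK = @{$EXPORT_TAGS{all}};
# Only the constants are exported without being asked for.
our @EXPORT = @{$EXPORT_TAGS{macros}};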
466
# The version is assigned inside BEGIN so that it already has a value when
# the later BEGIN block hands it to XSLoader::load.
our $VERSION;
BEGIN { $VERSION = '0.001' }
471
# Lazily resolve constants.
#
# Any call to a sub this package does not define lands here.  The
# unqualified sub name is handed to constant() (not defined in this file;
# presumably supplied by the XS half of the module).  constant() returns an
# (error, value) pair: a true error is rethrown with croak, otherwise the
# value is installed as a real sub under the requested name so later calls
# no longer go through AUTOLOAD, and control jumps to that new sub.
sub AUTOLOAD {
    our $AUTOLOAD;

    # Drop the package qualifier, keeping only the sub name.
    my $constname = $AUTOLOAD =~ s/.*:://r;

    # Guard against recursing forever when constant() itself is missing.
    if ($constname eq 'constant') {
        croak "&Linux::Seccomp::constant not defined";
    }

    my ($error, $val) = constant($constname);
    croak $error if $error;

    {
        # Installing a sub by name needs a symbolic glob reference.
        no strict 'refs';
        *$AUTOLOAD = sub { $val };
    }

    goto &$AUTOLOAD;
}
485
# Load the compiled half of the module while this file is still being
# compiled.  NOTE(review): presumably this is what lets the subs below call
# XS functions such as init without parentheses -- confirm before moving it.
BEGIN {
    require XSLoader;
    XSLoader::load( 'Linux::Seccomp', $VERSION );
}
490
# Constructor: Linux::Seccomp->new($def_action).
#
# The invocant is ignored; the default action is passed straight to init()
# (not defined in this file) and whatever init() returns is the result.
sub new {
    my (undef, $def_action) = @_;
    return init($def_action);
}
495
# Destructor: calls the object's release method when the filter goes away.
sub DESTROY {
    my ($self) = @_;
    return $self->release;
}
499
# Maps every accepted spelling of a comparison operator to its SCMP_CMP_*
# value.  Each operator can be written as a symbol ('=='), as a two-letter
# mnemonic ('eq'), or as the SCMP_CMP_* value itself, which maps to itself.
my %COMPARE_OP_TBL;
for my $spec (
    [ SCMP_CMP_NE(),        '!=', 'ne' ],
    [ SCMP_CMP_LT(),        '<',  'lt' ],
    [ SCMP_CMP_LE(),        '<=', 'le' ],
    [ SCMP_CMP_EQ(),        '==', 'eq' ],
    [ SCMP_CMP_GE(),        '>=', 'ge' ],
    [ SCMP_CMP_GT(),        '>',  'gt' ],
    [ SCMP_CMP_MASKED_EQ(), '=~', 'me' ],
) {
    my ($code, @spellings) = @$spec;
    $COMPARE_OP_TBL{$_} = $code for @spellings, $code;
}
524
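# Turn the user-facing argument constraints into the form the *_array
# functions take.
#
# Each element of @_ must be an array reference [$arg, $op, @data], where
# $op is any key of %COMPARE_OP_TBL.  The operator is translated to its
# SCMP_CMP_* value and the constraint is passed to make_arg_cmp() (not
# defined in this file).  Returns a reference to the list of results.
#
# Croaks on a constraint that is not an array reference or whose operator is
# missing or unknown, so a malformed rule is rejected here rather than
# being handed on in an unclear state.  The caller's arrays are left
# untouched: the translated operator goes into a copy.
sub _mangle_rule_add_args {
    require Scalar::Util;

    my @args = map {
        my $constraint = $_;
        croak 'Argument constraint must be an array reference'
            unless ( Scalar::Util::reftype($constraint) // '' ) eq 'ARRAY';

        my ($arg, $op, @data) = @$constraint;
        croak 'Argument constraint has no compare operator'
            unless defined $op;

        my $cmp = $COMPARE_OP_TBL{$op}
            or croak "No mapping for compare operator '$op'";

        make_arg_cmp($arg, $cmp, @data)
    } @_;

    return \@args;
}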
533
# $ctx->rule_add($action, $syscall, @constraints)
#
# Converts the constraints with _mangle_rule_add_args and forwards
# everything to rule_add_array (not defined in this file).
sub rule_add {
    my ($ctx, $action, $syscall, @constraints) = @_;
    return rule_add_array(
        $ctx, $action, $syscall,
        _mangle_rule_add_args(@constraints),
    );
}
537
# $ctx->rule_add_exact($action, $syscall, @constraints)
#
# Same argument handling as rule_add, but forwards to rule_add_exact_array
# (not defined in this file).
sub rule_add_exact {
    my ($ctx, $action, $syscall, @constraints) = @_;
    return rule_add_exact_array(
        $ctx, $action, $syscall,
        _mangle_rule_add_args(@constraints),
    );
}
541
542 1;
543 __END__
544
545 =encoding utf-8
546
547 =head1 NAME
548
549 Linux::Seccomp - Interface to libseccomp Linux syscall filtering library
550
551 =head1 SYNOPSIS
552
553 use Linux::Seccomp ':all';
554 my $ctx = Linux::Seccomp->new(SCMP_ACT_ALLOW);
555 # Block writes to STDERR
556 $ctx->rule_add(SCMP_ACT_KILL, syscall_resolve_name('write'), [0, '==', 2]);
557 $ctx->load;
558 $| = 1;
559 print STDOUT "Hello world!\n"; # works
560 print STDERR "Goodbye world!\n"; # Killed
561 print STDOUT "Hello again world!\n"; # never reached
562
563 =head1 DESCRIPTION
564
565 Secure Computing (seccomp) is Linux's system call filtering mechanism.
566 This system can operate in two modes: I<strict>, where only a very
567 small number of system calls are allowed and the more modern I<filter>
568 (or seccomp mode 2) which permits advanced filtering of system calls.
569 This module is only concerned with the latter.
570
571 Linux::Seccomp is a Perl interface to the
572 L<libseccomp|https://github.com/seccomp/libseccomp> library which
573 provides a simple way to use seccomp mode 2.
574
575 It should be mentioned that this module is not production-ready at the
576 moment -- work needs to be done to port the libseccomp testsuite and
577 the documentation needs to be improved.
578
579 Basic usage of this module is straightforward: Create a filter using
580 the B<new> method, add rules to it using the B<rule_add> method
581 several times, and finally load the filter into the kernel using the
582 B<load> method. An example of this can be seen in the SYNOPSIS.
583
584 =head1 METHODS
585
586 Most methods die on error.
587
588 =over
589
590 =item I<$ctx> = Linux::Seccomp->B<new>(I<$def_action>)
591
592 Creates a new C<Linux::Seccomp> filter, with the default action for
593 unhandled syscalls being I<$def_action>. Possible values for
594 I<$def_action> are:
595
596 =over
597
598 =item SCMP_ACT_KILL
599
600 The thread will be terminated by the kernel with SIGSYS when it calls
601 a syscall that does not match any of the configured seccomp filter
602 rules. The thread will not be able to catch the signal.
603
604 =item SCMP_ACT_TRAP
605
606 The thread will be sent a SIGSYS signal when it calls a syscall that
607 does not match any of the configured seccomp filter rules. It may
608 catch this and change its behavior accordingly. When using SA_SIGINFO
609 with L<sigaction(2)>, si_code will be set to SYS_SECCOMP, si_syscall
610 will be set to the syscall that failed the rules, and si_arch will be
611 set to the AUDIT_ARCH for the active ABI.
612
613 =item SCMP_ACT_ERRNO(I<$errno>)
614
615 The thread will receive a return value of I<$errno> when it calls a
616 syscall that does not match any of the configured seccomp filter
617 rules.
618
619 =item SCMP_ACT_TRACE(I<$msg_num>)
620
621 If the thread is being traced and the tracing process specified the
622 PTRACE_O_TRACESECCOMP option in the call to L<ptrace(2)>, the tracing
623 process will be notified, via PTRACE_EVENT_SECCOMP, and the value
624 provided in msg_num can be retrieved using the PTRACE_GETEVENTMSG
625 option.
626
627 =item SCMP_ACT_ALLOW
628
629 The seccomp filter will have no effect on the thread calling the
630 syscall if it does not match any of the configured seccomp filter
631 rules.
632
633 =back
634
635 See L<seccomp_init(3)>.
636
637 =item I<$ctx>->B<rule_add>(I<$action>, I<$syscall>, I<@args>)
638
639 Adds a rule to the filter. If a system call with number I<$syscall>
640 whose arguments match I<@args> is called, I<$action> will be taken.
641
642 I<$action> can be any of the C<SCMP_ACT_*> macros listed above.
643
644 I<@args> is a list of 0 or more constraints on the arguments to the
645 syscall. Each constraint is an arrayref with 3 or 4 elements: C<[$arg,
646 $op, $datum_a, $datum_b]> where I<$arg> is the index of the argument
647 we are comparing. I<$op> is as follows:
648
649 =over
650
651 =item SCMP_CMP_NE
652 =item '!='
653 =item 'ne'
654
655 Matches when the argument value is not equal to I<$datum_a>.
656
657 =item SCMP_CMP_LT
658 =item '<'
659 =item 'lt'
660
661 Matches when the argument value is less than I<$datum_a>.
662
663 =item SCMP_CMP_LE
664 =item '<='
665 =item 'le'
666
667 Matches when the argument value is less than or equal to I<$datum_a>.
668
669 =item SCMP_CMP_EQ
670 =item '=='
671 =item 'eq'
672
673 Matches when the argument value is equal to I<$datum_a>.
674
675 =item SCMP_CMP_GE
676 =item '>='
677 =item 'ge'
678
679 Matches when the argument value is greater than or equal to I<$datum_a>.
680
681 =item SCMP_CMP_GT
682 =item '>'
683 =item 'gt'
684
685 Matches when the argument value is greater than I<$datum_a>.
686
687 =item SCMP_CMP_MASKED_EQ
688 =item '=~'
689 =item 'me'
690
691 Matches when the argument value masked with I<$datum_a> is equal to I<$datum_b> masked with I<$datum_a>.
692
693 =back
694
695 See L<seccomp_rule_add(3)>.
696
697 =item I<$ctx>->B<arch_add>(I<$arch_token>)
698
699 Add an architecture to the filter. The native architecture is added by
700 default.
701 See L<seccomp_arch_add(3)>.
702
703 =item I<$ctx>->B<arch_exists>(I<$arch_token>)
704
705 Returns true if the given architecture is in the filter, false
706 otherwise.
707 See L<seccomp_arch_add(3)>.
708
709 =item I<$ctx>->B<arch_remove>(I<$arch_token>)
710
711 Removes an architecture from the filter.
712 See L<seccomp_arch_add(3)>.
713
714 =item I<$ctx>->B<attr_get>(I<$attr>)
715
716 Returns the value of an attribute. The attributes are:
717
718 =over
719
720 =item SCMP_FLTATR_ACT_DEFAULT
721
722 The default filter action as specified in the call to B<new>. Read-only.
723
724 =item SCMP_FLTATR_ACT_BADARCH
725
726 The filter action taken when the loaded filter does not match the
727 architecture of the executing application. Defaults to SCMP_ACT_KILL.
728
729 =item SCMP_FLTATR_CTL_NNP
730
731 Specifies whether to turn on NO_NEW_PRIVS functionality when B<load>
732 is called. Defaults to 1 (on). If this flag is turned off then the
733 calling process must have CAP_SYS_ADMIN (or else the call to B<load>
734 will fail).
735
736 =item SCMP_FLTATR_CTL_TSYNC
737
738 Specifies whether the kernel should synchronize the filters across
739 all threads when B<load> is called. Defaults to 0 (off).
740
741 =back
742
743 See L<seccomp_attr_get(3)>.
744
745 =item I<$ctx>->B<attr_set>(I<$attr>, I<$value>)
746
747 Sets an attribute to the given value. The attributes are the ones from
748 the list above except for SCMP_FLTATR_ACT_DEFAULT which is read-only.
749 See L<seccomp_attr_get(3)>.
750
751 =item I<$ctx>->B<export_bpf>(I<$fh>)
752
753 Writes the BPF (Berkeley Packet Filter) representation of the filter
754 to the given file handle.
755 See L<seccomp_export_bpf(3)>.
756
757 =item I<$ctx>->B<export_pfc>(I<$fh>)
758
759 Writes the PFC (Pseudo Filter Code) representation of the filter to
760 the given file handle.
761 See L<seccomp_export_bpf(3)>.
762
763 =item I<$ctx>->B<load>
764
765 Loads the filter into the kernel.
766 See L<seccomp_load(3)>.
767
768 =back
769
770 =head1 FUNCTIONS
771
772 None exported by default. These functions die on error.
773
774 =over
775
776 =item B<arch_native>
777
778 Returns the arch token for the native architecture.
779 See L<seccomp_arch_add(3)>.
780
781 =item B<arch_resolve_name>(I<$arch_name>)
782
783 Returns the arch token for a named architecture.
784 See L<seccomp_arch_add(3)>.
785
786 =item B<syscall_resolve_name>(I<$name>)
787
788 Resolves a system call name to its number for the native architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall.
789 See L<seccomp_syscall_resolve_name(3)>.
790
791 =item B<syscall_resolve_name_arch>(I<$arch_token>, I<$name>)
792
793 Resolves a system call name to its number for a given architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall.
794 See L<seccomp_syscall_resolve_name(3)>.
795
796 =item B<syscall_resolve_name_rewrite>(I<$arch_token>, I<$name>)
797
798 Resolves a system call name to its number for a given architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall. In contrast to the previous function, this function tries to obtain the actual syscall number in cases where the previous function would return a pseudo syscall number.
799 See L<seccomp_syscall_resolve_name(3)>.
800
801 =item B<syscall_resolve_num_arch>(I<$arch_token>, I<$num>)
802
803 Returns the name of the system call with the given number on the given architecture.
804 See L<seccomp_syscall_resolve_name(3)>.
805
806 =item B<version>
807
808 Returns the version of libseccomp as a three-element arrayref:
809 [$major_version, $minor_version, $micro_version].
810
811 =back
812
813 =head1 CONSTANTS
814
815 All exported by default. Most of the SCMP_ constants were seen above.
816 Here is a list of all of them:
817
818 SCMP_ACT_ALLOW
819 SCMP_ACT_KILL
820 SCMP_ACT_TRAP
821 SCMP_ARCH_AARCH64
822 SCMP_ARCH_ARM
823 SCMP_ARCH_MIPS
824 SCMP_ARCH_MIPS64
825 SCMP_ARCH_MIPS64N32
826 SCMP_ARCH_MIPSEL
827 SCMP_ARCH_MIPSEL64
828 SCMP_ARCH_MIPSEL64N32
829 SCMP_ARCH_NATIVE
830 SCMP_ARCH_PPC
831 SCMP_ARCH_PPC64
832 SCMP_ARCH_PPC64LE
833 SCMP_ARCH_S390
834 SCMP_ARCH_S390X
835 SCMP_ARCH_X32
836 SCMP_ARCH_X86
837 SCMP_ARCH_X86_64
838 SCMP_CMP_EQ
839 SCMP_CMP_GE
840 SCMP_CMP_GT
841 SCMP_CMP_LE
842 SCMP_CMP_LT
843 SCMP_CMP_MASKED_EQ
844 SCMP_CMP_NE
845 SCMP_FLTATR_ACT_BADARCH
846 SCMP_FLTATR_ACT_DEFAULT
847 SCMP_FLTATR_CTL_NNP
848 SCMP_FLTATR_CTL_TSYNC
849 SCMP_VER_MAJOR
850 SCMP_VER_MICRO
851 SCMP_VER_MINOR
852
853 Besides the SCMP_ constants, the module also provides a long list of
854 __NR_syscall and __PNR_syscall constants that represent real and
855 pseudo syscall numbers for many common system calls. A full list can
856 be found in the source code of this module. See also the
857 B<syscall_resolve_name> family of functions above which is more
858 flexible than this set of constants.
859
860 =head1 SEE ALSO
861
862 L<https://github.com/seccomp/libseccomp>
863
864 =head1 AUTHOR
865
866 Marius Gavrilescu, E<lt>marius@ieval.roE<gt>
867
868 =head1 COPYRIGHT AND LICENSE
869
870 Copyright (C) 2016 by Marius Gavrilescu
871
872 This library is free software; you can redistribute it and/or modify
873 it under the same terms as Perl itself, either Perl version 5.24.0 or,
874 at your option, any later version of Perl 5 you may have available.
875
876
877 =cut