libseccomp
Macros | |
#define | API __attribute__((visibility("default"))) |
Functions | |
API const struct scmp_version * | seccomp_version (void) |
API unsigned int | seccomp_api_get (void) |
API int | seccomp_api_set (unsigned int level) |
API scmp_filter_ctx | seccomp_init (uint32_t def_action) |
API int | seccomp_reset (scmp_filter_ctx ctx, uint32_t def_action) |
API void | seccomp_release (scmp_filter_ctx ctx) |
API int | seccomp_merge (scmp_filter_ctx ctx_dst, scmp_filter_ctx ctx_src) |
API uint32_t | seccomp_arch_resolve_name (const char *arch_name) |
API uint32_t | seccomp_arch_native (void) |
API int | seccomp_arch_exist (const scmp_filter_ctx ctx, uint32_t arch_token) |
API int | seccomp_arch_add (scmp_filter_ctx ctx, uint32_t arch_token) |
API int | seccomp_arch_remove (scmp_filter_ctx ctx, uint32_t arch_token) |
API int | seccomp_load (const scmp_filter_ctx ctx) |
API int | seccomp_attr_get (const scmp_filter_ctx ctx, enum scmp_filter_attr attr, uint32_t *value) |
API int | seccomp_attr_set (scmp_filter_ctx ctx, enum scmp_filter_attr attr, uint32_t value) |
API char * | seccomp_syscall_resolve_num_arch (uint32_t arch_token, int num) |
API int | seccomp_syscall_resolve_name_arch (uint32_t arch_token, const char *name) |
API int | seccomp_syscall_resolve_name_rewrite (uint32_t arch_token, const char *name) |
API int | seccomp_syscall_resolve_name (const char *name) |
API int | seccomp_syscall_priority (scmp_filter_ctx ctx, int syscall, uint8_t priority) |
API int | seccomp_rule_add_array (scmp_filter_ctx ctx, uint32_t action, int syscall, unsigned int arg_cnt, const struct scmp_arg_cmp *arg_array) |
API int | seccomp_rule_add (scmp_filter_ctx ctx, uint32_t action, int syscall, unsigned int arg_cnt,...) |
API int | seccomp_rule_add_exact_array (scmp_filter_ctx ctx, uint32_t action, int syscall, unsigned int arg_cnt, const struct scmp_arg_cmp *arg_array) |
API int | seccomp_rule_add_exact (scmp_filter_ctx ctx, uint32_t action, int syscall, unsigned int arg_cnt,...) |
API int | seccomp_notify_alloc (struct seccomp_notif **req, struct seccomp_notif_resp **resp) |
API void | seccomp_notify_free (struct seccomp_notif *req, struct seccomp_notif_resp *resp) |
API int | seccomp_notify_receive (int fd, struct seccomp_notif *req) |
API int | seccomp_notify_respond (int fd, struct seccomp_notif_resp *resp) |
API int | seccomp_notify_id_valid (int fd, uint64_t id) |
API int | seccomp_notify_fd (const scmp_filter_ctx ctx) |
API int | seccomp_export_pfc (const scmp_filter_ctx ctx, int fd) |
API int | seccomp_export_bpf (const scmp_filter_ctx ctx, int fd) |
API int | seccomp_export_bpf_mem (const scmp_filter_ctx ctx, void *buf, size_t *len) |
Variables | |
const struct scmp_version | library_version |
unsigned int | seccomp_api_level = 0 |
Seccomp Library API
Copyright (c) 2012,2013 Red Hat. Author: Paul Moore <pmoore@redhat.com>, <paul@paul-moore.com>
#define API __attribute__((visibility("default"))) |
API unsigned int seccomp_api_get | ( | void | ) |
Query the library's level of API support
This function returns an API level value indicating the currently supported functionality. It is important to note that this level of support is determined at runtime and therefore can change based on the running kernel and system configuration (e.g. any previously loaded seccomp filters). This function can be called multiple times, but it only queries the system the first time it is called; the API level is cached and reused by subsequent calls. Because the result is cached, changes to the system after the first call (for example filters loaded later) are not reflected in later calls.
The current API levels are described below:
- 0 : reserved
- 1 : base level
- 2 : support for the SCMP_FLTATR_CTL_TSYNC filter attribute; uses the seccomp(2) syscall instead of the prctl(2) syscall
- 3 : support for the SCMP_FLTATR_CTL_LOG filter attribute; support for the SCMP_ACT_LOG action; support for the SCMP_ACT_KILL_PROCESS action
- 4 : support for the SCMP_FLTATR_CTL_SSB filter attribute
- 5 : support for the SCMP_ACT_NOTIFY action and notify APIs
- 6 : support for the simultaneous use of SCMP_FLTATR_CTL_TSYNC and the notify APIs
API int seccomp_api_set | ( | unsigned int | level | ) |
Set the library's level of API support
This function forcibly sets the API level of the library at runtime, overriding the runtime detection performed by seccomp_api_get(). Valid API levels are discussed in the description of the seccomp_api_get() function. General use of this function is strongly discouraged: the forced level is not validated against what the running kernel actually supports.
API int seccomp_arch_add | ( | scmp_filter_ctx | ctx, |
uint32_t | arch_token | ||
) |
Adds an architecture to the filter
ctx | the filter context |
arch_token | the architecture token, e.g. SCMP_ARCH_* |
This function adds a new architecture to the given seccomp filter context. Any new rules added after this function successfully returns will be added to this architecture but existing rules will not be added to this architecture. If the architecture token is SCMP_ARCH_NATIVE then the native architecture will be assumed. Returns zero on success, -EEXIST if specified architecture is already present, other negative values on failure.
API int seccomp_arch_exist | ( | const scmp_filter_ctx | ctx, |
uint32_t | arch_token | ||
) |
Check whether an architecture is present in the filter
ctx | the filter context |
arch_token | the architecture token, e.g. SCMP_ARCH_* |
This function tests to see if a given architecture is included in the filter context. If the architecture token is SCMP_ARCH_NATIVE then the native architecture will be assumed. Returns zero if the architecture exists in the filter, -EEXIST if it is not present, and other negative values on failure.
API uint32_t seccomp_arch_native | ( | void | ) |
API int seccomp_arch_remove | ( | scmp_filter_ctx | ctx, |
uint32_t | arch_token | ||
) |
Removes an architecture from the filter
ctx | the filter context |
arch_token | the architecture token, e.g. SCMP_ARCH_* |
This function removes an architecture from the given seccomp filter context. If the architecture token is SCMP_ARCH_NATIVE then the native architecture will be assumed. Returns zero on success, negative values on failure.
API uint32_t seccomp_arch_resolve_name | ( | const char * | arch_name | ) |
API int seccomp_attr_get | ( | const scmp_filter_ctx | ctx, |
enum scmp_filter_attr | attr, | ||
uint32_t * | value | ||
) |
Get the value of a filter attribute
ctx | the filter context |
attr | the filter attribute name |
value | the filter attribute value |
This function fetches the value of the given attribute name and returns it via @value. Returns zero on success, negative values on failure.
API int seccomp_attr_set | ( | scmp_filter_ctx | ctx, |
enum scmp_filter_attr | attr, | ||
uint32_t | value | ||
) |
API int seccomp_export_bpf | ( | const scmp_filter_ctx | ctx, |
int | fd | ||
) |
Generate seccomp Berkeley Packet Filter (BPF) code and export it to a file
ctx | the filter context |
fd | the destination fd |
This function generates seccomp Berkeley Packet Filter (BPF) code and writes it to the given fd. Returns zero on success, negative values on failure.
API int seccomp_export_bpf_mem | ( | const scmp_filter_ctx | ctx, |
void * | buf, | ||
size_t * | len | ||
) |
Generate seccomp Berkeley Packet Filter (BPF) code and export it to a buffer
ctx | the filter context |
buf | the destination buffer |
len | on input the length of the buffer, on output the number of bytes in the program |
This function generates seccomp Berkeley Packet Filter (BPF) code and writes it to the given buffer. Returns zero on success, negative values on failure.
API int seccomp_export_pfc | ( | const scmp_filter_ctx | ctx, |
int | fd | ||
) |
API scmp_filter_ctx seccomp_init | ( | uint32_t | def_action | ) |
Initialize the filter state
def_action | the default filter action |
This function initializes the internal seccomp filter state and should be called before any other functions in this library to ensure the filter state is initialized. Returns a filter context on success, NULL on failure.
API int seccomp_load | ( | const scmp_filter_ctx | ctx | ) |
Loads the filter into the kernel
ctx | the filter context |
This function loads the given seccomp filter context into the kernel. If the filter was loaded correctly, the kernel will be enforcing the filter when this function returns. Note that a filter loaded into the kernel cannot be removed by this library: neither seccomp_reset() nor seccomp_release() affects filters that have already been loaded. Returns zero on success, negative values on error.
API int seccomp_merge | ( | scmp_filter_ctx | ctx_dst, |
scmp_filter_ctx | ctx_src | ||
) |
Merge two filters
ctx_dst | the destination filter context |
ctx_src | the source filter context |
This function merges two filter contexts into a single filter context and destroys the source filter context. The two filter contexts must have the same attribute values and must not contain any of the same architectures; if they do, the merge operation will fail. On success, the source filter context will be destroyed and must no longer be used; it is not necessary to call seccomp_release() on the source filter context. Returns zero on success, negative values on failure.
API int seccomp_notify_alloc | ( | struct seccomp_notif ** | req, |
struct seccomp_notif_resp ** | resp | ||
) |
Allocate a pair of notification request/response structures
req | the request location |
resp | the response location |
This function allocates a pair of request/response structures, computing the correct sizes based on the currently running kernel. It returns zero on success, and negative values on failure.
API int seccomp_notify_fd | ( | const scmp_filter_ctx | ctx | ) |
Return the notification fd from a filter that has already been loaded
ctx | the filter context |
This returns the listener fd that was generated when the seccomp policy was loaded. This is only valid after seccomp_load() with a filter that makes use of SCMP_ACT_NOTIFY.
API void seccomp_notify_free | ( | struct seccomp_notif * | req, |
struct seccomp_notif_resp * | resp | ||
) |
API int seccomp_notify_id_valid | ( | int | fd, |
uint64_t | id | ||
) |
API int seccomp_notify_receive | ( | int | fd, |
struct seccomp_notif * | req | ||
) |
Receive a notification from a seccomp notification fd
fd | the notification fd |
req | the request buffer to save into |
Blocks waiting for a notification on this fd. This function is thread safe (synchronization is performed in the kernel). Returns zero on success, negative values on error.
API int seccomp_notify_respond | ( | int | fd, |
struct seccomp_notif_resp * | resp | ||
) |
Send a notification response to a seccomp notification fd
fd | the notification fd |
resp | the response buffer to use |
Sends a notification response on this fd. This function is thread safe (synchronization is performed in the kernel). Returns zero on success, negative values on error.
API void seccomp_release | ( | scmp_filter_ctx | ctx | ) |
Destroys the filter state and releases any resources
ctx | the filter context |
This function destroys the given seccomp filter state and releases any resources, including memory, associated with the filter state. This function does not reset any seccomp filters already loaded into the kernel. The filter context can no longer be used after calling this function.
API int seccomp_reset | ( | scmp_filter_ctx | ctx, |
uint32_t | def_action | ||
) |
Reset the filter state
ctx | the filter context |
def_action | the default filter action |
This function resets the given seccomp filter state and ensures the filter state is reinitialized. This function does not reset any seccomp filters already loaded into the kernel. Returns zero on success, negative values on failure.
API int seccomp_rule_add | ( | scmp_filter_ctx | ctx, |
uint32_t | action, | ||
int | syscall, | ||
unsigned int | arg_cnt, | ||
... | |||
) |
Add a new rule to the filter
ctx | the filter context |
action | the filter action |
syscall | the syscall number |
arg_cnt | the number of argument filters in the argument filter chain |
... | scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) |
This function adds a series of new argument/value checks to the seccomp filter for the given syscall; multiple argument/value checks can be specified and they will be chained together (AND'd together) in the filter. If the specified rule needs to be adjusted due to architecture specifics it will be adjusted silently, without notification; use seccomp_rule_add_exact() if a rule that cannot be represented exactly should fail instead. Returns zero on success, negative values on failure.
API int seccomp_rule_add_array | ( | scmp_filter_ctx | ctx, |
uint32_t | action, | ||
int | syscall, | ||
unsigned int | arg_cnt, | ||
const struct scmp_arg_cmp * | arg_array | ||
) |
Add a new rule to the filter
ctx | the filter context |
action | the filter action |
syscall | the syscall number |
arg_cnt | the number of elements in the arg_array parameter |
arg_array | array of scmp_arg_cmp structs |
This function adds a series of new argument/value checks to the seccomp filter for the given syscall; multiple argument/value checks can be specified and they will be chained together (AND'd together) in the filter. If the specified rule needs to be adjusted due to architecture specifics it will be adjusted silently, without notification; use seccomp_rule_add_exact_array() if a rule that cannot be represented exactly should fail instead. Returns zero on success, negative values on failure.
API int seccomp_rule_add_exact | ( | scmp_filter_ctx | ctx, |
uint32_t | action, | ||
int | syscall, | ||
unsigned int | arg_cnt, | ||
... | |||
) |
Add a new rule to the filter
ctx | the filter context |
action | the filter action |
syscall | the syscall number |
arg_cnt | the number of argument filters in the argument filter chain |
... | scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) |
This function adds a series of new argument/value checks to the seccomp filter for the given syscall; multiple argument/value checks can be specified and they will be chained together (AND'd together) in the filter. If the specified rule can not be represented on the architecture the function will fail. Returns zero on success, negative values on failure.
API int seccomp_rule_add_exact_array | ( | scmp_filter_ctx | ctx, |
uint32_t | action, | ||
int | syscall, | ||
unsigned int | arg_cnt, | ||
const struct scmp_arg_cmp * | arg_array | ||
) |
Add a new rule to the filter
ctx | the filter context |
action | the filter action |
syscall | the syscall number |
arg_cnt | the number of elements in the arg_array parameter |
arg_array | array of scmp_arg_cmp structs |
This function adds a series of new argument/value checks to the seccomp filter for the given syscall; multiple argument/value checks can be specified and they will be chained together (AND'd together) in the filter. If the specified rule can not be represented on the architecture the function will fail. Returns zero on success, negative values on failure.
API int seccomp_syscall_priority | ( | scmp_filter_ctx | ctx, |
int | syscall, | ||
uint8_t | priority | ||
) |
Set the priority of a given syscall
ctx | the filter context |
syscall | the syscall number |
priority | priority value, higher value == higher priority |
This function sets the priority of the given syscall; this value is used when generating the seccomp filter code such that higher priority syscalls will incur less filter code overhead than the lower priority syscalls in the filter. Returns zero on success, negative values on failure.
API int seccomp_syscall_resolve_name | ( | const char * | name | ) |
API int seccomp_syscall_resolve_name_arch | ( | uint32_t | arch_token, |
const char * | name | ||
) |
Resolve a syscall name to a number
arch_token | the architecture token, e.g. SCMP_ARCH_* |
name | the syscall name |
Resolve the given syscall name to the syscall number for the given architecture. Returns the syscall number on success, including negative pseudo syscall numbers (e.g. __PNR_*); returns __NR_SCMP_ERROR on failure.
API int seccomp_syscall_resolve_name_rewrite | ( | uint32_t | arch_token, |
const char * | name | ||
) |
Resolve a syscall name to a number and perform any rewriting necessary
arch_token | the architecture token, e.g. SCMP_ARCH_* |
name | the syscall name |
Resolve the given syscall name to the syscall number for the given architecture and do any necessary syscall rewriting needed by the architecture. Returns the syscall number on success, including negative pseudo syscall numbers (e.g. __PNR_*); returns __NR_SCMP_ERROR on failure.
API char* seccomp_syscall_resolve_num_arch | ( | uint32_t | arch_token, |
int | num | ||
) |
Resolve a syscall number to a name
arch_token | the architecture token, e.g. SCMP_ARCH_* |
num | the syscall number |
Resolve the given syscall number to the syscall name for the given architecture; it is up to the caller to free the returned string. Returns the syscall name on success, NULL on failure.
API const struct scmp_version* seccomp_version | ( | void | ) |
Query the library version information
This function returns a pointer to a populated scmp_version struct, the caller does not need to free the structure when finished.
const struct scmp_version library_version |