OpenSuSE Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help 
x SuSE Linux 13.1-RELEASE x
x SuSE Linux 13.1-RELEASEx
seccomp_load(3)            libseccomp Documentation            seccomp_load(3)

NAME
       seccomp_load - Load the current seccomp filter into the kernel

SYNOPSIS
       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int seccomp_load(scmp_filter_ctx ctx);

       Link with -lseccomp.

DESCRIPTION
       Loads  the seccomp filter provided by ctx into the kernel; if the func-
       tion succeeds the new seccomp filter will be active when  the  function
       returns.

       As  it is possible to have multiple stacked seccomp filters for a given
       task (defined as either a process or a thread), it is important to  re-
       member  that  each  of the filters loaded for a given task are executed
       when a syscall is made and the "strictest" rule is the rule that is ap-
       plied.   In  the  case of seccomp, "strictest" is defined as the action
       with  the  lowest  value  (e.g.   SCMP_ACT_KILL  is   "stricter"   than
       SCMP_ACT_ALLOW).

RETURN VALUE
       Returns zero on success or one of the following error codes on failure:

       -ECANCELED
              There was a system failure beyond the control of the library.

       -EFAULT
              Internal libseccomp failure.

       -EINVAL
              Invalid  input,  either the context or architecture token is in-
              valid.

       -ENOMEM
              The library was unable to allocate enough memory.

       -ESRCH Unable to load the filter due to thread issues.

       If the SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then addi-
       tional  error codes may be returned to the caller; these additional er-
       ror codes are the negative errno values returned by the system.  Unfor-
       tunately libseccomp can make no guarantees about these return values.

EXAMPLES
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            rc = seccomp_load(ctx);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES
       While  the  seccomp  filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter  gen-
       erated by libseccomp.

       The  libseccomp project site, with more information and the source code
       repository,  can  be  found  at  https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under devel-
       opment, please report any bugs at the project site or directly  to  the
       author.

AUTHOR
       Paul Moore <paul@paul-moore.com>

SEE ALSO
       seccomp_init(3),     seccomp_reset(3),     seccomp_release(3),     sec-
       comp_rule_add(3), seccomp_rule_add_exact(3)

paul@paul-moore.com               30 May 2020                  seccomp_load(3)

Want to link to this manual page? Use this URL:
<http://star2.abcm.com/cgi-bin/bsdi-man?query=seccomp_load&sektion=3&manpath=>

home | help