seccomp_syscall_priority(3)    libseccomp Documentation    seccomp_syscall_priority(3)

NAME
       seccomp_syscall_priority - Prioritize syscalls in the seccomp filter

SYNOPSIS
       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int SCMP_SYS(syscall_name);

       int seccomp_syscall_priority(scmp_filter_ctx ctx,
                                    int syscall, uint8_t priority);

       Link with -lseccomp.

DESCRIPTION
       The seccomp_syscall_priority() function provides a priority hint to the
       seccomp filter generator in libseccomp such that higher priority
       syscalls are placed earlier in the seccomp filter code so that they
       incur less overhead at the expense of lower priority syscalls.  A
       syscall's priority can be set regardless of whether any rules currently
       exist for that syscall; the library will remember the priority and it
       will be assigned to the syscall if and when a rule for that syscall is
       created.

       While it is possible to specify the syscall value  directly  using  the
       standard  __NR_syscall  values,  in  order  to  ensure proper operation
       across multiple architectures it  is  highly  recommended  to  use  the
       SCMP_SYS() macro instead.  See the EXAMPLES section below.

       The  priority  parameter  takes  an 8-bit value ranging from 0 - 255; a
       higher value represents a higher priority.

       The filter context ctx is the value returned by the call to
       seccomp_init().

RETURN VALUE
       The  SCMP_SYS()  macro  returns a value suitable for use as the syscall
       value in seccomp_syscall_priority().

       The seccomp_syscall_priority() function returns zero on success or  one
       of the following error codes on failure:

       -EDOM  Architecture specific failure.

       -EFAULT
              Internal libseccomp failure.

       -EINVAL
              Invalid input, either the context or architecture token is
              invalid.

       -ENOMEM
              The library was unable to allocate enough memory.

EXAMPLES
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }
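
       Added example, not part of the libseccomp man page or project code: a
       simplified model of the trade-off stated in DESCRIPTION, treating the
       filter as a linear chain of syscall comparisons ordered by priority.
       The model_* names, the syscall ids, the tie-break by rule insertion
       order and the call profile are assumptions constructed for
       illustration; the code does not call libseccomp.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed ids for this model; real code would pass SCMP_SYS(name). */
enum { M_OPENAT, M_CLOSE, M_FSTAT, M_READ, M_WRITE, M_COUNT };

struct model {
    uint8_t prio[M_COUNT]; /* hint, remembered even with no rule yet */
    int seq[M_COUNT];      /* 0 = no rule, else order the rule was added */
    int next;
};

/* Stands in for seccomp_syscall_priority(): only records the hint. */
void model_priority(struct model *m, int sc, uint8_t p) { m->prio[sc] = p; }

/* Stands in for adding a rule; a stored priority applies from now on. */
void model_rule_add(struct model *m, int sc) { if (!m->seq[sc]) m->seq[sc] = ++m->next; }

/* Comparisons run before sc is decided: its 1-based position in the chain,
 * or the whole chain when sc has no rule and falls to the default action. */
int model_cost(const struct model *m, int sc)
{
    int cost = 0;
    for (int i = 0; i < M_COUNT; i++)
        if (m->seq[i] && (!m->seq[sc] || i == sc || m->prio[i] > m->prio[sc] ||
                          (m->prio[i] == m->prio[sc] && m->seq[i] < m->seq[sc])))
            cost++;
    return cost;
}

/* Total comparisons for a constructed, read-heavy profile of 100 calls. */
long profile_total(int use_hints)
{
    static const int calls[M_COUNT] = { 4, 4, 2, 70, 20 };
    struct model m = { {0}, {0}, 0 };
    long total = 0;
    if (use_hints) {               /* hints are set before any rule exists */
        model_priority(&m, M_READ, 200);
        model_priority(&m, M_WRITE, 150);
    }
    for (int sc = 0; sc < M_COUNT; sc++)
        model_rule_add(&m, sc);
    for (int sc = 0; sc < M_COUNT; sc++)
        total += (long)calls[sc] * model_cost(&m, sc);
    return total;
}

int main(void)
{
    printf("no hints: %ld, with hints: %ld\n", profile_total(0), profile_total(1));
    return 0;
}
```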

NOTES
       While the seccomp filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source code
       repository, can be found at https://github.com/seccomp/libseccomp.
       This tool, as well as the libseccomp library, is currently under
       development; please report any bugs at the project site or directly to
       the author.

AUTHOR
       Paul Moore <paul@paul-moore.com>

SEE ALSO
       seccomp_rule_add(3), seccomp_rule_add_exact(3)

paul@paul-moore.com               30 May 2020      seccomp_syscall_priority(3)
