NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | EXAMPLES | NOTES | AUTHOR | SEE ALSO | COLOPHON |
|
|
seccomp_load(3) libseccomp Documentation seccomp_load(3)
seccomp_load - Load the current seccomp filter into the kernel
#include <seccomp.h> typedef void * scmp_filter_ctx; int seccomp_load(scmp_filter_ctx ctx); Link with -lseccomp.
Loads the seccomp filter provided by ctx into the kernel; if the function succeeds the new seccomp filter will be active when the function returns. If seccomp_precompute(3) was called prior to attempting to load the seccomp filter, and no changes have been made to the filter, seccomp_load() can be considered to be async- signal-safe. As it is possible to have multiple stacked seccomp filters for a given task (defined as either a process or a thread), it is important to remember that each of the filters loaded for a given task are executed when a syscall is made and the "strictest" rule is the rule that is applied. In the case of seccomp, "strictest" is defined as the action with the lowest value (e.g. SCMP_ACT_KILL is "stricter" than SCMP_ACT_ALLOW).
Returns zero on success or one of the following error codes on failure: -ECANCELED There was a system failure beyond the control of the library. -EFAULT Internal libseccomp failure. -EINVAL Invalid input, either the context or architecture token is invalid. -ENOMEM The library was unable to allocate enough memory. -ESRCH Unable to load the filter due to thread issues. If the SCMP_FLTATR_API_SYSRAWRC filter attribute is non-zero then additional error codes may be returned to the caller; these additional error codes are the negative errno values returned by the system. Unfortunately libseccomp can make no guarantees about these return values.
#include <seccomp.h> int main(int argc, char *argv[]) { int rc = -1; scmp_filter_ctx ctx; ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) goto out; /* ... */ rc = seccomp_load(ctx); if (rc < 0) goto out; /* ... */ out: seccomp_release(ctx); return -rc; }
While the seccomp filter can be generated independent of the kernel, kernel support is required to load and enforce the seccomp filter generated by libseccomp. The libseccomp project site, with more information and the source code repository, can be found at https://github.com/seccomp/libseccomp. This tool, as well as the libseccomp library, is currently under development, please report any bugs at the project site or directly to the author.
Paul Moore <[email protected]>
seccomp_init(3), seccomp_reset(3), seccomp_release(3), seccomp_rule_add(3), seccomp_rule_add_exact(3) seccomp_precompute(3) signal-safety(7)
This page is part of the libseccomp (high-level API to the Linux
Kernel's seccomp filter) project. Information about the project
can be found at ⟨https://github.com/seccomp/libseccomp⟩. If you
have a bug report for this manual page, see
⟨https://groups.google.com/d/forum/libseccomp⟩. This page was
obtained from the project's upstream Git repository
⟨https://github.com/seccomp/libseccomp⟩ on 2024-06-14. (At that
time, the date of the most recent commit that was found in the
repository was 2024-04-18.) If you discover any rendering
problems in this HTML version of the page, or you believe there
is a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
[email protected]
[email protected] 30 May 2020 seccomp_load(3)
Pages that refer to this page: seccomp(2), seccomp_attr_set(3), seccomp_precompute(3), seccomp_rule_add(3)