diff options
Diffstat (limited to 'doc/man/man3/seccomp_attr_set.3')
-rw-r--r-- | doc/man/man3/seccomp_attr_set.3 | 202 |
1 files changed, 202 insertions, 0 deletions
diff --git a/doc/man/man3/seccomp_attr_set.3 b/doc/man/man3/seccomp_attr_set.3 new file mode 100644 index 0000000..4341abc --- /dev/null +++ b/doc/man/man3/seccomp_attr_set.3 @@ -0,0 +1,202 @@ +.TH "seccomp_attr_set" 3 "06 June 2020" "paul@paul-moore.com" "libseccomp Documentation" +.\" ////////////////////////////////////////////////////////////////////////// +.SH NAME +.\" ////////////////////////////////////////////////////////////////////////// +seccomp_attr_set, seccomp_attr_get \- Manage the seccomp filter attributes +.\" ////////////////////////////////////////////////////////////////////////// +.SH SYNOPSIS +.\" ////////////////////////////////////////////////////////////////////////// +.nf +.B #include <seccomp.h> +.sp +.B typedef void * scmp_filter_ctx; +.B enum scmp_filter_attr; +.sp +.BI "int seccomp_attr_set(scmp_filter_ctx " ctx "," +.BI " enum scmp_filter_attr " attr ", uint32_t " value ");" +.BI "int seccomp_attr_get(scmp_filter_ctx " ctx "," +.BI " enum scmp_filter_attr " attr ", uint32_t *" value ");" +.sp +Link with \fI\-lseccomp\fP. +.fi +.\" ////////////////////////////////////////////////////////////////////////// +.SH DESCRIPTION +.\" ////////////////////////////////////////////////////////////////////////// +.P +The +.BR seccomp_attr_set () +function sets the different seccomp filter attributes while the +.BR seccomp_attr_get () +function fetches the filter attributes. The seccomp filter attributes are +tunable values that affect how the library behaves when generating and loading +the seccomp filter into the kernel. The attributes are reset to their default +values whenever the filter is initialized or reset via +.BR seccomp_init (3) +or +.BR seccomp_reset (3). +.P +The filter context +.I ctx +is the value returned by the call to +.BR seccomp_init (3). +.P +Valid +.I attr +values are as follows: +.TP +.B SCMP_FLTATR_ACT_DEFAULT +The default filter action as specified in the call to +.BR seccomp_init (3) +or +.BR seccomp_reset (3). +This attribute is read-only. +.TP +.B SCMP_FLTATR_ACT_BADARCH +The filter action taken when the loaded filter does not match the architecture +of the executing application. Defaults to the +.B SCMP_ACT_KILL +action. +.TP +.B SCMP_FLTATR_CTL_NNP +A flag to specify if the NO_NEW_PRIVS functionality should be enabled before +loading the seccomp filter into the kernel. Setting this to off +.RI ( value +== 0) results in no action, meaning that loading the seccomp filter into the +kernel will fail if CAP_SYS_ADMIN is missing and NO_NEW_PRIVS has not been +externally set. Defaults to on +.RI ( value +== 1). +.TP +.B SCMP_FLTATR_CTL_TSYNC +A flag to specify if the kernel should attempt to synchronize the filters +across all threads on +.BR seccomp_load (3). +If the kernel is unable to synchronize all of the thread then the load +operation will fail. This flag is only available on Linux Kernel 3.17 or +greater; attempting to enable this flag on earlier kernels will result in an +error being returned. Defaults to off +.RI ( value +== 0). +.TP +.B SCMP_FLTATR_API_TSKIP +A flag to specify if libseccomp should allow filter rules to be created for +the -1 syscall. The -1 syscall value can be used by tracer programs to skip +specific syscall invocations, see +.BR seccomp (2) +for more information. Defaults to off +.RI ( value +== 0). +.TP +.B SCMP_FLTATR_CTL_LOG +A flag to specify if the kernel should log all filter actions taken except for +the +.BR SCMP_ACT_ALLOW +action. Defaults to off +.RI ( value +== 0). +.TP +.B SCMP_FLTATR_CTL_SSB +A flag to disable Speculative Store Bypass mitigations for this filter. +Defaults to off +.RI ( value +== 0). +.TP +.B SCMP_FLTATR_CTL_OPTIMIZE +A flag to specify the optimization level of the seccomp filter. By default +libseccomp generates a set of sequential \'if\' statements for each rule in +the filter. +.BR seccomp_syscall_priority (3) +can be used to prioritize the order for the default cause. The binary tree +optimization sorts by syscall numbers and generates consistent +.BR O(log\ n) +filter traversal for every rule in the filter. The binary tree may be +advantageous for large filters. Note that +.BR seccomp_syscall_priority (3) +is ignored when SCMP_FLTATR_CTL_OPTIMIZE == 2. +.RS +.P +The different optimization levels are described below: +.TP +.B 0 +Reserved value, not currently used. +.TP +.B 1 +Rules sorted by priority and complexity (DEFAULT). +.TP +.B 2 +Binary tree sorted by syscall number. +.RE +.TP +.B SCMP_FLTATR_API_SYSRAWRC +A flag to specify if libseccomp should pass system error codes back to the +caller instead of the default -ECANCELED. Defaults to off +.RI ( value +== 0). +.\" ////////////////////////////////////////////////////////////////////////// +.SH RETURN VALUE +.\" ////////////////////////////////////////////////////////////////////////// +Returns zero on success or one of the following error codes on +failure: +.TP +.B -EACCES +Setting the attribute with the given value is not allowed. +.TP +.B -EEXIST +The attribute does not exist. +.TP +.B -EINVAL +Invalid input, either the context or architecture token is invalid. +.TP +.B -EOPNOTSUPP +The library doesn't support the particular operation. +.\" ////////////////////////////////////////////////////////////////////////// +.SH EXAMPLES +.\" ////////////////////////////////////////////////////////////////////////// +.nf +#include <seccomp.h> + +int main(int argc, char *argv[]) +{ + int rc = \-1; + scmp_filter_ctx ctx; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + goto out; + + /* ... */ + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_TRAP); + if (rc < 0) + goto out; + + /* ... */ + +out: + seccomp_release(ctx); + return \-rc; +} +.fi +.\" ////////////////////////////////////////////////////////////////////////// +.SH NOTES +.\" ////////////////////////////////////////////////////////////////////////// +.P +While the seccomp filter can be generated independent of the kernel, kernel +support is required to load and enforce the seccomp filter generated by +libseccomp. +.P +The libseccomp project site, with more information and the source code +repository, can be found at https://github.com/seccomp/libseccomp. This tool, +as well as the libseccomp library, is currently under development, please +report any bugs at the project site or directly to the author. +.\" ////////////////////////////////////////////////////////////////////////// +.SH AUTHOR +.\" ////////////////////////////////////////////////////////////////////////// +Paul Moore <paul@paul-moore.com> +.\" ////////////////////////////////////////////////////////////////////////// +.SH SEE ALSO +.\" ////////////////////////////////////////////////////////////////////////// +.BR seccomp_init (3), +.BR seccomp_reset (3), +.BR seccomp_load (3), +.BR seccomp (2) |