diff options
Diffstat (limited to 'doc/man/man3/seccomp_syscall_priority.3')
| -rw-r--r-- | doc/man/man3/seccomp_syscall_priority.3 | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/doc/man/man3/seccomp_syscall_priority.3 b/doc/man/man3/seccomp_syscall_priority.3 new file mode 100644 index 0000000..5621b85 --- /dev/null +++ b/doc/man/man3/seccomp_syscall_priority.3 @@ -0,0 +1,126 @@ +.TH "seccomp_syscall_priority" 3 "30 May 2020" "paul@paul-moore.com" "libseccomp Documentation" +.\" ////////////////////////////////////////////////////////////////////////// +.SH NAME +.\" ////////////////////////////////////////////////////////////////////////// +seccomp_syscall_priority \- Prioritize syscalls in the seccomp filter +.\" ////////////////////////////////////////////////////////////////////////// +.SH SYNOPSIS +.\" ////////////////////////////////////////////////////////////////////////// +.nf +.B #include <seccomp.h> +.sp +.B typedef void * scmp_filter_ctx; +.sp +.BI "int SCMP_SYS(" syscall_name ");" +.sp +.BI "int seccomp_syscall_priority(scmp_filter_ctx " ctx "," +.BI " int " syscall ", uint8_t " priority ");" +.sp +Link with \fI\-lseccomp\fP. +.fi +.\" ////////////////////////////////////////////////////////////////////////// +.SH DESCRIPTION +.\" ////////////////////////////////////////////////////////////////////////// +.P +The +.BR seccomp_syscall_priority () +function provides a priority hint to the seccomp filter generator in libseccomp +such that higher priority syscalls are placed earlier in the seccomp filter code +so that they incur less overhead at the expense of lower priority syscalls. A +syscall's priority can be set regardless of if any rules currently exist for +that syscall; the library will remember the priority and it will be assigned to +the syscall if and when a rule for that syscall is created. +.P +While it is possible to specify the +.I syscall +value directly using the standard +.B __NR_syscall +values, in order to ensure proper operation across multiple architectures it +is highly recommended to use the +.BR SCMP_SYS () +macro instead. See the EXAMPLES section below. +.P +The +.I priority +parameter takes an 8-bit value ranging from 0 \- 255; a higher value represents +a higher priority. +.P +The filter context +.I ctx +is the value returned by the call to +.BR seccomp_init (). +.\" ////////////////////////////////////////////////////////////////////////// +.SH RETURN VALUE +.\" ////////////////////////////////////////////////////////////////////////// +The +.BR SCMP_SYS () +macro returns a value suitable for use as the +.I syscall +value in +.BR seccomp_syscall_priority (). +.P +The +.BR seccomp_syscall_priority () +function returns zero on success or one of the following error codes on +failure: +.TP +.B -EDOM +Architecture specific failure. +.TP +.B -EFAULT +Internal libseccomp failure. +.TP +.B -EINVAL +Invalid input, either the context or architecture token is invalid. +.TP +.B -ENOMEM +The library was unable to allocate enough memory. +.\" ////////////////////////////////////////////////////////////////////////// +.SH EXAMPLES +.\" ////////////////////////////////////////////////////////////////////////// +.nf +#include <seccomp.h> + +int main(int argc, char *argv[]) +{ + int rc = \-1; + scmp_filter_ctx ctx; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + goto out; + + /* ... */ + + rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200); + if (rc < 0) + goto out; + + /* ... */ + +out: + seccomp_release(ctx); + return \-rc; +} +.fi +.\" ////////////////////////////////////////////////////////////////////////// +.SH NOTES +.\" ////////////////////////////////////////////////////////////////////////// +.P +While the seccomp filter can be generated independent of the kernel, kernel +support is required to load and enforce the seccomp filter generated by +libseccomp. +.P +The libseccomp project site, with more information and the source code +repository, can be found at https://github.com/seccomp/libseccomp. This tool, +as well as the libseccomp library, is currently under development, please +report any bugs at the project site or directly to the author. +.\" ////////////////////////////////////////////////////////////////////////// +.SH AUTHOR +.\" ////////////////////////////////////////////////////////////////////////// +Paul Moore <paul@paul-moore.com> +.\" ////////////////////////////////////////////////////////////////////////// +.SH SEE ALSO +.\" ////////////////////////////////////////////////////////////////////////// +.BR seccomp_rule_add (3), +.BR seccomp_rule_add_exact (3) |