| seccomp_rule_add.3 | seccomp_rule_add.3 | |||
|---|---|---|---|---|
| seccomp_rule_add(3) libseccomp Documentation seccomp_rule_add (3) | seccomp_rule_add(3) libseccomp Documentation seccomp_rule_add (3) | |||
| NAME | NAME | |||
| seccomp_rule_add, seccomp_rule_add_exact - Add a seccomp filter rule | seccomp_rule_add, seccomp_rule_add_exact - Add a seccomp filter rule | |||
| SYNOPSIS | SYNOPSIS | |||
| #include <seccomp.h> | #include <seccomp.h> | |||
| typedef void * scmp_filter_ctx; | ||||
| int SCMP_SYS(syscall_name); | int SCMP_SYS(syscall_name); | |||
| struct scmp_arg_cmp SCMP_CMP(unsigned int arg, | struct scmp_arg_cmp SCMP_CMP(unsigned int arg, | |||
| enum scmp_compare op, ...); | enum scmp_compare op, ...); | |||
| struct scmp_arg_cmp SCMP_A0(enum scmp_compare op, ...); | struct scmp_arg_cmp SCMP_A0(enum scmp_compare op, ...); | |||
| struct scmp_arg_cmp SCMP_A1(enum scmp_compare op, ...); | struct scmp_arg_cmp SCMP_A1(enum scmp_compare op, ...); | |||
| struct scmp_arg_cmp SCMP_A2(enum scmp_compare op, ...); | struct scmp_arg_cmp SCMP_A2(enum scmp_compare op, ...); | |||
| struct scmp_arg_cmp SCMP_A3(enum scmp_compare op, ...); | struct scmp_arg_cmp SCMP_A3(enum scmp_compare op, ...); | |||
| struct scmp_arg_cmp SCMP_A4(enum scmp_compare op, ...); | struct scmp_arg_cmp SCMP_A4(enum scmp_compare op, ...); | |||
| struct scmp_arg_cmp SCMP_A5(enum scmp_compare op, ...); | struct scmp_arg_cmp SCMP_A5(enum scmp_compare op, ...); | |||
| int seccomp_rule_add(uint32_t action, | int seccomp_rule_add(scmp_filter_ctx ctx, uint32_t action, | |||
| int syscall, unsigned int arg_cnt, ...); | int syscall, unsigned int arg_cnt, ...); | |||
| int seccomp_rule_add_exact(uint32_t action, | int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, | |||
| int syscall, unsigned int arg_cnt, ...); | int syscall, unsigned int arg_cnt, ...); | |||
| DESCRIPTION | DESCRIPTION | |||
| The seccomp_rule_add() and seccomp_rule_add_exact() functions add a new | The seccomp_rule_add() and seccomp_rule_add_exact() functions add a new | |||
| filter rule to the current seccomp filter. The seccomp_rule_ad d() | filter rule to the current seccomp filter. The seccomp_rule_ad d() | |||
| function will make a "best effort" to add the rule as specified, but | function will make a "best effort" to add the rule as specified, but | |||
| may alter the rule slightly due to architecture specifics, e.g. soc ket | may alter the rule slightly due to architecture specifics, e.g. soc ket | |||
| and ipc functions on x86. The seccomp_rule_add_exact() function w ill | and ipc functions on x86. The seccomp_rule_add_exact() function w ill | |||
| attempt to add the rule exactly as specified so it may behave diff er‐ | attempt to add the rule exactly as specified so it may behave diff er‐ | |||
| ently on different architectures. While it does not guarantee a ex act | ently on different architectures. While it does not guarantee a ex act | |||
| skipping to change at line 51 | skipping to change at line 53 | |||
| SCMP_CMP() macro allows the caller to specify an arbitrary argum ent | SCMP_CMP() macro allows the caller to specify an arbitrary argum ent | |||
| along with the comparison operator, mask, and datum values where the | along with the comparison operator, mask, and datum values where the | |||
| SCMP_A{0-5}() macros are specific to a certain argument. See the EX AM‐ | SCMP_A{0-5}() macros are specific to a certain argument. See the EX AM‐ | |||
| PLES section below. | PLES section below. | |||
| While it is possible to specify the syscall value directly using the | While it is possible to specify the syscall value directly using the | |||
| standard __NR_syscall values, in order to ensure proper operat ion | standard __NR_syscall values, in order to ensure proper operat ion | |||
| across multiple architectures it is highly recommended to use the | across multiple architectures it is highly recommended to use the | |||
| SCMP_SYS() macro instead. See the EXAMPLES section below. | SCMP_SYS() macro instead. See the EXAMPLES section below. | |||
| The filter context ctx is the value returned by the call to s | ||||
| ec‐ | ||||
| comp_init(3). | ||||
| Valid action values are as follows: | Valid action values are as follows: | |||
| SCMP_ACT_KILL | SCMP_ACT_KILL | |||
| The process will be killed by the kernel when it calls a sysc all | The process will be killed by the kernel when it calls a sysc all | |||
| that does not match any of the configured seccomp filter rule s. | that does not match any of the configured seccomp filter rule s. | |||
| SCMP_ACT_TRAP | SCMP_ACT_TRAP | |||
| The process will throw a SIGSYS signal when it calls a sysc all | The process will throw a SIGSYS signal when it calls a sysc all | |||
| that does not match any of the configured seccomp filter rule s. | that does not match any of the configured seccomp filter rule s. | |||
| SCMP_ACT_ERRNO(uint16_t errno) | SCMP_ACT_ERRNO(uint16_t errno) | |||
| The process will receive a return value of errno when it call s a | The process will receive a return value of errno when it call s a | |||
| syscall that does not match any of the configured seccomp fil ter | syscall that does not match any of the configured seccomp fil ter | |||
| rules. | rules. | |||
| SCMP_ACT_TRACE(uint16_t msg_num) | SCMP_ACT_TRACE(uint16_t msg_num) | |||
| If the process is being traced and the tracing process specif ied | If the process is being traced and the tracing process specif ied | |||
| the PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the | the PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the | |||
| tracing process will be notified, via PTRACE_EVENT_SECCOMP , and | tracing process will be notified, via PTRACE_EVENT_SECCOMP , and | |||
| the value provided in msg_num can be retrieved using the | the value provided in msg_num can be retrieved using the | |||
| PTRACE_GETEVENTMSG option. | PTRACE_GETEVENTMSG option. | |||
| SCMP_ACT_ALLOW | SCMP_ACT_ALLOW | |||
| The seccomp filter will have no effect on the process call | The seccomp filter will have no effect on the process call | |||
| ing | ing | |||
| the syscall if it does not match any of the configured secc | the syscall if it does not match any of the configured secc | |||
| omp | omp | |||
| filter rules. | filter rules. | |||
| Valid comparison op values are as follows: | Valid comparison op values are as follows: | |||
| SCMP_CMP_NE | SCMP_CMP_NE | |||
| Matches when the argument value is not equal to the datum val ue, | Matches when the argument value is not equal to the datum val ue, | |||
| example: | example: | |||
| SCMP_CMP( arg , SCMP_CMP_NE , datum ) | SCMP_CMP( arg , SCMP_CMP_NE , datum ) | |||
| SCMP_CMP_LT | SCMP_CMP_LT | |||
| Matches when the argument value is less than the datum val ue, | Matches when the argument value is less than the datum val ue, | |||
| example: | example: | |||
| SCMP_CMP( arg , SCMP_CMP_LT , datum ) | SCMP_CMP( arg , SCMP_CMP_LT , datum ) | |||
| SCMP_CMP_LE | SCMP_CMP_LE | |||
| Matches when the argument value is less than or equal to the | Matches when the argument value is less than or equal to the | |||
| datum value, example: | datum value, example: | |||
| SCMP_CMP( arg , SCMP_CMP_LE , datum ) | SCMP_CMP( arg , SCMP_CMP_LE , datum ) | |||
| SCMP_CMP_EQ | SCMP_CMP_EQ | |||
| Matches when the argument value is equal to the datum val ue, | Matches when the argument value is equal to the datum val ue, | |||
| example: | example: | |||
| SCMP_CMP( arg , SCMP_CMP_EQ , datum ) | SCMP_CMP( arg , SCMP_CMP_EQ , datum ) | |||
| SCMP_CMP_GE | SCMP_CMP_GE | |||
| Matches when the argument value is greater than or equal to the | Matches when the argument value is greater than or equal to the | |||
| datum value, example: | datum value, example: | |||
| SCMP_CMP( arg , SCMP_CMP_GE , datum ) | SCMP_CMP( arg , SCMP_CMP_GE , datum ) | |||
| SCMP_CMP_GT | SCMP_CMP_GT | |||
| Matches when the argument value is greater than the datum val ue, | Matches when the argument value is greater than the datum val ue, | |||
| example: | example: | |||
| SCMP_CMP( arg , SCMP_CMP_GT , datum ) | SCMP_CMP( arg , SCMP_CMP_GT , datum ) | |||
| SCMP_CMP_MASKED_EQ | SCMP_CMP_MASKED_EQ | |||
| Matches when the masked argument value is equal to the mas ked | Matches when the masked argument value is equal to the mas ked | |||
| datum value, example: | datum value, example: | |||
| SCMP_CMP( arg , SCMP_CMP_MASKED_EQ , mask , datum ) | SCMP_CMP( arg , SCMP_CMP_MASKED_EQ , mask , datum ) | |||
| RETURN VALUE | RETURN VALUE | |||
| The seccomp_rule_add() and seccomp_rule_add_exact() functions ret urn | The seccomp_rule_add() and seccomp_rule_add_exact() functions ret urn | |||
| zero on success, negative errno values on failure. | zero on success, negative errno values on failure. | |||
| EXAMPLES | EXAMPLES | |||
| #include <fcntl.h> | #include <fcntl.h> | |||
| #include <seccomp.h> | #include <seccomp.h> | |||
| #include <sys/stat.h> | #include <sys/stat.h> | |||
| #include <sys/types.h> | #include <sys/types.h> | |||
| #define BUF_SIZE 256 | #define BUF_SIZE 256 | |||
| int main(int argc, char *argv[]) | int main(int argc, char *argv[]) | |||
| { | { | |||
| int rc; | int rc = -1; | |||
| scmp_filter_ctx ctx; | ||||
| int fd; | int fd; | |||
| unsigned char buf[BUF_SIZE]; | unsigned char buf[BUF_SIZE]; | |||
| rc = seccomp_init(SCMP_ACT_KILL); | ctx = seccomp_init(SCMP_ACT_KILL); | |||
| if (rc < 0) | if (ctx == NULL) | |||
| goto out; | goto out; | |||
| /* ... */ | /* ... */ | |||
| fd = open("file.txt", 0); | fd = open("file.txt", 0); | |||
| /* ... */ | /* ... */ | |||
| rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(close), 0); | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); | |||
| if (rc < 0) | if (rc < 0) | |||
| goto out; | goto out; | |||
| rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(read), 3, | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3, | |||
| SCMP_A0(SCMP_CMP_EQ, fd), | SCMP_A0(SCMP_CMP_EQ, fd), | |||
| SCMP_A1(SCMP_CMP_EQ, (scmp_datum_t)buf), | SCMP_A1(SCMP_CMP_EQ, (scmp_datum_t)buf), | |||
| SCMP_A2(SCMP_CMP_LE, BUF_SIZE)); | SCMP_A2(SCMP_CMP_LE, BUF_SIZE)); | |||
| if (rc < 0) | if (rc < 0) | |||
| goto out; | goto out; | |||
| rc = seccomp_rule_add(SCMP_ACT_ALLOW, SCMP_SYS(write), 1, | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, | |||
| SCMP_CMP(0, SCMP_CMP_EQ, fd)); | SCMP_CMP(0, SCMP_CMP_EQ, fd)); | |||
| if (rc < 0) | if (rc < 0) | |||
| goto out; | goto out; | |||
| rc = seccomp_load(); | rc = seccomp_load(ctx); | |||
| if (rc < 0) | if (rc < 0) | |||
| goto out; | goto out; | |||
| /* ... */ | /* ... */ | |||
| out: | out: | |||
| seccomp_release(); | seccomp_release(ctx); | |||
| return -rc; | return -rc; | |||
| } | } | |||
| NOTES | NOTES | |||
| While the seccomp filter can be generated independent of the kern | While the seccomp filter can be generated independent of the kern | |||
| el, | el, | |||
| kernel support is required to load and enforce the seccomp filter g | kernel support is required to load and enforce the seccomp filter g | |||
| en‐ | en‐ | |||
| erated by libseccomp. | erated by libseccomp. | |||
| The libseccomp project site, with more information and the source c | The libseccomp project site, with more information and the source c | |||
| ode | ode | |||
| repository, can be found at http://libseccomp.sf.net. This library | repository, can be found at http://libseccomp.sf.net. This library | |||
| is | is | |||
| currently under development, please report any bugs at the project s ite | currently under development, please report any bugs at the project s ite | |||
| or directly to the author. | or directly to the author. | |||
| AUTHOR | AUTHOR | |||
| Paul Moore <paul@paul-moore.com> | Paul Moore <paul@paul-moore.com> | |||
| SEE ALSO | SEE ALSO | |||
| seccomp_syscall_priority(3), seccomp_load(3) | seccomp_syscall_priority(3), seccomp_load(3) | |||
| paul@paul-moore.com 5 April 2012 seccomp_rule_add (3) | paul@paul-moore.com 25 July 2012 seccomp_rule_add (3) | |||
| End of changes. 24 change blocks. | ||||
| 31 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||