www.LinuxHowtos.org howtos, tips&tricks and tutorials for linux

from small one page howto to huge articles all in one place

Other .linuxhowtos.org sites:gentoo.linuxhowtos.org

Last additions:

using iotop to find disk usage hogs

words:

887

views:

210187

userrating:

May 25th. 2007:

Words

486

Views

259164

why adblockers are bad

Workaround and fixes for the current Core Dump Handling vulnerability affected kernels

words:

161

views:

150528

userrating:

April, 26th. 2006:

Words

Views

107889

New subdomain: toolsntoys.linuxhowtos.org

You are here: manpages

seccomp_load

Section: libseccomp Documentation (3)
Updated: 30 May 2020
Index Return to Main Contents

NAME

seccomp_load - Load the current seccomp filter into the kernel

SYNOPSIS

#include <seccomp.h>

typedef void * scmp_filter_ctx;

int seccomp_load(scmp_filter_ctx ctx);

Link with -lseccomp.

DESCRIPTION

Loads the seccomp filter provided by ctx into the kernel; if the function succeeds the new seccomp filter will be active when the function returns. If seccomp_precompute(3) was called prior to attempting to load the seccomp filter, and no changes have been made to the filter, seccomp_load() can be considered to be asyn-signa-safe. As it is possible to have multiple stacked seccomp filters for a given task (defined as either a process or a thread), it is important to remember that each of the filters loaded for a given task are executed when a syscall is made and the "strictest" rule is the rule that is applied. In the case of seccomp, "strictest" is defined as the action with the lowest value (e.g. SCMP_ACT_KILL is "stricter" than SCMP_ACT_ALLOW).

RETURN VALUE

Returns zero on success or one of the following error codes on failure:

-ECANCELED: There was a system failure beyond the control of the library.
-EFAULT: Internal libseccomp failure.
-EINVAL: Invalid input, either the context or architecture token is invalid.
-ENOMEM: The library was unable to allocate enough memory.
-ESRCH: Unable to load the filter due to thread issues. If the SCMP_FLTATR_API_SYSRAWRC filter attribute is no-zero then additional error codes may be returned to the caller; these additional error codes are the negative errno values returned by the system. Unfortunately libseccomp can make no guarantees about these return values.

EXAMPLES

#include <seccomp.h>

int main(int argc, char *argv[])
{
        int rc = -1;
        scmp_filter_ctx ctx;

        ctx = seccomp_init(SCMP_ACT_KILL);
        if (ctx == NULL)
                goto out;

        /* ... */

        rc = seccomp_load(ctx);
        if (rc < 0)
                goto out;

        /* ... */

out:
        seccomp_release(ctx);
        return -rc;
}

NOTES

While the seccomp filter can be generated independent of the kernel, kernel support is required to load and enforce the seccomp filter generated by libseccomp. The libseccomp project site, with more information and the source code repository, can be found at https://github.com/seccomp/libseccomp. This tool, as well as the libseccomp library, is currently under development, please report any bugs at the project site or directly to the author.