DOKK / manpages / debian 11 / libseccomp-dev / seccomp_init.3.en
seccomp_init(3) libseccomp Documentation seccomp_init(3)

seccomp_init, seccomp_reset - Initialize the seccomp filter state

#include <seccomp.h>

typedef void * scmp_filter_ctx;

scmp_filter_ctx seccomp_init(uint32_t def_action);
int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

Link with -lseccomp.

The seccomp_init() and seccomp_reset() functions (re)initialize the internal seccomp filter state, prepares it for use, and sets the default action based on the def_action parameter. The seccomp_init() function must be called before any other libseccomp functions as the rest of the library API will fail if the filter context is not initialized properly. The seccomp_reset() function releases the existing filter context state before reinitializing it and can only be called after a call to seccomp_init() has succeeded. If seccomp_reset() is called with a NULL filter, it resets the library's global task state, including any notification file descriptors retrieved by seccomp_notify_fd(3). Normally this is not needed, but it may be required to continue using the library after a fork() or clone() call to ensure the API level and user notification state is properly reset.

When the caller is finished configuring the seccomp filter and has loaded it into the kernel, the caller should call seccomp_release(3) to release all of the filter context state.

Valid def_action values are as follows:

The thread will be terminated by the kernel with SIGSYS when it calls a syscall that does not match any of the configured seccomp filter rules. The thread will not be able to catch the signal.
The entire process will be terminated by the kernel with SIGSYS when it calls a syscall that does not match any of the configured seccomp filter rules.
The thread will be sent a SIGSYS signal when it calls a syscall that does not match any of the configured seccomp filter rules. It may catch this and change its behavior accordingly. When using SA_SIGINFO with sigaction(2), si_code will be set to SYS_SECCOMP, si_syscall will be set to the syscall that failed the rules, and si_arch will be set to the AUDIT_ARCH for the active ABI.
The thread will receive a return value of errno when it calls a syscall that does not match any of the configured seccomp filter rules.
If the thread is being traced and the tracing process specified the PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the tracing process will be notified, via PTRACE_EVENT_SECCOMP, and the value provided in msg_num can be retrieved using the PTRACE_GETEVENTMSG option.
The seccomp filter will have no effect on the thread calling the syscall if it does not match any of the configured seccomp filter rules but the syscall will be logged.
The seccomp filter will have no effect on the thread calling the syscall if it does not match any of the configured seccomp filter rules.

The seccomp_init() function returns a filter context on success, NULL on failure. The seccomp_reset() function returns zero on success or one of the following error codes on failure:

Invalid input, either the context or action is invalid.
The library was unable to allocate enough memory.

#include <seccomp.h>
int main(int argc, char *argv[])
{
	int rc = -1;
	scmp_filter_ctx ctx;
	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		goto out;
	/* ... */
	rc = seccomp_reset(ctx, SCMP_ACT_KILL);
	if (rc < 0)
		goto out;
	/* ... */
out:
	seccomp_release(ctx);
	return -rc;
}

While the seccomp filter can be generated independent of the kernel, kernel support is required to load and enforce the seccomp filter generated by libseccomp.

The libseccomp project site, with more information and the source code repository, can be found at https://github.com/seccomp/libseccomp. This tool, as well as the libseccomp library, is currently under development, please report any bugs at the project site or directly to the author.

Paul Moore <paul@paul-moore.com>

seccomp_release(3)

30 May 2020 paul@paul-moore.com