Provided by: libseccomp-dev_2.3.3-3ubuntu2_amd64 bug

NAME

       seccomp_init, seccomp_reset - Initialize the seccomp filter state

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       scmp_filter_ctx seccomp_init(uint32_t def_action);
       int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

       Link with -lseccomp.

DESCRIPTION

       The  seccomp_init()  and  seccomp_reset()  functions  (re)initialize  the internal seccomp
       filter state, prepares it for use, and sets the default action  based  on  the  def_action
       parameter.   The  seccomp_init()  function  must  be  called  before  any other libseccomp
       functions as the rest of  the  library  API  will  fail  if  the  filter  context  is  not
       initialized  properly.   The seccomp_reset() function releases the existing filter context
       state before reinitializing it and can only be called after a call to  seccomp_init()  has
       succeeded.

       When  the  caller  is  finished  configuring the seccomp filter and has loaded it into the
       kernel, the caller should call seccomp_release(3) to release all  of  the  filter  context
       state.

       Valid def_action values are as follows:

       SCMP_ACT_KILL
              The  thread  will  be  terminated by the kernel with SIGSYS when it calls a syscall
              that does not match any of the configured seccomp filter rules.   The  thread  will
              not be able to catch the signal.

       SCMP_ACT_TRAP
              The thread will be sent a SIGSYS signal when it calls a syscall that does not match
              any of the configured seccomp filter rules.  It  may  catch  this  and  change  its
              behavior accordingly.  When using SA_SIGINFO with sigaction(2), si_code will be set
              to SYS_SECCOMP, si_syscall will be set to the syscall that failed  the  rules,  and
              si_arch will be set to the AUDIT_ARCH for the active ABI.

       SCMP_ACT_ERRNO(uint16_t errno)
              The  thread  will receive a return value of errno when it calls a syscall that does
              not match any of the configured seccomp filter rules.

       SCMP_ACT_TRACE(uint16_t msg_num)
              If  the  thread  is  being  traced  and   the   tracing   process   specified   the
              PTRACE_O_TRACESECCOMP  option in the call to ptrace(2), the tracing process will be
              notified, via PTRACE_EVENT_SECCOMP, and  the  value  provided  in  msg_num  can  be
              retrieved using the PTRACE_GETEVENTMSG option.

       SCMP_ACT_LOG
              The seccomp filter will have no effect on the thread calling the syscall if it does
              not match any of the configured seccomp  filter  rules  but  the  syscall  will  be
              logged.

       SCMP_ACT_ALLOW
              The seccomp filter will have no effect on the thread calling the syscall if it does
              not match any of the configured seccomp filter rules.

RETURN VALUE

       The seccomp_init() function returns a filter context on success,  NULL  on  failure.   The
       seccomp_reset() function returns zero on success, negative errno values on failure.

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            rc = seccomp_reset(ctx, SCMP_ACT_KILL);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES

       While  the  seccomp  filter  can be generated independent of the kernel, kernel support is
       required to load and enforce the seccomp filter generated by libseccomp.

       The libseccomp project site, with more information and the source code repository, can  be
       found  at  https://github.com/seccomp/libseccomp.   This  tool,  as well as the libseccomp
       library, is currently under development, please report any bugs at  the  project  site  or
       directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_release(3)