Provided by: libseccomp-dev_2.4.1-0ubuntu0.19.10.3_amd64

NAME

       seccomp_init, seccomp_reset - Initialize the seccomp filter state

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       scmp_filter_ctx seccomp_init(uint32_t def_action);
       int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

       Link with -lseccomp.

DESCRIPTION

       The  seccomp_init()  and  seccomp_reset()  functions  (re)initialize  the internal seccomp
       filter state, prepare it for use, and set the default action  based  on  the  def_action
       parameter.   The  seccomp_init()  function  must  be  called  before  any other libseccomp
       functions as the rest of  the  library  API  will  fail  if  the  filter  context  is  not
       initialized  properly.   The seccomp_reset() function releases the existing filter context
       state before reinitializing it and can only be called after a call to  seccomp_init()  has
       succeeded.

       When  the  caller  is  finished  configuring the seccomp filter and has loaded it into the
       kernel, the caller should call seccomp_release(3) to release all  of  the  filter  context
       state.

       Valid def_action values are as follows:

       SCMP_ACT_KILL
              The  thread  will  be  terminated by the kernel with SIGSYS when it calls a syscall
              that does not match any of the configured seccomp filter rules.   The  thread  will
              not be able to catch the signal.

       SCMP_ACT_KILL_PROCESS
              The  entire  process  will  be terminated by the kernel with SIGSYS when it calls a
              syscall that does not match any of the configured seccomp filter rules.

       SCMP_ACT_TRAP
              The thread will be sent a SIGSYS signal when it calls a syscall that does not match
              any of the configured seccomp filter rules.  The thread may catch this signal and
              change its behavior accordingly.  When using SA_SIGINFO with sigaction(2), si_code
              will be set to SYS_SECCOMP, si_syscall will be set to the syscall that failed the
              rules, and si_arch will be set to the AUDIT_ARCH for the active ABI.

       SCMP_ACT_ERRNO(uint16_t errno)
              The thread will receive a return value of errno when it calls a syscall  that  does
              not match any of the configured seccomp filter rules.

       SCMP_ACT_TRACE(uint16_t msg_num)
              If   the   thread   is   being   traced  and  the  tracing  process  specified  the
              PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the tracing process will  be
              notified,  via  PTRACE_EVENT_SECCOMP,  and  the  value  provided  in msg_num can be
              retrieved using the PTRACE_GETEVENTMSG option.

       SCMP_ACT_LOG
              The seccomp filter will have no effect on the thread calling the syscall if it does
              not  match  any  of  the  configured  seccomp  filter rules but the syscall will be
              logged.

       SCMP_ACT_ALLOW
              The seccomp filter will have no effect on the thread calling the syscall if it does
              not match any of the configured seccomp filter rules.

RETURN VALUE

       The  seccomp_init()  function  returns  a filter context on success, NULL on failure.  The
       seccomp_reset() function returns zero on success, negative errno values on failure.

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            rc = seccomp_reset(ctx, SCMP_ACT_KILL);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES

       While the seccomp filter can be generated independent of the  kernel,  kernel  support  is
       required to load and enforce the seccomp filter generated by libseccomp.

       The  libseccomp project site, with more information and the source code repository, can be
       found at https://github.com/seccomp/libseccomp.  This tool,  as  well  as  the  libseccomp
       library, is currently under development; please report any bugs at the project site or
       directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_release(3)