Provided by: libseccomp-dev_2.5.3-2ubuntu2_amd64 bug

NAME

       seccomp_init, seccomp_reset - Initialize the seccomp filter state

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       scmp_filter_ctx seccomp_init(uint32_t def_action);
       int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

       Link with -lseccomp.

DESCRIPTION

       The  seccomp_init()  and  seccomp_reset()  functions  (re)initialize  the internal seccomp
       filter state, prepares it for use, and sets the default action  based  on  the  def_action
       parameter.   The  seccomp_init()  function  must  be  called  before  any other libseccomp
       functions as the rest of  the  library  API  will  fail  if  the  filter  context  is  not
       initialized  properly.   The seccomp_reset() function releases the existing filter context
       state before reinitializing it and can only be called after a call to  seccomp_init()  has
       succeeded.   If  seccomp_reset()  is  called  with  a NULL filter, it resets the library's
       global  task  state,  including   any   notification   file   descriptors   retrieved   by
       seccomp_notify_fd(3).   Normally  this  is  not needed, but it may be required to continue
       using the library after a fork() or  clone()  call  to  ensure  the  API  level  and  user
       notification state is properly reset.

       When  the  caller  is  finished  configuring the seccomp filter and has loaded it into the
       kernel, the caller should call seccomp_release(3) to release all  of  the  filter  context
       state.

       Valid def_action values are as follows:

       SCMP_ACT_KILL
              The  thread  will  be  terminated by the kernel with SIGSYS when it calls a syscall
              that does not match any of the configured seccomp filter rules.   The  thread  will
              not be able to catch the signal.

       SCMP_ACT_KILL_PROCESS
              The  entire  process  will  be terminated by the kernel with SIGSYS when it calls a
              syscall that does not match any of the configured seccomp filter rules.

       SCMP_ACT_TRAP
              The thread will be sent a SIGSYS signal when it calls a syscall that does not match
              any  of  the  configured  seccomp  filter  rules.  It may catch this and change its
              behavior accordingly.  When using SA_SIGINFO with sigaction(2), si_code will be set
              to  SYS_SECCOMP,  si_syscall  will be set to the syscall that failed the rules, and
              si_arch will be set to the AUDIT_ARCH for the active ABI.

       SCMP_ACT_ERRNO(uint16_t errno)
              The thread will receive a return value of errno when it calls a syscall  that  does
              not match any of the configured seccomp filter rules.

       SCMP_ACT_TRACE(uint16_t msg_num)
              If   the   thread   is   being   traced  and  the  tracing  process  specified  the
              PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the tracing process will  be
              notified,  via  PTRACE_EVENT_SECCOMP,  and  the  value  provided  in msg_num can be
              retrieved using the PTRACE_GETEVENTMSG option.

       SCMP_ACT_LOG
              The seccomp filter will have no effect on the thread calling the syscall if it does
              not  match  any  of  the  configured  seccomp  filter rules but the syscall will be
              logged.

       SCMP_ACT_ALLOW
              The seccomp filter will have no effect on the thread calling the syscall if it does
              not match any of the configured seccomp filter rules.

RETURN VALUE

       The  seccomp_init()  function  returns  a filter context on success, NULL on failure.  The
       seccomp_reset() function returns zero on success or one of the following  error  codes  on
       failure:

       -EINVAL
              Invalid input, either the context or action is invalid.

       -ENOMEM
              The library was unable to allocate enough memory.

EXAMPLES

       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            rc = seccomp_reset(ctx, SCMP_ACT_KILL);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES

       While  the  seccomp  filter  can be generated independent of the kernel, kernel support is
       required to load and enforce the seccomp filter generated by libseccomp.

       The libseccomp project site, with more information and the source code repository, can  be
       found  at  https://github.com/seccomp/libseccomp.   This  tool,  as well as the libseccomp
       library, is currently under development, please report any bugs at  the  project  site  or
       directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_release(3)