plucky (2) PR_SET_SECCOMP.2const.gz
NAME
PR_SET_SECCOMP - set the secure computing mode
LIBRARY
Standard C library (libc, -lc)
SYNOPSIS
#include <linux/prctl.h> /* Definition of PR_* constants */ #include <sys/prctl.h> [[deprecated]] int prctl(PR_SET_SECCOMP, long mode, ...); [[deprecated]] int prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); [[deprecated]] int prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, struct sock_fprog *filter);
DESCRIPTION
Set the secure computing (seccomp) mode for the calling thread, to limit the available system calls. The
more recent seccomp(2) system call provides a superset of the functionality of PR_SET_SECCOMP, and is the
preferred interface for new applications.
The seccomp mode is selected via mode. The seccomp constants are defined in <linux/seccomp.h>. The
following values can be specified:
SECCOMP_MODE_STRICT (since Linux 2.6.23)
See the description of SECCOMP_SET_MODE_STRICT in seccomp(2).
This operation is available only if the kernel is configured with CONFIG_SECCOMP enabled.
SECCOMP_MODE_FILTER (since Linux 3.5)
The allowed system calls are defined by a pointer to a Berkeley Packet Filter passed in filter.
It can be designed to filter arbitrary system calls and system call arguments. See the
description of SECCOMP_SET_MODE_FILTER in seccomp(2).
This operation is available only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
RETURN VALUE
On success, 0 is returned. On error, -1 is returned, and errno is set to indicate the error.
ERRORS
EACCES mode is SECCOMP_MODE_FILTER, but the process does not have the CAP_SYS_ADMIN capability or has not
set the no_new_privs attribute (see PR_SET_NO_NEW_PRIVS(2const)).
EFAULT mode is SECCOMP_MODE_FILTER, and filter is an invalid address.
EINVAL mode is not a valid value.
EINVAL The kernel was not configured with CONFIG_SECCOMP.
EINVAL mode is SECCOMP_MODE_FILTER, and the kernel was not configured with CONFIG_SECCOMP_FILTER.
STANDARDS
Linux.
HISTORY
Linux 2.6.23.
SEE ALSO
prctl(2), PR_GET_SECCOMP(2const), seccomp(2)