plucky (2) PR_SET_SECCOMP.2const.gz

NAME
PR_SET_SECCOMP - set the secure computing mode
LIBRARY
Standard C library (libc, -lc)
SYNOPSIS
#include <linux/prctl.h> /* Definition of PR_* constants */ #include <sys/prctl.h> [[deprecated]] int prctl(PR_SET_SECCOMP, long mode, ...); [[deprecated]] int prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); [[deprecated]] int prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, struct sock_fprog *filter);
DESCRIPTION
Set the secure computing (seccomp) mode for the calling thread, to limit the available system calls. The more recent seccomp(2) system call provides a superset of the functionality of PR_SET_SECCOMP, and is the preferred interface for new applications. The seccomp mode is selected via mode. The seccomp constants are defined in <linux/seccomp.h>. The following values can be specified: SECCOMP_MODE_STRICT (since Linux 2.6.23) See the description of SECCOMP_SET_MODE_STRICT in seccomp(2). This operation is available only if the kernel is configured with CONFIG_SECCOMP enabled. SECCOMP_MODE_FILTER (since Linux 3.5) The allowed system calls are defined by a pointer to a Berkeley Packet Filter passed in filter. It can be designed to filter arbitrary system calls and system call arguments. See the description of SECCOMP_SET_MODE_FILTER in seccomp(2). This operation is available only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
RETURN VALUE
On success, 0 is returned. On error, -1 is returned, and errno is set to indicate the error.
ERRORS
EACCES mode is SECCOMP_MODE_FILTER, but the process does not have the CAP_SYS_ADMIN capability or has not set the no_new_privs attribute (see PR_SET_NO_NEW_PRIVS(2const)). EFAULT mode is SECCOMP_MODE_FILTER, and filter is an invalid address. EINVAL mode is not a valid value. EINVAL The kernel was not configured with CONFIG_SECCOMP. EINVAL mode is SECCOMP_MODE_FILTER, and the kernel was not configured with CONFIG_SECCOMP_FILTER.
STANDARDS
Linux.
HISTORY
Linux 2.6.23.
SEE ALSO
prctl(2), PR_GET_SECCOMP(2const), seccomp(2)