Provided by: libseccomp-dev_2.1.1-1ubuntu1~trusty5_amd64

NAME

       seccomp_init, seccomp_reset - Initialize the seccomp filter state

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       scmp_filter_ctx seccomp_init(uint32_t def_action);
       int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_init() and seccomp_reset() functions (re)initialize the internal seccomp
       filter state, prepare it for use, and set the default action based on the def_action
       parameter.  The seccomp_init() function must be called before any other libseccomp
       functions, as the rest of the library API will fail if the filter context is not
       initialized properly.  The seccomp_reset() function releases the existing filter context
       state before reinitializing it and can only be called after a call to seccomp_init() has
       succeeded.

       When  the  caller  is  finished  configuring the seccomp filter and has loaded it into the
       kernel, the caller should call seccomp_release(3) to release all  of  the  filter  context
       state.

       Valid def_action values are as follows:

       SCMP_ACT_KILL
              The  process  will  be  killed  by the kernel when it calls a syscall that does not
              match any of the configured seccomp filter rules.

       SCMP_ACT_TRAP
              The process will throw a SIGSYS signal when it calls a syscall that does not  match
              any of the configured seccomp filter rules.

       SCMP_ACT_ERRNO(uint16_t errno)
              The  process will receive a return value of errno when it calls a syscall that does
              not match any of the configured seccomp filter rules.

       SCMP_ACT_TRACE(uint16_t msg_num)
              If the process is being traced and the tracing process specified the
              PTRACE_O_TRACESECCOMP option in the call to ptrace(2), the tracing process will be
              notified, via PTRACE_EVENT_SECCOMP, and the value provided in msg_num can be
              retrieved using the PTRACE_GETEVENTMSG option.

       SCMP_ACT_ALLOW
              The  seccomp  filter  will  have no effect on the process calling the syscall if it
              does not match any of the configured seccomp filter rules.

RETURN VALUE

       The seccomp_init() function returns a filter context on success,  NULL  on  failure.   The
       seccomp_reset() function returns zero on success, negative errno values on failure.

EXAMPLES

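       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            /* create the filter context; a syscall matching no rule kills the process */
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            /* release the filter state built so far and reinitialize it */
            rc = seccomp_reset(ctx, SCMP_ACT_KILL);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            /* release all of the filter context state */
            seccomp_release(ctx);
            return -rc;
       }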

NOTES

       While  the  seccomp  filter  can be generated independent of the kernel, kernel support is
       required to load and enforce the seccomp filter generated by libseccomp.

       The libseccomp project site, with more information and the source code repository, can be
       found at http://libseccomp.sf.net.  This library is currently under development; please
       report any bugs at the project site or directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_release(3)