libscmp provides a friendly wrapper over the libseccomp C library.
Here's a simple example (it depends on the `libc` crate for the constants and the raw syscall):

```rust
use libscmp::{resolve_syscall_name, Action, Arg, Filter};

fn main() {
    // Allow all syscalls by default
    let mut filter = Filter::new(Action::Allow).unwrap();

    // Block `setpriority(PRIO_PROCESS, ...)`: return EPERM whenever the
    // first argument (index 0) equals PRIO_PROCESS
    filter
        .add_rule_exact(
            Action::Errno(libc::EPERM),
            resolve_syscall_name("setpriority").unwrap(),
            &[Arg::new_eq(0, libc::PRIO_PROCESS as u64)],
        )
        .unwrap();

    // Load the filter into the kernel
    filter.load().unwrap();

    // Now `setpriority(PRIO_PROCESS, 0, 0)` should fail with EPERM
    assert_eq!(unsafe { libc::setpriority(libc::PRIO_PROCESS, 0, 0) }, -1);
    assert_eq!(
        std::io::Error::last_os_error().raw_os_error(),
        Some(libc::EPERM)
    );
}
```

Structs

- Arg: Represents a syscall argument comparison, used in a filter rule.
- Error: Represents an error that could occur when interacting with libseccomp.
- Filter: Represents a syscall filter.
- NotifRespFlags (requires feature libseccomp-2-5): Represents the flags that can be set on a NotificationResponse.
- Notification (requires feature libseccomp-2-5): Represents a seccomp notification.
- NotificationResponse (requires feature libseccomp-2-5): Represents a response to a seccomp notification.
- ParseArchError: Represents an error when parsing an Arch from a string.
Enums

- Action: Specifies an action to be taken, either as the default action for a filter or when a rule matches.
- Arch: An architecture supported by libseccomp.
- Cmp: Represents a comparison type that can be used in an Arg.
- Flag: Represents a boolean flag that can be set on a filter.
Functions

- api_get (requires feature libseccomp-2-4): Get the "API level" supported by the running kernel.
- api_set (requires feature libseccomp-2-4): Force the API level used by libseccomp (do not use unless you know what you're doing).
- libseccomp_version: Get the version of the currently loaded libseccomp library.
- notify_id_valid (requires feature libseccomp-2-5): Check if the given notification ID is still valid.
- reset_global_state: Reset libseccomp's global state.
- resolve_syscall_name: Look up the number of the syscall with the given name on the native architecture.
- resolve_syscall_name_arch: Look up the number of the syscall with the given name on the given architecture.
- resolve_syscall_name_rewrite: Look up the number of the syscall with the given name on the given architecture, modifying the syscall number for multiplexed syscalls.
- resolve_syscall_num: Look up the name of a syscall given the architecture and the syscall number.