Struct libscmp::Filter

pub struct Filter { /* fields omitted */ }

Represents a syscall filter.

Implementations

impl Filter

pub fn new(def_action: Action) -> Result<Self>

Create a new seccomp filter with the given default action.

pub fn reset(&mut self, def_action: Action) -> Result<()>

Re-initialize this seccomp filter with the given default action.

pub fn merge(&mut self, other: Self) -> Result<()>

Merge another seccomp filter into this one.

See seccomp_merge(3) for more details.

pub fn load(&mut self) -> Result<()>

Load the syscall filter rules into the kernel.

pub fn export_bpf(&self, fd: RawFd) -> Result<()>

Export this filter as BPF (Berkeley Packet Filter) code to the file with the specified file descriptor.

See seccomp_export_bpf(3) for more details.

pub fn export_pfc(&self, fd: RawFd) -> Result<()>

Export this filter as PFC (Pseudo Filter Code) code to the file with the specified file descriptor.

See seccomp_export_pfc(3) for more details.

pub fn add_arch(&mut self, arch: Arch) -> Result<()>

Add the given architecture to the filter,

See seccomp_arch_add(3) for details.

pub fn remove_arch(&mut self, arch: Arch) -> Result<()>

Remove the given architecture from the filter,

See seccomp_arch_remove(3) for details.

pub fn has_arch(&self, arch: Arch) -> Result<bool>

Check if the given architecture has been added to the filter.

See seccomp_arch_exist(3) for details.

pub fn syscall_priority(&mut self, syscall: c_int, priority: u8) -> Result<()>

Prioritize the given syscall in this filter.

This provides a hint to the seccomp filter generator that the given syscall should be prioritized and placed earlier in the filter code. Higher priority values represent higher priorities.

See seccomp_syscall_priority(3) for details.

pub fn add_rule(
    &mut self,
    action: Action,
    syscall: c_int,
    args: &[Arg]
) -> Result<()>

Add a new rule to this filter.

action specifies the action to take if the filter matches, syscall specifies the system call number which should be matched against, and args is a list of syscall argument comparisons to use to match the syscall's arguments.

This function may alter the rule slightly depending on architecture-specific semantics. To add the rule with no changes, see add_rule_exact().

pub fn add_rule_exact(
    &mut self,
    action: Action,
    syscall: c_int,
    args: &[Arg]
) -> Result<()>

Add a new rule to this filter, without any per-architecture modifications.

Other than the lack of per-architecture modifications, this is exactly equivalent to add_rule().

pub fn get_default_action(&mut self) -> Result<Action>

Get the default filter action (as set when the filter was created or reset).

pub fn get_badarch_action(&mut self) -> Result<Action>

Get the action taken when the loaded filter does not match the application's architecture (defaults to KillThread).

pub fn set_badarch_action(&mut self, act: Action) -> Result<()>

Set the action taken when the loaded filter does not match the application's architecture.

pub fn get_flag(&mut self, flag: Flag) -> Result<bool>

Get the value of the given flag in this filter.

See Flag for more details.

pub fn set_flag(&mut self, flag: Flag, val: bool) -> Result<()>

Set the value of the given flag in this filter.

See Flag for more details.

pub fn get_optimize_level(&mut self) -> Result<u32>

Get the current optimization level of the filter.

See seccomp_attr_get(3) for more information.

Note: This only works on libseccomp v2.5.0+.

pub fn set_optimize_level(&mut self, level: u32) -> Result<()>

Set the optimization level of the filter.

See seccomp_attr_get(3) for more information.

Note: This only works on libseccomp v2.5.0+.

Trait Implementations

impl Debug for Filter

pub fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Drop for Filter

pub fn drop(&mut self)

Executes the destructor for this type.