Crate libscmp

libscmp provides a friendly wrapper over the libseccomp C library.

Here’s a simple example:

// Stand-alone version of the doc example. Requires the `libscmp` and `libc`
// crates as dependencies and the libseccomp C library installed on the system.
use libscmp::{resolve_syscall_name, Action, Arg, Filter};

fn main() {
    // Allow all syscalls by default
    let mut filter = Filter::new(Action::Allow).unwrap();

    // Block `setpriority(PRIO_PROCESS, ...)`: when argument 0 equals
    // PRIO_PROCESS, the syscall returns -EPERM instead of running
    filter
        .add_rule_exact(
            Action::Errno(libc::EPERM),
            resolve_syscall_name("setpriority").unwrap(),
            &[Arg::new_eq(0, libc::PRIO_PROCESS as u64)],
        )
        .unwrap();

    // Load the filter into the kernel. A loaded seccomp filter applies to the
    // calling process and cannot be removed for the lifetime of that process.
    filter.load().unwrap();

    // Now `setpriority(PRIO_PROCESS, 0, 0)` should fail with EPERM
    assert_eq!(unsafe { libc::setpriority(libc::PRIO_PROCESS, 0, 0) }, -1);
    assert_eq!(
        std::io::Error::last_os_error().raw_os_error(),
        Some(libc::EPERM)
    );
}

Structs

Arg

Represents a syscall argument comparison, used in a filter rule.

Error

Represents an error that could occur when interacting with libseccomp.

Filter

Represents a syscall filter.

NotifRespFlags

Represents the flags that can be set on a NotificationResponse.

Notification

Represents a seccomp notification.

NotificationResponse

Represents a response to a seccomp notification.

ParseArchError

Represents an error when parsing an Arch from a string.

Enums

Action

Specifies an action to be taken, either as the default action for a filter or when a rule matches.

Arch

An architecture supported by libseccomp.

Cmp

Represents a comparison type that can be used in an Arg.

Flag

Represents a boolean flag that can be set on a filter.

Functions

api_get

Get the “API level” supported by the running kernel.

api_set

Force the API level used by libseccomp (do not use unless you know what you’re doing).

libseccomp_version

Get the version of the currently loaded libseccomp library.

notify_id_valid

Check if the given notification ID is still valid.

reset_global_state

Reset libseccomp’s global state.

resolve_syscall_name

Look up the number of the syscall with the given name on the native architecture.

resolve_syscall_name_arch

Look up the number of the syscall with the given name on the given architecture.

resolve_syscall_name_rewrite

Look up the number of the syscall with the given name on the given architecture, modifying the syscall number for multiplexed syscalls.

resolve_syscall_num

Look up the name of a syscall given the architecture and the syscall number.

Type Definitions

Result