Crate libscmp
libscmp provides a friendly wrapper over the libseccomp C library.
Here’s a simple example:
```rust
use libscmp::{Filter, Action, Arg, resolve_syscall_name};

// Allow all syscalls by default
let mut filter = Filter::new(Action::Allow).unwrap();

// Block `setpriority(PRIO_PROCESS, ...)`
filter
    .add_rule_exact(
        Action::Errno(libc::EPERM),
        resolve_syscall_name("setpriority").unwrap(),
        &[Arg::new_eq(0, libc::PRIO_PROCESS as u64)],
    )
    .unwrap();

// Load the filter into the kernel
filter.load().unwrap();

// Now `setpriority(PRIO_PROCESS, 0, 0)` should fail
assert_eq!(unsafe { libc::setpriority(libc::PRIO_PROCESS, 0, 0) }, -1);
assert_eq!(std::io::Error::last_os_error().raw_os_error(), Some(libc::EPERM));
```
Structs
Arg | Represents a syscall argument comparison, used in a filter rule. |
Error | Represents an error that could occur when interacting with |
Filter | Represents a syscall filter. |
NotifRespFlags | Represents the flags that can be set on a |
Notification | Represents a seccomp notification. |
NotificationResponse | Represents a response to a seccomp notification. |
ParseArchError | Represents an error when parsing an |
Enums
Action | Specifies an action to be taken, either as the default action for a filter or when a rule matches. |
Arch | An architecture supported by |
Cmp | Represents a comparison type that can be used in an |
Flag | Represents a boolean flag that can be set on a filter. |
Functions
api_get | Get the “API level” supported by the running kernel. |
api_set | Force the API level used by libseccomp (do not use unless you know what you’re doing). |
libseccomp_version | Get the version of the currently loaded |
notify_id_valid | Check if the given notification ID is still valid. |
reset_global_state | Reset |
resolve_syscall_name | Look up the number of the syscall with the given name on the native architecture. |
resolve_syscall_name_arch | Look up the number of the syscall with the given name on the given architecture. |
resolve_syscall_name_rewrite | Look up the number of the syscall with the given name on the given architecture, modifying the syscall number for multiplexed syscalls. |
resolve_syscall_num | Look up the name of a syscall given the architecture and the syscall number. |
Type Definitions
Result |