libscmp provides a friendly wrapper over the libseccomp C library.

Here’s a simple example:

use libscmp::{Filter, Action, Arg, resolve_syscall_name};

// Allow all syscalls by default
let mut filter = Filter::new(Action::Allow).unwrap();

// Block `setpriority(PRIO_PROCESS, ...)`
filter
    .add_rule_exact(
        Action::Errno(libc::EPERM),
        resolve_syscall_name("setpriority").unwrap(),
        &[Arg::new_eq(0, libc::PRIO_PROCESS as u64)],
    )
    .unwrap();

// Load the filter into the kernel
filter.load().unwrap();

// Now `setpriority(PRIO_PROCESS, 0, 0)` should fail
assert_eq!(unsafe { libc::setpriority(libc::PRIO_PROCESS, 0, 0) }, -1);
assert_eq!(std::io::Error::last_os_error().raw_os_error(), Some(libc::EPERM));

Structs§
- Represents a syscall argument comparison, used in a filter rule.
- Represents an error that could occur when interacting with libseccomp.
- Represents a syscall filter.
- NotifRespFlags (libseccomp-2-5): Represents the flags that can be set on a NotificationResponse.
- Notification (libseccomp-2-5): Represents a seccomp notification.
- NotificationResponse (libseccomp-2-5): Represents a response to a seccomp notification.
- Represents an error when parsing an Arch from a string.

Enums§
- Specifies an action to be taken, either as the default action for a filter or when a rule matches.
- An architecture supported by libseccomp.
- Represents a comparison type that can be used in an Arg.
- Represents a boolean flag that can be set on a filter.

Functions§
- api_get (libseccomp-2-4): Get the “API level” supported by the running kernel.
- api_set (libseccomp-2-4): Force the API level used by libseccomp (do not use unless you know what you’re doing).
- Get the version of the currently loaded libseccomp library.
- notify_id_valid (libseccomp-2-5): Check if the given notification ID is still valid.
- Reset libseccomp’s global state.
- Look up the number of the syscall with the given name on the native architecture.
- Look up the number of the syscall with the given name on the given architecture.
- Look up the number of the syscall with the given name on the given architecture, modifying the syscall number for multiplexed syscalls.
- Look up the name of a syscall given the architecture and the syscall number.