Crate libscmp


libscmp provides a friendly wrapper over the libseccomp C library.

Here’s a simple example:

// Requires the `libc` crate alongside `libscmp` (both are used below).
use libscmp::{Action, Arg, Filter, resolve_syscall_name};

fn main() {
    // Allow all syscalls by default
    let mut filter = Filter::new(Action::Allow).unwrap();

    // Block `setpriority(PRIO_PROCESS, ...)`: return EPERM whenever the
    // first argument (index 0) equals PRIO_PROCESS
    filter
        .add_rule_exact(
            Action::Errno(libc::EPERM),
            resolve_syscall_name("setpriority").unwrap(),
            &[Arg::new_eq(0, libc::PRIO_PROCESS as u64)],
        )
        .unwrap();

    // Load the filter into the kernel
    filter.load().unwrap();

    // Now `setpriority(PRIO_PROCESS, 0, 0)` should fail with EPERM
    assert_eq!(unsafe { libc::setpriority(libc::PRIO_PROCESS, 0, 0) }, -1);
    assert_eq!(std::io::Error::last_os_error().raw_os_error(), Some(libc::EPERM));
}

Structs

  • Arg
    Represents a syscall argument comparison, used in a filter rule.
  • Represents an error that could occur when interacting with libseccomp.
  • Filter
    Represents a syscall filter.
  • NotifRespFlags (libseccomp-2-5)
    Represents the flags that can be set on a NotificationResponse.
  • Notification (libseccomp-2-5)
    Represents a seccomp notification.
  • NotificationResponse (libseccomp-2-5)
    Represents a response to a seccomp notification.
  • Represents an error when parsing an Arch from a string.

Enums

  • Action
    Specifies an action to be taken, either as the default action for a filter or when a rule matches.
  • Arch
    An architecture supported by libseccomp.
  • Represents a comparison type that can be used in an Arg.
  • Represents a boolean flag that can be set on a filter.

Functions

  • api_get (libseccomp-2-4)
    Get the “API level” supported by the running kernel.
  • api_set (libseccomp-2-4)
    Force the API level used by libseccomp (do not use unless you know what you’re doing).
  • Get the version of the currently loaded libseccomp library.
  • notify_id_valid (libseccomp-2-5)
    Check if the given notification ID is still valid.
  • Reset libseccomp’s global state.
  • resolve_syscall_name
    Look up the number of the syscall with the given name on the native architecture.
  • Look up the number of the syscall with the given name on the given architecture.
  • Look up the number of the syscall with the given name on the given architecture, modifying the syscall number for multiplexed syscalls.
  • Look up the name of a syscall given the architecture and the syscall number.

Type Aliases