Struct Filter

pub struct Filter { /* private fields */ }

Expand description

Represents a syscall filter.

Implementations§

impl Filter

pub fn new(def_action: Action) -> Result<Self>

Create a new seccomp filter with the given default action.

pub fn reset(&mut self, def_action: Action) -> Result<()>

Re-initialize this seccomp filter with the given default action.

pub fn merge(&mut self, other: Self) -> Result<()>

Merge another seccomp filter into this one.

See seccomp_merge(3) for more details.

pub fn load(&mut self) -> Result<()>

Load the syscall filter rules into the kernel.

pub fn export_bpf(&self, fd: RawFd) -> Result<()>

Export this filter as BPF (Berkeley Packet Filter) code to the file with the specified file descriptor.

See seccomp_export_bpf(3) for more details.

pub fn export_pfc(&self, fd: RawFd) -> Result<()>

Export this filter as PFC (Pseudo Filter Code) code to the file with the specified file descriptor.

See seccomp_export_pfc(3) for more details.

pub fn add_arch(&mut self, arch: Arch) -> Result<()>

Add the given architecture to the filter,

See seccomp_arch_add(3) for details.

pub fn remove_arch(&mut self, arch: Arch) -> Result<()>

Remove the given architecture from the filter,

See seccomp_arch_remove(3) for details.

pub fn has_arch(&self, arch: Arch) -> Result<bool>

Check if the given architecture has been added to the filter.

See seccomp_arch_exist(3) for details.

pub fn syscall_priority(&mut self, syscall: c_int, priority: u8) -> Result<()>

Prioritize the given syscall in this filter.

This provides a hint to the seccomp filter generator that the given syscall should be prioritized and placed earlier in the filter code. Higher priority values represent higher priorities.

See seccomp_syscall_priority(3) for details.

pub fn add_rule( &mut self, action: Action, syscall: c_int, args: &[Arg], ) -> Result<()>

Add a new rule to this filter.

action specifies the action to take if the filter matches, syscall specifies the system call number which should be matched against, and args is a list of syscall argument comparisons to use to match the syscall’s arguments.

This function may alter the rule slightly depending on architecture-specific semantics. To add the rule with no changes, see add_rule_exact().

pub fn add_rule_exact( &mut self, action: Action, syscall: c_int, args: &[Arg], ) -> Result<()>

Add a new rule to this filter, without any per-architecture modifications.

Other than the lack of per-architecture modifications, this is exactly equivalent to add_rule().

pub fn get_default_action(&self) -> Result<Action>

Get the default filter action (as set when the filter was created or reset).

pub fn get_badarch_action(&self) -> Result<Action>

Get the action taken when the loaded filter does not match the application’s architecture (defaults to KillThread).

pub fn set_badarch_action(&mut self, act: Action) -> Result<()>

Set the action taken when the loaded filter does not match the application’s architecture.

pub fn get_flag(&self, flag: Flag) -> Result<bool>

Get the value of the given flag in this filter.

See Flag for more details.

pub fn set_flag(&mut self, flag: Flag, val: bool) -> Result<()>

Set the value of the given flag in this filter.

See Flag for more details.

pub fn get_optimize_level(&self) -> Result<u32>

Get the current optimization level of the filter.

See seccomp_attr_get(3) for more information.

Note: This only works on libseccomp v2.5.0+.

pub fn set_optimize_level(&mut self, level: u32) -> Result<()>

Set the optimization level of the filter.

See seccomp_attr_get(3) for more information.

Note: This only works on libseccomp v2.5.0+.

pub fn get_notify_fd(&self) -> Result<RawFd>

Available on crate feature libseccomp-2-5 only.

Get the notification file descriptor of the filter after it has been loaded.

pub fn receive_notify(&self) -> Result<Notification>

Available on crate feature libseccomp-2-5 only.

Receive a seccomp notification from the notification file descriptor of this filter.

pub fn respond_notify(&self, response: &mut NotificationResponse) -> Result<()>

Available on crate feature libseccomp-2-5 only.

Send a seccomp notification response along the notification file descriptor of this filter.

Trait Implementations§

impl Debug for Filter

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

impl Drop for Filter

fn drop(&mut self)

Executes the destructor for this type. Read more

Auto Trait Implementations§

impl Freeze for Filter

impl RefUnwindSafe for Filter

impl !Send for Filter

impl !Sync for Filter

impl Unpin for Filter

impl UnwindSafe for Filter

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.