Crate libseccomp

Expand description

Rust Language Bindings for the libseccomp Library

The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel’s syscall filtering mechanism. The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers.

The libseccomp crate is a high-level safe API for the libseccomp library.

§Examples

use libseccomp::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut filter = ScmpFilterContext::new(ScmpAction::Allow)?;
    let syscall = ScmpSyscall::from_name("getuid")?;

    filter.add_arch(ScmpArch::X8664)?;
    filter.add_rule(ScmpAction::Errno(1), syscall)?;
    filter.set_ctl_log(true)?;
    filter.set_syscall_priority(syscall, 100)?;
    filter.load()?;

    Ok(())
}

The above example can be replaced with builder pattern.

use libseccomp::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let syscall = ScmpSyscall::from_name("getuid")?;

    ScmpFilterContext::new(ScmpAction::Allow)?
        .add_arch(ScmpArch::X8664)?
        .add_rule(ScmpAction::Errno(1), syscall)?
        .set_ctl_log(true)?
        .set_syscall_priority(syscall, 100)?
        .load()?;

    Ok(())
}

§Features

const-syscall: Allow creating of ScmpSyscall in a const-context.

Modules§

error: Errors

Macros§

scmp_cmp: A macro to create ScmpArgCompare in a more elegant way.

Structs§

ScmpArgCompare: Represents a rule in a libseccomp filter context.
ScmpFilterContext: Represents a filter context in the libseccomp.
ScmpNotifData: Describes the system call context that triggered a notification.
ScmpNotifReq: Represents a userspace notification request.
ScmpNotifResp: Represents a userspace notification response.
ScmpNotifRespFlags: Userspace notification response flags
ScmpSyscall: Represents a syscall number.
ScmpVersion: Represents the version information of the libseccomp library.

Enums§

ScmpAction: Represents an action to be taken on a filter rule match in the libseccomp.
ScmpArch: Represents a CPU architecture. Seccomp can restrict syscalls on a per-architecture basis.
ScmpCompareOp: Represents a comparison operator which can be used in a filter rule.
ScmpFilterAttr: Represents filter attributes.

Constants§

NOTIF_FLAG_CONTINUEDeprecated: Userspace notification response flag

Functions§

check_api: Checks that both the libseccomp API level and the libseccomp version being used are equal to or greater than the specified API level and version.
check_version: Checks that the libseccomp version being used is equal to or greater than the specified version.
get_api: Gets the API level supported by the system.
get_library_versionDeprecated: Deprecated alias for ScmpVersion::current().
get_syscall_from_nameDeprecated: Gets the number of a syscall by name for a given architecture’s ABI.
get_syscall_name_from_archDeprecated: Retrieves the name of a syscall from its number for a given architecture.
notify_id_valid: Checks if a userspace notification is still valid.
reset_global_state: Resets the libseccomp library’s global state.
set_api: Sets the API level forcibly.

Type Aliases§

RawSyscall: A raw syscall as used by the OS.
ScmpFd: Represents a file descriptor used for the userspace notification.

Crate libseccompCopy item path