Crate libseccomp[−][src]
Expand description
Native Rust crate for libseccomp library
This is a high-level safe API for libseccomp
on Linux.
Examples
use libseccomp::*; fn main() -> Result<(), Box<dyn std::error::Error>> { let mut filter = ScmpFilterContext::new_filter(ScmpAction::Allow)?; filter.add_arch(ScmpArch::Native)?; let syscall = get_syscall_from_name("getuid", None)?; filter.add_rule(ScmpAction::Errno(1), syscall, None)?; filter.load()?; Ok(()) }
use libc; use libseccomp::*; fn main() -> Result<(), Box<dyn std::error::Error>> { let mut filter = ScmpFilterContext::new_filter(ScmpAction::Allow)?; filter.add_arch(ScmpArch::X8664)?; let syscall = get_syscall_from_name("dup2", Some(ScmpArch::X8664))?; let cmp = ScmpArgCompare::new(0, ScmpCompareOp::Equal, 1, None); filter.add_rule(ScmpAction::Errno(libc::EPERM as u32), syscall, Some(&[cmp]))?; filter.load()?; Ok(()) }
Modules
error | |
notify |
Structs
ScmpArgCompare | ScmpArgCompare represents a rule in a libseccomp filter context |
ScmpData | |
ScmpFilterContext | ScmpFilterContext represents a filter context in libseccomp. |
ScmpVersion | ScmpVersion represents the version information of the currently loaded libseccomp library |
Enums
ScmpAction | ScmpAction represents an action to be taken on a filter rule match in libseccomp |
ScmpArch | ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a per-architecture basis. |
ScmpCompareOp | ScmpCompareOp represents a comparison operator which can be used in a filter rule |
ScmpFilterAttr | ScmpFilterArttr represents filter attributes |
Functions
get_api | get_api returns the API level supported by the system. |
get_library_version | get_library_version returns the version information of the currently loaded libseccomp library. |
get_native_arch | get_native_arch returns ScmpArch representing the native kernel architecture. |
get_syscall_from_name | get_syscall_from_name returns the number of a syscall by name for a given architecture’s ABI. |
get_syscall_name_from_arch | get_syscall_name_from_arch retrieves the name of a syscall from its number for a given architecture. |
set_api | set_api forcibly sets the API level. General use of this function is strongly discouraged. |