Crate libseccomp[][src]

Expand description

Native Rust crate for libseccomp library

This is a high-level safe API for libseccomp on Linux.

Examples

use libseccomp::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut filter = ScmpFilterContext::new_filter(ScmpAction::Allow)?;
    filter.add_arch(ScmpArch::Native)?;

    let syscall = get_syscall_from_name("getuid", None)?;

    filter.add_rule(ScmpAction::Errno(1), syscall, None)?;
    filter.load()?;

    Ok(())
}
use libc;
use libseccomp::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut filter = ScmpFilterContext::new_filter(ScmpAction::Allow)?;
    filter.add_arch(ScmpArch::X8664)?;

    let syscall = get_syscall_from_name("dup2", Some(ScmpArch::X8664))?;

    let cmp = ScmpArgCompare::new(0, ScmpCompareOp::Equal, 1, None);
    filter.add_rule(ScmpAction::Errno(libc::EPERM as u32), syscall, Some(&[cmp]))?;
    filter.load()?;

    Ok(())
}

Modules

error
notify

Structs

ScmpArgCompare

ScmpArgCompare represents a rule in a libseccomp filter context

ScmpData
ScmpFilterContext

ScmpFilterContext represents a filter context in libseccomp.

ScmpVersion

ScmpVersion represents the version information of the currently loaded libseccomp library

Enums

ScmpAction

ScmpAction represents an action to be taken on a filter rule match in libseccomp

ScmpArch

ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a per-architecture basis.

ScmpCompareOp

ScmpCompareOp represents a comparison operator which can be used in a filter rule

ScmpFilterAttr

ScmpFilterArttr represents filter attributes

Functions

get_api

get_api returns the API level supported by the system.

get_library_version

get_library_version returns the version information of the currently loaded libseccomp library.

get_native_arch

get_native_arch returns ScmpArch representing the native kernel architecture.

get_syscall_from_name

get_syscall_from_name returns the number of a syscall by name for a given architecture’s ABI.

get_syscall_name_from_arch

get_syscall_name_from_arch retrieves the name of a syscall from its number for a given architecture.

set_api

set_api forcibly sets the API level. General use of this function is strongly discouraged.