Struct libseccomp::ScmpFilterContext

pub struct ScmpFilterContext { /* fields omitted */ }

ScmpFilterContext represents a filter context in libseccomp.

Implementations

impl ScmpFilterContext

pub fn new_filter(default_action: ScmpAction) -> Result<ScmpFilterContext>

new_filter creates and returns a new filter context.

Accepts a default action to be taken for syscalls which match no rules in the filter. Returns a valid filter context, or an error if the filter context could not be created or an invalid default action was given.

pub fn merge(&mut self, src: Self) -> Result<()>

merge merges two filters. In order to merge two seccomp filters, both filters must have the same attribute values and no overlapping architectures. If successful, the src seccomp filter is released and all internal memory associated with the filter is freed.

Accepts a seccomp filter in src that will be merged into the filter this is called on. Returns an error if merging the filters failed.

pub fn is_arch_present(&self, arch: ScmpArch) -> Result<bool>

is_arch_present checks if an architecture is present in a filter.

If a filter contains an architecture, it uses its default action for syscalls which do not match rules in it, and its rules can match syscalls for that ABI. If a filter does not contain an architecture, all syscalls made to that kernel ABI will fail with the filter's default Bad Architecture Action (by default, killing the process).

Accepts an architecture constant. Returns true if the architecture is present in the filter, false otherwise, and an error on an invalid filter context, an invalid architecture constant, or an issue with the call to libseccomp.

pub fn add_arch(&mut self, arch: ScmpArch) -> Result<()>

add_arch adds an architecture to the filter.

Accepts an architecture constant. Returns an error if the call to libseccomp fails.

pub fn remove_arch(&mut self, arch: ScmpArch) -> Result<()>

remove_arch removes an architecture from the filter.

Accepts an architecture constant. Returns an error on an invalid filter context or architecture constant, or if the call to libseccomp fails.

pub fn add_rule(
    &mut self,
    action: ScmpAction,
    syscall: i32,
    comparators: Option<&[ScmpArgCompare]>
) -> Result<()>

add_rule adds a single rule for an unconditional or conditional action on a syscall.

Accepts the action to be taken, the number of the syscall, and the conditions (argument comparators) under which the action applies to the call being made. If comparators is None, the function adds a single rule for an unconditional action. Returns an error if an issue was encountered adding the rule.

pub fn load(&self) -> Result<()>

load loads a filter context into the kernel.

Returns an error if the filter context is invalid or the syscall failed.

pub fn get_filter_attr(&self, attr: ScmpFilterAttr) -> Result<u32>

get_filter_attr gets a raw filter attribute.

pub fn set_filter_attr(&self, attr: ScmpFilterAttr, value: u32) -> Result<()>

set_filter_attr sets a raw filter attribute.

pub fn set_no_new_privs_bit(&self, state: bool) -> Result<()>

set_no_new_privs_bit sets the state of the No New Privileges bit, which will be applied on filter load. Returns an error if an issue was encountered setting the value. Filters with No New Privileges set to 0 can only be loaded if the process has the CAP_SYS_ADMIN capability.

pub fn export_pfc(&self, fd: File) -> Result<()>

export_pfc outputs a PFC-formatted, human-readable dump of a filter context's rules to a file.

Accepts the file to write to (must be open for writing). Returns an error if writing to the file fails.

pub fn export_bpf(&self, fd: File) -> Result<()>

export_bpf outputs a Berkeley Packet Filter (BPF)-formatted, kernel-readable dump of a filter context's rules to a file.

Accepts the file to write to (must be open for writing). Returns an error if writing to the file fails.

pub fn reset(&mut self, action: ScmpAction) -> Result<()>

reset resets a filter context, removing all its existing state.

Accepts a new default action to be taken for syscalls which do not match. Returns an error if the filter or action provided are invalid.

Trait Implementations

impl Clone for ScmpFilterContext

fn clone(&self) -> ScmpFilterContext

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ScmpFilterContext

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Drop for ScmpFilterContext

fn drop(&mut self)

drop releases a filter context, freeing its memory.

After calling this function, the given filter is no longer valid and cannot be used.
