seccomp_tiny/seccomp.rs
1use crate::abi::*;
2use core::marker::PhantomData;
3use sc::syscall;
4
impl SockFilterProg<'_> {
    /// Wrap a slice of BPF instructions in a `SockFilterProg` descriptor.
    ///
    /// A `SockFilterProg` is the kernel ABI structure that describes a filter
    /// program: an instruction count plus a raw pointer to the first
    /// `SockFilter`. The value returned here points into `instructions`
    /// rather than copying it. The `'a` lifetime on the return type keeps the
    /// slice borrowed for as long as the descriptor exists, so safe code
    /// cannot drop or mutate the instructions while the descriptor can still
    /// be handed to the kernel.
    ///
    /// # Panics
    ///
    /// Panics if `instructions` holds more than `BPF_MAXINSNS` entries.
    pub fn new<'a>(instructions: &'a [SockFilter]) -> SockFilterProg<'a> {
        // Bound the program length before the count is narrowed to u16 below.
        assert!(instructions.len() <= BPF_MAXINSNS);

        // NOTE(review): `as u16` truncates silently; it is only lossless while
        // BPF_MAXINSNS (defined in crate::abi, not visible here) fits in a
        // u16 - confirm.
        let len = instructions.len() as u16;
        let filter = instructions.as_ptr();

        SockFilterProg {
            len,
            filter,
            phantom: PhantomData,
        }
    }
}
21
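/// Try to activate a seccomp program, returning the error code on failure.
///
/// If you are looking for the slightly higher level version, see
/// [`crate::ProgramBuffer::activate()`].
///
/// Two `prctl` calls are made, in this order:
///
/// 1. `PR_SET_NO_NEW_PRIVS` is set to 1. If this call fails, its return value
///    is reported as the error and no filter is installed, so a privileged
///    caller never ends up with a filter loaded while `no_new_privs` is unset.
/// 2. `PR_SET_SECCOMP` with `SECCOMP_MODE_FILTER` installs `program`.
///
/// `no_new_privs` cannot be cleared once set, and it stays set even if the
/// second call then fails. `prctl(PR_SET_SECCOMP)` installs the filter on the
/// calling thread only; threads that already exist are not covered.
///
/// # Errors
///
/// The `Err` value is the non-zero return value of the failing `prctl`
/// syscall cast to `isize`. A raw Linux syscall reports failure as a negated
/// errno (for example `-EINVAL`), not as a positive libc-style `errno`.
///
/// See the documentation for prctl's PR_SET_SECCOMP for detailed reasons
/// why this may fail, and the error codes it may return.
pub fn activate(program: &SockFilterProg) -> Result<(), isize> {
    let ptr = program as *const SockFilterProg as usize;

    // SAFETY: this prctl takes only integer arguments; no memory is shared
    // with the kernel.
    let no_new_privs = unsafe { syscall!(PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) as isize };
    if no_new_privs != 0 {
        // Do not go on to install a filter without no_new_privs in effect.
        return Err(no_new_privs);
    }

    // SAFETY: `ptr` is the address of `program`, which is borrowed for the
    // whole call. The instruction array it points to stays borrowed through
    // the `SockFilterProg` lifetime when the value was built with
    // `SockFilterProg::new`.
    let installed =
        unsafe { syscall!(PRCTL, PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ptr, 0, 0) as isize };

    match installed {
        0 => Ok(()),
        errno => Err(errno),
    }
}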