Struct seccompiler::SeccompFilter
pub struct SeccompFilter { /* fields omitted */ }
Filter containing rules assigned to syscall numbers.
Implementations
pub fn new(
    rules: BTreeMap<i64, Vec<SeccompRule>>,
    mismatch_action: SeccompAction,
    match_action: SeccompAction,
    target_arch: TargetArch
) -> Result<Self, Error>
Creates a new filter with a set of rules, an on-match and default action.
Arguments
rules - Map containing syscall numbers and their respective SeccompRules.
mismatch_action - SeccompAction taken for all syscalls that do not match any rule.
match_action - SeccompAction taken for system calls that match the filter.
target_arch - Target architecture of the generated BPF filter.
Example
use std::convert::TryInto;
use seccompiler::{
    SeccompAction, SeccompCmpArgLen, SeccompCmpOp, SeccompCondition, SeccompFilter,
    SeccompRule,
};

let filter = SeccompFilter::new(
    vec![
        // An empty rule vector matches accept4 regardless of its arguments.
        (libc::SYS_accept4, vec![]),
        (
            libc::SYS_fcntl,
            vec![
                // Rule 1: argument 1 is F_SETFD and argument 2 is FD_CLOEXEC.
                SeccompRule::new(vec![
                    SeccompCondition::new(
                        1,
                        SeccompCmpArgLen::Dword,
                        SeccompCmpOp::Eq,
                        libc::F_SETFD as u64,
                    ).unwrap(),
                    SeccompCondition::new(
                        2,
                        SeccompCmpArgLen::Dword,
                        SeccompCmpOp::Eq,
                        libc::FD_CLOEXEC as u64,
                    ).unwrap(),
                ]).unwrap(),
                // Rule 2: argument 1 is F_GETFD.
                SeccompRule::new(vec![SeccompCondition::new(
                    1,
                    SeccompCmpArgLen::Dword,
                    SeccompCmpOp::Eq,
                    libc::F_GETFD as u64,
                ).unwrap()]).unwrap(),
            ],
        ),
    ]
    .into_iter()
    .collect(),
    // mismatch_action: syscalls that match no rule.
    SeccompAction::Trap,
    // match_action: syscalls that match the filter.
    SeccompAction::Allow,
    // target_arch: the architecture this program was built for.
    std::env::consts::ARCH.try_into().unwrap(),
);
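The decisions the filter above encodes, as an added example that is not part of the seccompiler documentation or crate: a std-only model of its rule matching, showing which calls get match_action and which get mismatch_action. `ModelFilter`, `Cond`, `decide` and `page_filter` are hypothetical names, the constants are x86_64 Linux values written out by hand, and the model assumes conditions in one rule are ANDed, rules of one syscall are ORed, and Dword compares only the low 32 bits.

```rust
use std::collections::BTreeMap;

#[derive(Debug, Clone, Copy, PartialEq)]
enum Action { Allow, Trap }

// Hypothetical model of one Eq condition on a syscall argument.
#[derive(Clone, Copy)]
struct Cond { arg: usize, dword: bool, val: u64 }

struct ModelFilter {
    rules: BTreeMap<i64, Vec<Vec<Cond>>>, // syscall -> alternative rules (OR)
    mismatch: Action,
    matched: Action,
}

impl ModelFilter {
    fn decide(&self, nr: i64, args: [u64; 6]) -> Action {
        let holds = |c: &Cond| {
            // Assumption: Dword compares only the low 32 bits of the argument.
            let mask = if c.dword { u32::MAX as u64 } else { u64::MAX };
            args[c.arg] & mask == c.val & mask
        };
        match self.rules.get(&nr) {
            // Empty rule list: the syscall matches whatever its arguments are.
            Some(rs) if rs.is_empty() => self.matched,
            // Otherwise one rule must have all of its conditions hold (AND).
            Some(rs) if rs.iter().any(|r| r.iter().all(&holds)) => self.matched,
            _ => self.mismatch,
        }
    }
}

// Constructed constants: x86_64 Linux syscall numbers and fcntl values.
const SYS_FCNTL: i64 = 72;
const SYS_ACCEPT4: i64 = 288;
const F_GETFD: u64 = 1;
const F_SETFD: u64 = 2;
const FD_CLOEXEC: u64 = 1;

// Same rule set as the page's example, expressed in the model types.
fn page_filter() -> ModelFilter {
    let eq = |arg, val| Cond { arg, dword: true, val };
    let rules = vec![
        (SYS_ACCEPT4, vec![]),
        (SYS_FCNTL, vec![vec![eq(1, F_SETFD), eq(2, FD_CLOEXEC)], vec![eq(1, F_GETFD)]]),
    ];
    ModelFilter { rules: rules.into_iter().collect(), mismatch: Action::Trap, matched: Action::Allow }
}

fn main() { println!("{:?}", page_filter().decide(SYS_FCNTL, [3, F_SETFD, 0, 0, 0, 0])); }
```

A model like this is useful for unit-testing an allowlist before it is compiled and installed: fcntl with F_SETFD but without FD_CLOEXEC, and any syscall absent from the map, fall through to the mismatch action.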
Trait Implementations
This method tests for self and other values to be equal, and is used by ==.
This method tests for !=.
Auto Trait Implementations
impl RefUnwindSafe for SeccompFilter
impl Send for SeccompFilter
impl Sync for SeccompFilter
impl Unpin for SeccompFilter
impl UnwindSafe for SeccompFilter
Blanket Implementations
Mutably borrows from an owned value.