Install Now
seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native - Manage seccomp filter
Contents
Description
The seccomp_arch_exist() function tests to see if a given architecture has been added to the seccomp
filter in ctx, where the seccomp_arch_add() and seccomp_arch_remove() add and remove, respectively,
architectures from the seccomp filter. In all three functions, the architecture values given in
arch_token should be the SCMP_ARCH_* defined constants; with the SCMP_ARCH_NATIVE constant always
referring to the native compiled architecture. The seccomp_arch_native() function returns the system's
architecture such that it will match one of the SCMP_ARCH_* constants. While the
seccomp_arch_resolve_name() function also returns a SCMP_ARCH_* constant, the returned token matches the
name of the architecture passed as an argument to the function.
When a seccomp filter is initialized with the call to seccomp_init(3) the native architecture is
automatically added to the filter.
While it is possible to remove all architectures from a filter, most of the libseccomp APIs will fail if
the filter does not contain at least one architecture.
When adding a new architecture to an existing filter, the existing rules will not be added to the new
architecture. However, rules added after adding the new architecture will be added to all of the
architectures in the filter.
Examples
#include <seccomp.h>
int main(int argc, char *argv[])
{
int rc = -1;
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
if (ctx == NULL)
goto out;
if (seccomp_arch_exist(ctx, SCMP_ARCH_X86) == -EEXIST) {
rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
if (rc != 0)
goto out_all;
rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
if (rc != 0)
goto out_all;
}
/* ... */
out:
seccomp_release(ctx);
return -rc;
}
Name
seccomp_arch_add, seccomp_arch_remove, seccomp_arch_exist, seccomp_arch_native - Manage seccomp filter
architectures
Notes
While the seccomp filter can be generated independent of the kernel, kernel support is required to load
and enforce the seccomp filter generated by libseccomp.
The libseccomp project site, with more information and the source code repository, can be found at
https://github.com/seccomp/libseccomp. This tool, as well as the libseccomp library, is currently under
development, please report any bugs at the project site or directly to the author.
Return Value
The seccomp_arch_add(), seccomp_arch_remove(), and seccomp_arch_exist() functions return zero on success
or one of the following error codes on failure:
-EDOM Architecture specific failure.
-EEXIST
In the case of seccomp_arch_add() the architecture already exists and in the case of
seccomp_arch_remove() the architecture does not exist.
-EINVAL
Invalid input, either the context or architecture token is invalid.
-ENOMEM
The library was unable to allocate enough memory.
See Also
seccomp_init(3), seccomp_reset(3), seccomp_merge(3) paul@paul-moore.com 15 June 2020 seccomp_arch_add(3)
Synopsis
#include<seccomp.h>typedefvoid*scmp_filter_ctx;#defineSCMP_ARCH_NATIVE#defineSCMP_ARCH_X86#defineSCMP_ARCH_X86_64#defineSCMP_ARCH_X32#defineSCMP_ARCH_ARM#defineSCMP_ARCH_AARCH64#defineSCMP_ARCH_LOONGARCH64#defineSCMP_ARCH_M68K#defineSCMP_ARCH_MIPS#defineSCMP_ARCH_MIPS64#defineSCMP_ARCH_MIPS64N32#defineSCMP_ARCH_MIPSEL#defineSCMP_ARCH_MIPSEL64#defineSCMP_ARCH_MIPSEL64N32#defineSCMP_ARCH_PPC#defineSCMP_ARCH_PPC64#defineSCMP_ARCH_PPC64LE#defineSCMP_ARCH_S390#defineSCMP_ARCH_S390X#defineSCMP_ARCH_SH#defineSCMP_ARCH_SHEB#defineSCMP_ARCH_PARISC#defineSCMP_ARCH_PARISC64#defineSCMP_ARCH_RISCV64uint32_tseccomp_arch_resolve_name(constchar*arch_name);uint32_tseccomp_arch_native();intseccomp_arch_exist(constscmp_filter_ctxctx,uint32_tarch_token);intseccomp_arch_add(scmp_filter_ctxctx,uint32_tarch_token);intseccomp_arch_remove(scmp_filter_ctxctx,uint32_tarch_token);
Link with -lseccomp.
PNG Icons
