PR_SET_SECCOMP - set the secure computing mode

Set the secure computing (seccomp) mode for the calling thread, to limit the available system calls. The more recent seccomp(2) system call provides a superset of the functionality of PR_SET_SECCOMP, and is the preferred interface for new applications. The seccomp mode is selected via mode. The seccomp constants are defined in <linux/seccomp.h>. The following values can be specified: SECCOMP_MODE_STRICT (since Linux 2.6.23) See the description of SECCOMP_SET_MODE_STRICT in seccomp(2). This operation is available only if the kernel is configured with CONFIG_SECCOMP enabled. SECCOMP_MODE_FILTER (since Linux 3.5) The allowed system calls are defined by a pointer to a Berkeley Packet Filter passed in filter. It can be designed to filter arbitrary system calls and system call arguments. See the description of SECCOMP_SET_MODE_FILTER in seccomp(2). This operation is available only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.

EACCESmode is SECCOMP_MODE_FILTER, but the process does not have the CAP_SYS_ADMIN capability or has not set the no_new_privs attribute (see PR_SET_NO_NEW_PRIVS(2const)). EFAULTmode is SECCOMP_MODE_FILTER, and filter is an invalid address. EINVALmode is not a valid value. EINVAL The kernel was not configured with CONFIG_SECCOMP. EINVALmode is SECCOMP_MODE_FILTER, and the kernel was not configured with CONFIG_SECCOMP_FILTER.

Linux 2.6.23.

Standard C library (libc, -lc)

PR_SET_SECCOMP - set the secure computing mode

On success, 0 is returned. On error, -1 is returned, and errno is set to indicate the error.

prctl(2), PR_GET_SECCOMP(2const), seccomp(2) Linux man-pages 6.9.1 2024-06-02 PR_SET_SECCOMP(2const)

Linux.

#include<linux/prctl.h> /* Definition of PR_* constants */ #include<sys/prctl.h>[[deprecated]]intprctl(PR_SET_SECCOMP,longmode,...);[[deprecated]]intprctl(PR_SET_SECCOMP,SECCOMP_MODE_STRICT);[[deprecated]]intprctl(PR_SET_SECCOMP,SECCOMP_MODE_FILTER,structsock_fprog*filter);