Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   seccomp_syscall_priority    ( 3 )

приоритет системным вызовам в фильтре seccomp (Prioritize syscalls in the seccomp filter)

Имя (Name)

seccomp_syscall_priority - Prioritize syscalls in the seccomp filter


Синопсис (Synopsis)

#include <seccomp.h>

typedef void * scmp_filter_ctx;

int SCMP_SYS(syscall_name);

int seccomp_syscall_priority(scmp_filter_ctx ctx, int syscall, uint8_t priority);

Link with -lseccomp.


Описание (Description)

The seccomp_syscall_priority() function provides a priority hint to the seccomp filter generator in libseccomp such that higher priority syscalls are placed earlier in the seccomp filter code so that they incur less overhead at the expense of lower priority syscalls. A syscall's priority can be set regardless of if any rules currently exist for that syscall; the library will remember the priority and it will be assigned to the syscall if and when a rule for that syscall is created.

While it is possible to specify the syscall value directly using the standard __NR_syscall values, in order to ensure proper operation across multiple architectures it is highly recommended to use the SCMP_SYS() macro instead. See the EXAMPLES section below.

The priority parameter takes an 8-bit value ranging from 0 - 255; a higher value represents a higher priority.

The filter context ctx is the value returned by the call to seccomp_init().


Возвращаемое значение (Return value)

The SCMP_SYS() macro returns a value suitable for use as the syscall value in seccomp_syscall_priority().

The seccomp_syscall_priority() function returns zero on success or one of the following error codes on failure:

-EDOM Architecture specific failure.

-EFAULT Internal libseccomp failure.

-EINVAL Invalid input, either the context or architecture token is invalid.

-ENOMEM The library was unable to allocate enough memory.


Примеры (Examples)

#include <seccomp.h>

int main(int argc, char *argv[]) { int rc = -1; scmp_filter_ctx ctx;

ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) goto out;

/* ... */

rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200); if (rc < 0) goto out;

/* ... */

out: seccomp_release(ctx); return -rc; }


Примечание (Note)

While the seccomp filter can be generated independent of the kernel, kernel support is required to load and enforce the seccomp filter generated by libseccomp.

The libseccomp project site, with more information and the source code repository, can be found at https://github.com/seccomp/libseccomp. This tool, as well as the libseccomp library, is currently under development, please report any bugs at the project site or directly to the author.