seccomp_init(3)          libseccomp Documentation          seccomp_init(3)

NAME
       seccomp_init, seccomp_reset - Initialize the seccomp filter state

SYNOPSIS
       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       scmp_filter_ctx seccomp_init(uint32_t def_action);
       int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

       Link with -lseccomp.

DESCRIPTION
       The seccomp_init() and seccomp_reset() functions (re)initialize the
       internal seccomp filter state, prepare it for use, and set the
       default action based on the def_action parameter. The seccomp_init()
       function must be called before any other libseccomp functions, as the
       rest of the library API will fail if the filter context is not
       initialized properly. The seccomp_reset() function releases the
       existing filter context state before reinitializing it and can only
       be called after a call to seccomp_init() has succeeded.

       If seccomp_reset() is called with a NULL filter, it resets the
       library's global task state, including any notification file
       descriptors retrieved by seccomp_notify_fd(3). Normally this is not
       needed, but it may be required to continue using the library after a
       fork() or clone() call to ensure the API level and user notification
       state are properly reset.

       When the caller is finished configuring the seccomp filter and has
       loaded it into the kernel, the caller should call seccomp_release(3)
       to release all of the filter context state.

       Valid def_action values are as follows:

       SCMP_ACT_KILL
              The thread will be terminated by the kernel with SIGSYS when
              it calls a syscall that does not match any of the configured
              seccomp filter rules. The thread will not be able to catch
              the signal.

       SCMP_ACT_KILL_PROCESS
              The entire process will be terminated by the kernel with
              SIGSYS when it calls a syscall that does not match any of the
              configured seccomp filter rules.

       SCMP_ACT_TRAP
              The thread will be sent a SIGSYS signal when it calls a
              syscall that does not match any of the configured seccomp
              filter rules. It may catch this and change its behavior
              accordingly. When using SA_SIGINFO with sigaction(2), si_code
              will be set to SYS_SECCOMP, si_syscall will be set to the
              syscall that failed the rules, and si_arch will be set to the
              AUDIT_ARCH for the active ABI.

       SCMP_ACT_ERRNO(uint16_t errno)
              The thread will receive a return value of errno when it calls
              a syscall that does not match any of the configured seccomp
              filter rules.

       SCMP_ACT_TRACE(uint16_t msg_num)
              If the thread is being traced and the tracing process
              specified the PTRACE_O_TRACESECCOMP option in the call to
              ptrace(2), the tracing process will be notified, via
              PTRACE_EVENT_SECCOMP, and the value provided in msg_num can
              be retrieved using the PTRACE_GETEVENTMSG option.

       SCMP_ACT_LOG
              The seccomp filter will have no effect on the thread calling
              the syscall if it does not match any of the configured
              seccomp filter rules, but the syscall will be logged.

       SCMP_ACT_ALLOW
              The seccomp filter will have no effect on the thread calling
              the syscall if it does not match any of the configured
              seccomp filter rules.

RETURN VALUE
       The seccomp_init() function returns a filter context on success,
       NULL on failure. The seccomp_reset() function returns zero on
       success or one of the following error codes on failure:

       -EINVAL
              Invalid input, either the context or action is invalid.

       -ENOMEM
              The library was unable to allocate enough memory.

EXAMPLES
       #include <seccomp.h>

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            rc = seccomp_reset(ctx, SCMP_ACT_KILL);
            if (rc < 0)
                 goto out;

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES
       While the seccomp filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source
       code repository, can be found at
       https://github.com/seccomp/libseccomp. This tool, as well as the
       libseccomp library, is currently under development; please report
       any bugs at the project site or directly to the author.

AUTHOR
       Paul Moore <paul@paul-moore.com>

SEE ALSO
       seccomp_release(3)

COLOPHON
       This page is part of the libseccomp (high-level API to the Linux
       Kernel's seccomp filter) project. Information about the project can
       be found at ⟨https://github.com/seccomp/libseccomp⟩. If you have a
       bug report for this manual page, see
       ⟨https://groups.google.com/d/forum/libseccomp⟩. This page was
       obtained from the project's upstream Git repository
       ⟨https://github.com/seccomp/libseccomp⟩ on 2025-08-11. (At that
       time, the date of the most recent commit that was found in the
       repository was 2025-05-09.) If you discover any rendering problems
       in this HTML version of the page, or you believe there is a better
       or more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to man-pages@man7.org

paul@paul-moore.com             30 May 2020              seccomp_init(3)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.