HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. |  |
NAME |SYNOPSIS |DESCRIPTION |RETURN VALUE |EXAMPLES |NOTES |AUTHOR |SEE ALSO |COLOPHON | |
seccomp_s..._priority(3) libseccomp Documentationseccomp_s..._priority(3)seccomp_syscall_priority - Prioritize syscalls in the seccomp filter
#include <seccomp.h>typedef void * scmp_filter_ctx;int SCMP_SYS(syscall_name);int seccomp_syscall_priority(scmp_filter_ctxctx,intsyscall, uint8_tpriority); Link with-lseccomp.
Theseccomp_syscall_priority() function provides a priority hint to the seccomp filter generator in libseccomp such that higher priority syscalls are placed earlier in the seccomp filter code so that they incur less overhead at the expense of lower priority syscalls. A syscall's priority can be set regardless of if any rules currently exist for that syscall; the library will remember the priority and it will be assigned to the syscall if and when a rule for that syscall is created. While it is possible to specify thesyscall value directly using the standard__NR_syscallvalues, in order to ensure proper operation across multiple architectures it is highly recommended to use theSCMP_SYS() macro instead. See the EXAMPLES section below. Thepriority parameter takes an 8-bit value ranging from 0 - 255; a higher value represents a higher priority. The filter contextctx is the value returned by the call toseccomp_init().
TheSCMP_SYS() macro returns a value suitable for use as thesyscall value inseccomp_syscall_priority(). Theseccomp_syscall_priority() function returns zero on success or one of the following error codes on failure:-EDOMArchitecture specific failure.-EFAULT Internal libseccomp failure.-EINVAL Invalid input, either the context or architecture token is invalid.-ENOMEM The library was unable to allocate enough memory.
#include <seccomp.h> int main(int argc, char *argv[]) { int rc = -1; scmp_filter_ctx ctx; ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) goto out; /* ... */ rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 200); if (rc < 0) goto out; /* ... */ out: seccomp_release(ctx); return -rc; }While the seccomp filter can be generated independent of the kernel, kernel support is required to load and enforce the seccomp filter generated by libseccomp. The libseccomp project site, with more information and the source code repository, can be found athttps://github.com/seccomp/libseccomp. This tool, as well as the libseccomp library, is currently under development, please report any bugs at the project site or directly to the author.
Paul Moore <paul@paul-moore.com>
seccomp_rule_add(3),seccomp_rule_add_exact(3)
This page is part of thelibseccomp (high-level API to the Linux Kernel's seccomp filter) project. Information about the project can be found at ⟨https://github.com/seccomp/libseccomp⟩. If you have a bug report for this manual page, see ⟨https://groups.google.com/d/forum/libseccomp⟩. This page was obtained from the project's upstream Git repository ⟨https://github.com/seccomp/libseccomp⟩ on 2025-08-11. (At that time, the date of the most recent commit that was found in the repository was 2025-05-09.) If you discover any rendering problems in this HTML version of the page, or you believe there is a better or more up-to-date source for the page, or you have corrections or improvements to the information in this COLOPHON (which isnot part of the original manual page), send a mail to man-pages@man7.orgpaul@paul-moore.com 30 May 2020seccomp_s..._priority(3)Pages that refer to this page:seccomp_attr_set(3), seccomp_rule_add(3)
HTML rendering created 2025-09-06 byMichael Kerrisk, author ofThe Linux Programming Interface. For details of in-depthLinux/UNIX system programming training courses that I teach, lookhere. Hosting byjambit GmbH. | |