seccomp_init(3)           libseccomp Documentation           seccomp_init(3)

NAME         top

       seccomp_init, seccomp_reset - Initialize the seccomp filter state

SYNOPSIS         top

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       scmp_filter_ctx seccomp_init(uint32_t def_action);
       int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);

       Link with -lseccomp.

DESCRIPTION         top

       The seccomp_init() and seccomp_reset() functions (re)initialize the
       internal seccomp filter state, prepares it for use, and sets the
       default action based on the def_action parameter.  The seccomp_init()
       function must be called before any other libseccomp functions as the
       rest of the library API will fail if the filter context is not
       initialized properly.  The seccomp_reset() function releases the
       existing filter context state before reinitializing it and can only
       be called after a call to seccomp_init() has succeeded.

       When the caller is finished configuring the seccomp filter and has
       loaded it into the kernel, the caller should call seccomp_release(3)
       to release all of the filter context state.

       Valid def_action values are as follows:

              The thread will be terminated by the kernel with SIGSYS when
              it calls a syscall that does not match any of the configured
              seccomp filter rules.  The thread will not be able to catch
              the signal.

              The thread will be sent a SIGSYS signal when it calls a
              syscall that does not match any of the configured seccomp
              filter rules.  It may catch this and change its behavior
              accordingly.  When using SA_SIGINFO with sigaction(2), si_code
              will be set to SYS_SECCOMP, si_syscall will be set to the
              syscall that failed the rules, and si_arch will be set to the
              AUDIT_ARCH for the active ABI.

       SCMP_ACT_ERRNO(uint16_t errno)
              The thread will receive a return value of errno when it calls
              a syscall that does not match any of the configured seccomp
              filter rules.

       SCMP_ACT_TRACE(uint16_t msg_num)
              If the thread is being traced and the tracing process
              specified the PTRACE_O_TRACESECCOMP option in the call to
              ptrace(2), the tracing process will be notified, via
              PTRACE_EVENT_SECCOMP, and the value provided in msg_num can be
              retrieved using the PTRACE_GETEVENTMSG option.

              The seccomp filter will have no effect on the thread calling
              the syscall if it does not match any of the configured seccomp
              filter rules.

RETURN VALUE         top

       The seccomp_init() function returns a filter context on success, NULL
       on failure.  The seccomp_reset() function returns zero on success,
       negative errno values on failure.

EXAMPLES         top

       #include <seccomp.h>

       int main(int argc, char *argv[])
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* ... */

            rc = seccomp_reset(ctx, SCMP_ACT_KILL);
            if (rc < 0)
                 goto out;

            /* ... */

            return -rc;

NOTES         top

       While the seccomp filter can be generated independent of the kernel,
       kernel support is required to load and enforce the seccomp filter
       generated by libseccomp.

       The libseccomp project site, with more information and the source
       code repository, can be found at  This tool, as well as the
       libseccomp library, is currently under development, please report any
       bugs at the project site or directly to the author.

AUTHOR         top

       Paul Moore <>

SEE ALSO         top


COLOPHON         top

       This page is part of the libseccomp (high-level API to the Linux
       Kernel's seccomp filter) project.  Information about the project can
       be found at ⟨⟩.  If you have a
       bug report for this manual page, see 
       ⟨⟩.  This page was
       obtained from the project's upstream Git repository 
       ⟨⟩ on 2017-09-15.  If you dis‐
       cover any rendering problems in this HTML version of the page, or you
       believe there is a better or more up-to-date source for the page, or
       you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a mail
       to             25 July 2012                 seccomp_init(3)

Pages that refer to this page: seccomp(2)seccomp_arch_add(3)seccomp_attr_set(3)seccomp_export_bpf(3)seccomp_load(3)seccomp_merge(3)seccomp_release(3)seccomp_rule_add(3)