seccomp_transaction_start(3) — Linux manual page


seccomp_...ion_start(3)  libseccomp Documentation seccomp_...ion_start(3)

NAME

       seccomp_transaction_start, seccomp_transaction_commit,
       seccomp_transaction_reject - Manage seccomp filter transactions

SYNOPSIS

       #include <seccomp.h>

       typedef void * scmp_filter_ctx;

       int seccomp_transaction_start(scmp_filter_ctx ctx);
       int seccomp_transaction_commit(scmp_filter_ctx ctx);
       void seccomp_transaction_reject(scmp_filter_ctx ctx);

       Link with -lseccomp.

DESCRIPTION

       The seccomp_transaction_start() function starts a new seccomp
       filter transaction that the caller can use to perform any number
       of filter modifications which can then be committed to the filter
       using seccomp_transaction_commit() or rejected using
       seccomp_transaction_reject().  It is important to note that
       transactions only affect the seccomp filter state while it is
       being managed by libseccomp; seccomp filters which have been
       loaded into the kernel cannot be modified, only new seccomp
       filters can be added on top of the existing loaded filter stack.

       Finishing, or committing, a transaction is optional, although it
       is encouraged.  At any point in time, regardless of the
       transaction state, the seccomp filter is determined by all of the
       libseccomp operations performed on the filter up to that point.
       Committing a transaction simply flushes the transaction rollback
       marker of the current transaction making the filter changes
       permanent; rejecting a transaction rolls the filter state back to
       immediately before the transaction was started.

       Transactions can be nested arbitrarily deep, with the
       seccomp_transaction_commit() and seccomp_transaction_reject()
       functions always operating on the deepest, or most recently
       started, transaction.  A nested set of filter modifications, even
       if committed, is still subject to rejection by shallower, or older,
       transactions that have yet to be committed or rejected.

RETURN VALUE

       The seccomp_transaction_start() and seccomp_transaction_commit()
       functions return zero on success or one of the following error
       codes on failure:

       -ENOMEM
              The library was unable to allocate enough memory.

EXAMPLES

       #include <seccomp.h>

       /* Add the rules that make up one logical change; any failure is
        * returned to the caller so the whole change can be rejected. */
       int libseccomp_generate(scmp_filter_ctx ctx)
       {
            int rc;

            rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
            if (rc)
                 return rc;
            rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
            if (rc)
                 return rc;
            rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
            if (rc)
                 return rc;

            return 0;
       }

       int main(int argc, char *argv[])
       {
            int rc = -1;
            scmp_filter_ctx ctx;

            ctx = seccomp_init(SCMP_ACT_KILL);
            if (ctx == NULL)
                 goto out;

            /* wrap the rule additions in a transaction so that a partial
             * failure leaves the filter exactly as it was before */
            rc = seccomp_transaction_start(ctx);
            if (rc)
                 goto out;
            rc = libseccomp_generate(ctx);
            if (rc == 0) {
                 rc = seccomp_transaction_commit(ctx);
                 if (rc)
                      goto out;
            } else
                 seccomp_transaction_reject(ctx);

            /* ... */

       out:
            seccomp_release(ctx);
            return -rc;
       }

NOTES

       While the seccomp filter can be generated independent of the
       kernel, kernel support is required to load and enforce the seccomp
       filter generated by libseccomp.

       The libseccomp project site, with more information and the source
       code repository, can be found at
       https://github.com/seccomp/libseccomp.  This tool, as well as the
       libseccomp library, is currently under development; please report
       any bugs at the project site or directly to the author.

AUTHOR

       Paul Moore <paul@paul-moore.com>

SEE ALSO

       seccomp_init(3)

COLOPHON

       This page is part of the libseccomp (high-level API to the Linux
       Kernel's seccomp filter) project.  Information about the project
       can be found at ⟨https://github.com/seccomp/libseccomp⟩.  If you
       have a bug report for this manual page, see
       ⟨https://groups.google.com/d/forum/libseccomp⟩.  This page was
       obtained from the project's upstream Git repository
       ⟨https://github.com/seccomp/libseccomp⟩ on 2025-02-02.  (At that
       time, the date of the most recent commit that was found in the
       repository was 2025-01-27.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

paul@paul-moore.com         21 September 2023     seccomp_...ion_start(3)