Stability	provisional
Portability	non-portable (requires Linux)
Safe Haskell	Safe
Language	Haskell2010

System.Linux.Seccomp

Description

This module provides partial bindings to libseccomp. It is very low level, modelled closely after the c library.

Missing:

arch support
name resolving for syscalls (we have an enum)

Simple example: The following kills all systemcalls other than opening a file for readonly:

ctx <- S.seccomp_init S.SCMP_ACT_KILL
_ <- S.seccomp_rule_add_array ctx S.SCMP_ACT_KILL S.SCopen [S.ArgCmp 1 S.MASQUED_EQ 0x3 0x1]
_ <- S.seccomp_load ctx
S.seccomp_release ctx

For debugging it's useful to dump a text representation of the filter context to stderr (file descriptor number 2):

S.seccomp_export_pfc ctx 2

Documentation

seccomp_init :: Action -> IO (Ptr CFilterCtx) Source

seccomp_reset :: Ptr CFilterCtx -> Action -> IO CInt Source

seccomp_rule_add_array :: Ptr CFilterCtx -> Action -> SysCall -> [ArgCmp] -> IO CInt Source

seccomp_load :: Ptr CFilterCtx -> IO CInt Source

seccomp_merge :: Ptr CFilterCtx -> Ptr CFilterCtx -> IO CInt Source

seccomp_export_pfc :: Ptr CFilterCtx -> Int -> IO CInt Source

seccomp_release :: Ptr CFilterCtx -> IO () Source

seccomp_syscall_priority :: Ptr CFilterCtx -> SysCall -> Word8 -> IO CInt Source

data Action Source

Constructors

SCMP_ACT_KILL
SCMP_ACT_TRAP
SCMP_ACT_ERRNO Int
SCMP_ACT_TRACE Int
SCMP_ACT_ALLOW

data SysCall Source

Constructors

SCsocket
SCbind
SCconnect
SClisten
SCaccept
SCgetsockname
SCgetpeername
SCsocketpair
SCsend
SCrecv
SCsendto
SCrecvfrom
SCshutdown
SCsetsockopt
SCgetsockopt
SCsendmsg
SCrecvmsg
SCaccept4
SCrecvmmsg
SCsendmmsg
SCsemop
SCsemget
SCsemctl
SCsemtimedop
SCmsgsnd
SCmsgrcv
SCmsgget
SCmsgctl
SCshmat
SCshmdt
SCshmget
SCshmctl
SCarch_prctl
SCbdflush
SCbreak
SCchown32
SCepoll_ctl_old
SCepoll_wait_old
SCfadvise64_64
SCfchown32
SCfcntl64
SCfstat64
SCfstatat64
SCfstatfs64
SCftime
SCftruncate64
SCgetegid32
SCgeteuid32
SCgetgid32
SCgetgroups32
SCgetresgid32
SCgetresuid32
SCgetuid32
SCgtty
SCidle
SCipc
SClchown32
SC_llseek
SClock
SClstat64
SCmmap2
SCmpx
SCnewfstatat
SC_newselect
SCnice
SColdfstat
SColdlstat
SColdolduname
SColdstat
SColduname
SCprof
SCprofil
SCreaddir
SCsecurity
SCsendfile64
SCsetfsgid32
SCsetfsuid32
SCsetgid32
SCsetgroups32
SCsetregid32
SCsetresgid32
SCsetresuid32
SCsetreuid32
SCsetuid32
SCsgetmask
SCsigaction
SCsignal
SCsigpending
SCsigprocmask
SCsigreturn
SCsigsuspend
SCsocketcall
SCssetmask
SCstat64
SCstatfs64
SCstime
SCstty
SCtruncate64
SCtuxcall
SCugetrlimit
SCulimit
SCumount
SCvm86
SCvm86old
SCwaitpid
SCcreate_module
SCget_kernel_syms
SCget_thread_area
SCnfsservctl
SCquery_module
SCset_thread_area
SC_sysctl
SCuselib
SCvserver
SCarm_fadvise64_64
SCarm_sync_file_range
SCpciconfig_iobase
SCpciconfig_read
SCpciconfig_write
SCsync_file_range2
SCsyscall
SCafs_syscall
SCfadvise64
SCgetpmsg
SCioperm
SCiopl
SCmigrate_pages
SCmodify_ldt
SCputpmsg
SCsync_file_range
SCselect
SCvfork
SCcachectl
SCcacheflush
SCsysmips
SCtimerfd
SCtime
SCgetrandom
SCmemfd_create
SCkexec_file_load
SCsysfs
SColdwait4
SCaccess
SCalarm
SCchmod
SCchown
SCcreat
SCdup2
SCepoll_create
SCepoll_wait
SCeventfd
SCfork
SCfutimesat
SCgetdents
SCgetpgrp
SCinotify_init
SClchown
SClink
SClstat
SCmkdir
SCmknod
SCopen
SCpause
SCpipe
SCpoll
SCreadlink
SCrename
SCrmdir
SCsignalfd
SCstat
SCsymlink
SCunlink
SCustat
SCutime
SCutimes
SCgetrlimit
SCmmap
SCbreakpoint
SCset_tls
SCusr26
SCusr32

data ArgCmp Source

Constructors

ArgCmp
Fields argCmpPos :: Int argCmpOp :: ArgCmpOp argCmpDatumA :: Int argCmpDatumB :: Int

Instances

Storable ArgCmp Source

data ArgCmpOp Source

Constructors

NE
LT
LE
EQ
GE
GT
MASQUED_EQ