SeccompRuleView
Overview
SeccompRuleView is a non-owning view of a seccomp BPF filter.
It is usually obtained from an owning SeccompRule:
auto rule = unwrap_or_die(builder.build());
unwrap_or_die(rule.view().apply());
SeccompRuleView does not manage the lifetime of the filter storage. It only
refers to an existing filter and provides the apply() operation.
For details about ownership and lifetime, see SeccompRule.
Synopsis
class SeccompRuleView
{
public:
[[nodiscard]] std::expected<void, int> apply() noexcept;
};
apply
[[nodiscard]] std::expected<void, int> apply() noexcept;
Applies the referenced seccomp filter to the current process.
After this function succeeds, the filter is active and cannot be removed by the process. Any syscall not allowed by the filter is handled according to the terminal action chosen when the rule was built.
Requirements
no_new_privs must be enabled before applying a seccomp filter, unless the
process has the required privileges. In typical unprivileged programs, call
set_no_new_privs() before apply().
The referenced filter storage must remain valid for the duration of the call.
When the view is created from SeccompRule::view(), this means the owning
SeccompRule must still be alive.
Returns
Returns an empty std::expected on success, or a positive errno value on
failure.
Example
auto rule = unwrap_or_die(builder.build());
unwrap_or_die(rule.view().apply());