1 | /** |
2 | * Seccomp System Interfaces | |
3 | * | |
4 | * Copyright (c) 2012 Red Hat <pmoore@redhat.com> | |
5 | * Author: Paul Moore <paul@paul-moore.com> | |
6 | */ | |
7 | ||
8 | /* | |
9 | * This library is free software; you can redistribute it and/or modify it | |
10 | * under the terms of version 2.1 of the GNU Lesser General Public License as | |
11 | * published by the Free Software Foundation. | |
12 | * | |
13 | * This library is distributed in the hope that it will be useful, but WITHOUT | |
14 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
15 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License | |
16 | * for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU Lesser General Public License | |
19 | * along with this library; if not, see <http://www.gnu.org/licenses>. | |
20 | */ | |
21 | ||
22 | #ifndef _SYSTEM_H | |
23 | #define _SYSTEM_H | |
24 | ||
25 | #include <linux/filter.h> | |
26 | #include <sys/prctl.h> | |
27 | ||
28 | #include "configure.h" | |
29 | ||
30 | /* NOTE: this was taken from the Linux Kernel sources */ | |
31 | #define MAX_ERRNO 4095 | |
32 | ||
33 | struct db_filter_col; | |
34 | ||
35 | #ifdef HAVE_LINUX_SECCOMP_H | |
36 | ||
37 | /* system header file */ | |
38 | #include <linux/seccomp.h> | |
39 | ||
40 | #else | |
41 | ||
42 | /* NOTE: the definitions below were taken from the Linux Kernel sources */ | |
43 | #include <linux/types.h> | |
44 | ||
45 | /* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */ | |
46 | #define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */ | |
47 | #define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */ | |
48 | #define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ | |
49 | ||
50 | /* | |
51 | * All BPF programs must return a 32-bit value. | |
52 | * The bottom 16-bits are for optional return data. | |
53 | * The upper 16-bits are ordered from least permissive values to most. | |
54 | * | |
55 | * The ordering ensures that a min_t() over composed return values always | |
56 | * selects the least permissive choice. | |
57 | */ | |
58 | #define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */ | |
59 | #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */ | |
60 | #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */ | |
61 | #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */ | |
62 | #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ | |
63 | ||
64 | /* Masks for the return value sections. */ | |
65 | #define SECCOMP_RET_ACTION 0x7fff0000U | |
66 | #define SECCOMP_RET_DATA 0x0000ffffU | |
67 | ||
68 | /** | |
69 | * struct seccomp_data - the format the BPF program executes over. | |
70 | * @nr: the system call number | |
71 | * @arch: indicates system call convention as an AUDIT_ARCH_* value | |
72 | * as defined in <linux/audit.h>. | |
73 | * @instruction_pointer: at the time of the system call. | |
74 | * @args: up to 6 system call arguments always stored as 64-bit values | |
75 | * regardless of the architecture. | |
76 | */ | |
77 | struct seccomp_data { | |
78 | int nr; | |
79 | __u32 arch; | |
80 | __u64 instruction_pointer; | |
81 | __u64 args[6]; | |
82 | }; | |
83 | ||
84 | #endif /* HAVE_LINUX_SECCOMP_H */ | |
85 | ||
86 | /* rename some of the socket filter types to make more sense */ | |
87 | typedef struct sock_filter bpf_instr_raw; | |
88 | ||
89 | /* no new privs definitions */ | |
90 | #ifndef PR_SET_NO_NEW_PRIVS | |
91 | #define PR_SET_NO_NEW_PRIVS 38 | |
92 | #endif | |
93 | ||
94 | #ifndef PR_GET_NO_NEW_PRIVS | |
95 | #define PR_GET_NO_NEW_PRIVS 39 | |
96 | #endif | |
97 | ||
98 | /* operations for the seccomp() syscall */ | |
99 | #ifndef SECCOMP_SET_MODE_STRICT | |
100 | #define SECCOMP_SET_MODE_STRICT 0 | |
101 | #endif | |
102 | #ifndef SECCOMP_SET_MODE_FILTER | |
103 | #define SECCOMP_SET_MODE_FILTER 1 | |
104 | #endif | |
105 | ||
106 | /* flags for the seccomp() syscall */ | |
107 | #ifndef SECCOMP_FILTER_FLAG_TSYNC | |
108 | #define SECCOMP_FILTER_FLAG_TSYNC 1 | |
109 | #endif | |
110 | ||
111 | int sys_chk_seccomp_syscall(void); | |
112 | int sys_chk_seccomp_flag(int flag); | |
113 | ||
114 | int sys_filter_load(const struct db_filter_col *col); | |
115 | ||
116 | #endif |