package Linux::Seccomp;

use 5.014000;
use strict;
use warnings;
use Carp;

require Exporter;
# AutoLoader is loaded but its AUTOLOAD is not imported (no import
# list); this module defines its own AUTOLOAD further down.
use AutoLoader;

# Exporter supplies import(); the export lists themselves are declared below.
our @ISA = ('Exporter');
12 | ||
# System calls for which both a real (__NR_*) and a pseudo (__PNR_*)
# syscall-number constant is exported. The two prefixes are applied
# when the macros list is assembled below, real numbers first.
my @SYSCALL_NAMES = qw(
    _llseek
    _newselect
    _sysctl
    accept
    accept4
    access
    afs_syscall
    alarm
    arch_prctl
    arm_fadvise64_64
    arm_sync_file_range
    bdflush
    bind
    break
    breakpoint
    cachectl
    cacheflush
    chmod
    chown
    chown32
    connect
    creat
    create_module
    dup2
    epoll_create
    epoll_ctl_old
    epoll_wait
    epoll_wait_old
    eventfd
    fadvise64
    fadvise64_64
    fchown32
    fcntl64
    fork
    fstat64
    fstatat64
    fstatfs64
    ftime
    ftruncate64
    futimesat
    get_kernel_syms
    get_mempolicy
    get_thread_area
    getdents
    getegid32
    geteuid32
    getgid32
    getgroups32
    getpeername
    getpgrp
    getpmsg
    getrandom
    getresgid32
    getresuid32
    getrlimit
    getsockname
    getsockopt
    getuid32
    gtty
    idle
    inotify_init
    ioperm
    iopl
    ipc
    kexec_file_load
    lchown
    lchown32
    link
    listen
    lock
    lstat
    lstat64
    mbind
    membarrier
    memfd_create
    migrate_pages
    mkdir
    mknod
    mmap
    mmap2
    modify_ldt
    move_pages
    mpx
    msgctl
    msgget
    msgrcv
    msgsnd
    multiplexer
    newfstatat
    nfsservctl
    nice
    oldfstat
    oldlstat
    oldolduname
    oldstat
    olduname
    oldwait4
    open
    pause
    pciconfig_iobase
    pciconfig_read
    pciconfig_write
    pipe
    poll
    prof
    profil
    putpmsg
    query_module
    readdir
    readlink
    recv
    recvfrom
    recvmmsg
    recvmsg
    rename
    rmdir
    rtas
    s390_pci_mmio_read
    s390_pci_mmio_write
    s390_runtime_instr
    security
    select
    semctl
    semget
    semop
    semtimedop
    send
    sendfile64
    sendmmsg
    sendmsg
    sendto
    set_mempolicy
    set_thread_area
    set_tls
    setfsgid32
    setfsuid32
    setgid32
    setgroups32
    setregid32
    setresgid32
    setresuid32
    setreuid32
    setsockopt
    setuid32
    sgetmask
    shmat
    shmctl
    shmdt
    shmget
    shutdown
    sigaction
    signal
    signalfd
    sigpending
    sigprocmask
    sigreturn
    sigsuspend
    socket
    socketcall
    socketpair
    spu_create
    spu_run
    ssetmask
    stat
    stat64
    statfs64
    stime
    stty
    subpage_prot
    swapcontext
    switch_endian
    symlink
    sync_file_range
    sync_file_range2
    sys_debug_setcontext
    syscall
    sysfs
    sysmips
    time
    timerfd
    truncate64
    tuxcall
    ugetrlimit
    ulimit
    umount
    unlink
    uselib
    userfaultfd
    usr26
    usr32
    ustat
    utime
    utimes
    vfork
    vm86
    vm86old
    vserver
    waitpid
);

# Export groups. "functions" are the plain Perl-callable helpers;
# "macros" are the C-level constants resolved through AUTOLOAD/constant():
# filter actions, arch tokens, comparison operators, filter attributes,
# library version parts and the syscall-number constants.
our %EXPORT_TAGS = (
    functions => [ qw(
        arch_native
        arch_resolve_name
        syscall_resolve_name
        syscall_resolve_name_arch
        syscall_resolve_name_rewrite
        syscall_resolve_num_arch
        version
    ) ],

    macros => [
        qw(
            SCMP_ACT_ALLOW
            SCMP_ACT_ERRNO
            SCMP_ACT_KILL
            SCMP_ACT_TRACE
            SCMP_ACT_TRAP
            SCMP_ARCH_AARCH64
            SCMP_ARCH_ARM
            SCMP_ARCH_MIPS
            SCMP_ARCH_MIPS64
            SCMP_ARCH_MIPS64N32
            SCMP_ARCH_MIPSEL
            SCMP_ARCH_MIPSEL64
            SCMP_ARCH_MIPSEL64N32
            SCMP_ARCH_NATIVE
            SCMP_ARCH_PPC
            SCMP_ARCH_PPC64
            SCMP_ARCH_PPC64LE
            SCMP_ARCH_S390
            SCMP_ARCH_S390X
            SCMP_ARCH_X32
            SCMP_ARCH_X86
            SCMP_ARCH_X86_64
            SCMP_CMP_EQ
            SCMP_CMP_GE
            SCMP_CMP_GT
            SCMP_CMP_LE
            SCMP_CMP_LT
            SCMP_CMP_MASKED_EQ
            SCMP_CMP_NE
            SCMP_FLTATR_ACT_BADARCH
            SCMP_FLTATR_ACT_DEFAULT
            SCMP_FLTATR_CTL_NNP
            SCMP_FLTATR_CTL_TSYNC
            SCMP_VER_MAJOR
            SCMP_VER_MICRO
            SCMP_VER_MINOR
            _SCMP_CMP_MAX
            _SCMP_CMP_MIN
            _SCMP_FLTATR_MAX
            _SCMP_FLTATR_MIN
            __NR_SCMP_ERROR
            __NR_SCMP_UNDEF
        ),
        # Real syscall numbers, then the pseudo numbers, in the same order.
        (map "__NR_$_",  @SYSCALL_NAMES),
        (map "__PNR_$_", @SYSCALL_NAMES),
    ],
);
463 | ||
# The :all tag is the functions followed by the macros. Only the macros
# are exported by default; the functions must be requested explicitly.
$EXPORT_TAGS{all} = [ map { @$_ } @EXPORT_TAGS{qw(functions macros)} ];
our @EXPORT_OK = @{ $EXPORT_TAGS{all} };
our @EXPORT    = @{ $EXPORT_TAGS{macros} };
467 | ||
# $VERSION is assigned at compile time because the XSLoader::load()
# BEGIN block below reads it while this file is still being compiled.
our $VERSION;
BEGIN { $VERSION = '0.002001' }
472 | ||
# Resolve a constant (SCMP_*, __NR_*, __PNR_*) the first time it is
# called: look it up through the XS constant() function and install a
# real sub under that name so later calls never come back here.
# Croaks when the name is 'constant' itself or when constant() reports
# an error (e.g. the name is not a known constant).
sub AUTOLOAD {
    our $AUTOLOAD;
    my $name = $AUTOLOAD;
    # Strip the package qualifier, keeping everything after the last '::'.
    my $sep = rindex $name, '::';
    $name = substr $name, $sep + 2 if $sep >= 0;
    croak "&Linux::Seccomp::constant not defined" if $name eq 'constant';
    my ($error, $value) = constant($name);
    croak $error if $error;
    {
        no strict 'refs';
        *$AUTOLOAD = sub { $value };
    }
    goto &$AUTOLOAD;
}
486 | ||
# Bind the XS half of the module at compile time, before the subs below
# are parsed; the functions this file calls but does not define (init,
# constant, make_arg_cmp, rule_add_array, ...) presumably come from it.
BEGIN {
    require XSLoader;
    XSLoader::load(__PACKAGE__, $VERSION);
}
491 | ||
# Linux::Seccomp->new($def_action): create a filter whose default action
# for unmatched syscalls is $def_action. The class name is ignored — the
# object is whatever the XS init() returns, so subclassing is not
# supported here (NOTE(review): confirm what init() blesses into).
sub new {
    my (undef, $def_action) = @_;
    return init($def_action);
}
496 | ||
# Release the underlying libseccomp filter context when the Perl object
# is destroyed.
sub DESTROY {
    my $self = shift;
    $self->release;
}
500 | ||
# Accepted spellings of each comparison operator in a rule_add constraint:
# the symbolic form ('!='), the two-letter form ('ne') and the SCMP_CMP_*
# constant itself, so an already-numeric operator maps to itself.
my %COMPARE_OP_TBL;
{
    my @operators = (
        [ SCMP_CMP_NE(),        '!=', 'ne' ],
        [ SCMP_CMP_LT(),        '<',  'lt' ],
        [ SCMP_CMP_LE(),        '<=', 'le' ],
        [ SCMP_CMP_EQ(),        '==', 'eq' ],
        [ SCMP_CMP_GE(),        '>=', 'ge' ],
        [ SCMP_CMP_GT(),        '>',  'gt' ],
        [ SCMP_CMP_MASKED_EQ(), '=~', 'me' ],
    );
    for my $entry (@operators) {
        my ($code, @spellings) = @$entry;
        $COMPARE_OP_TBL{$_} = $code for @spellings, $code;
    }
}
525 | ||
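# Convert the user-facing argument constraints of rule_add/rule_add_exact
# into the values expected by the XS layer (make_arg_cmp).
#
# Each constraint is an arrayref [$arg, $op, $datum_a, $datum_b?] (see the
# rule_add POD); $op may be an operator string ('==', 'eq', '=~', ...) or
# a SCMP_CMP_* constant, as listed in %COMPARE_OP_TBL.
# Returns an arrayref of make_arg_cmp results, one per constraint.
# Croaks when a constraint is not an arrayref with at least three
# elements, or when $op has no mapping.
#
# The caller's arrayrefs are left untouched: the previous version wrote
# the numeric operator back into $_->[1], silently changing the caller's
# data when a constraint list was reused or inspected afterwards.
sub _mangle_rule_add_args {
    my @converted;
    for my $constraint (@_) {
        croak "Argument constraint must be an arrayref [\$arg, \$op, \$datum_a, \$datum_b] with a defined \$op"
            unless ref $constraint eq 'ARRAY' && @$constraint >= 3 && defined $constraint->[1];
        my ($arg, $op, @data) = @$constraint;
        my $cmp = $COMPARE_OP_TBL{$op};
        croak "No mapping for compare operator '$op'" unless defined $cmp;
        # Pass the remaining data through unchanged so 3- and 4-element
        # constraints both reach make_arg_cmp as written by the caller.
        push @converted, make_arg_cmp($arg, $cmp, @data);
    }
    return \@converted;
}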
534 | ||
# $ctx->rule_add($action, $syscall, @constraints): add a rule taking
# $action when syscall number $syscall is invoked with arguments matching
# @constraints (each an arrayref, see _mangle_rule_add_args).
sub rule_add {
    my ($self, $action, $syscall, @constraints) = @_;
    return rule_add_array($self, $action, $syscall, _mangle_rule_add_args(@constraints));
}
538 | ||
# $ctx->rule_add_exact($action, $syscall, @constraints): same calling
# convention as rule_add, dispatched to the XS rule_add_exact_array.
sub rule_add_exact {
    my ($self, $action, $syscall, @constraints) = @_;
    return rule_add_exact_array($self, $action, $syscall, _mangle_rule_add_args(@constraints));
}
542 | ||
1; # require/use must see a true value from this file
544 | __END__ | |
545 | ||
546 | =encoding utf-8 | |
547 | ||
548 | =head1 NAME | |
549 | ||
550 | Linux::Seccomp - Interface to libseccomp Linux syscall filtering library | |
551 | ||
552 | =head1 SYNOPSIS | |
553 | ||
554 | use Linux::Seccomp ':all'; | |
555 | my $ctx = Linux::Seccomp->new(SCMP_ACT_ALLOW); | |
556 | # Block writes to STDERR | |
557 | $ctx->rule_add(SCMP_ACT_KILL, syscall_resolve_name('write'), [0, '==', 2]); | |
558 | $ctx->load; | |
559 | $| = 1; | |
560 | print STDOUT "Hello world!\n"; # works | |
561 | print STDERR "Goodbye world!\n"; # Killed | |
562 | print STDOUT "Hello again world!\n"; # never reached | |
563 | ||
564 | =head1 DESCRIPTION | |
565 | ||
566 | Secure Computing (seccomp) is Linux's system call filtering mechanism. | |
567 | It can operate in two modes: I<strict>, where only a very small | |
568 | number of system calls are allowed, and the more modern I<filter> | |
569 | mode (seccomp mode 2), which permits advanced filtering of system calls. | |
570 | This module is only concerned with the latter. | |
571 | ||
572 | Linux::Seccomp is a Perl interface to the | |
573 | L<libseccomp|https://github.com/seccomp/libseccomp> library which | |
574 | provides a simple way to use seccomp mode 2. | |
575 | ||
576 | It should be mentioned that this module is not production-ready at the | |
577 | moment -- work needs to be done to port the libseccomp testsuite and | |
578 | the documentation needs to be improved. | |
579 | ||
580 | Basic usage of this module is straightforward: Create a filter using | |
581 | the B<new> method, add rules to it using the B<rule_add> method | |
582 | several times, and finally load the filter into the kernel using the | |
583 | B<load> method. An example of this can be seen in the SYNOPSIS. | |
584 | ||
585 | =head1 METHODS | |
586 | ||
587 | Most methods die on error. | |
588 | ||
589 | =over | |
590 | ||
591 | =item I<$ctx> = Linux::Seccomp->B<new>(I<$def_action>) | |
592 | ||
593 | Creates a new C<Linux::Seccomp> filter, with the default action for | |
594 | unhandled syscalls being I<$def_action>. Possible values for | |
595 | I<$def_action> are: | |
596 | ||
597 | =over | |
598 | ||
599 | =item SCMP_ACT_KILL | |
600 | ||
601 | The thread will be terminated by the kernel with SIGSYS when it calls | |
602 | a syscall that does not match any of the configured seccomp filter | |
603 | rules. The thread will not be able to catch the signal. | |
604 | ||
605 | =item SCMP_ACT_TRAP | |
606 | ||
607 | The thread will be sent a SIGSYS signal when it calls a syscall that | |
608 | does not match any of the configured seccomp filter rules. It may | |
609 | catch this and change its behavior accordingly. When using SA_SIGINFO | |
610 | with L<sigaction(2)>, si_code will be set to SYS_SECCOMP, si_syscall | |
611 | will be set to the syscall that failed the rules, and si_arch will be | |
612 | set to the AUDIT_ARCH for the active ABI. | |
613 | ||
614 | =item SCMP_ACT_ERRNO(I<$errno>) | |
615 | ||
616 | The thread will receive a return value of I<$errno> when it calls a | |
617 | syscall that does not match any of the configured seccomp filter | |
618 | rules. | |
619 | ||
620 | =item SCMP_ACT_TRACE(I<$msg_num>) | |
621 | ||
622 | If the thread is being traced and the tracing process specified the | |
623 | PTRACE_O_TRACESECCOMP option in the call to L<ptrace(2)>, the tracing | |
624 | process will be notified, via PTRACE_EVENT_SECCOMP, and the value | |
625 | provided in msg_num can be retrieved using the PTRACE_GETEVENTMSG | |
626 | option. | |
627 | ||
628 | =item SCMP_ACT_ALLOW | |
629 | ||
630 | The seccomp filter will have no effect on the thread calling the | |
631 | syscall if it does not match any of the configured seccomp filter | |
632 | rules. | |
633 | ||
634 | =back | |
635 | ||
636 | See L<seccomp_init(3)>. | |
637 | ||
638 | =item I<$ctx>->B<rule_add>(I<$action>, I<$syscall>, I<@args>) | |
639 | ||
640 | Adds a rule to the filter. If a system call with number I<$syscall> | |
641 | whose arguments match I<@args> is called, I<$action> will be taken. | |
642 | ||
643 | I<$action> can be any of the C<SCMP_ACT_*> macros listed above. | |
644 | ||
645 | I<@args> is a list of 0 or more constraints on the arguments to the | |
646 | syscall. Each constraint is an arrayref with 3 or 4 elements: C<[$arg, | |
647 | $op, $datum_a, $datum_b]> where I<$arg> is the index (starting at 0) | |
648 | of the syscall argument being compared. I<$op> is one of: | |
649 | ||
650 | =over | |
651 | ||
652 | =item SCMP_CMP_NE | |
653 | ||
654 | =item '!=' | |
655 | ||
656 | =item 'ne' | |
657 | ||
658 | Matches when the argument value is not equal to I<$datum_a>. | |
659 | ||
660 | =item SCMP_CMP_LT | |
661 | ||
662 | =item '<' | |
663 | ||
664 | =item 'lt' | |
665 | ||
666 | Matches when the argument value is less than I<$datum_a>. | |
667 | ||
668 | =item SCMP_CMP_LE | |
669 | ||
670 | =item '<=' | |
671 | ||
672 | =item 'le' | |
673 | ||
674 | Matches when the argument value is less than or equal to I<$datum_a>. | |
675 | ||
676 | =item SCMP_CMP_EQ | |
677 | ||
678 | =item '==' | |
679 | ||
680 | =item 'eq' | |
681 | ||
682 | Matches when the argument value is equal to I<$datum_a>. | |
683 | ||
684 | =item SCMP_CMP_GE | |
685 | ||
686 | =item '>=' | |
687 | ||
688 | =item 'ge' | |
689 | ||
690 | Matches when the argument value is greater than or equal to I<$datum_a>. | |
691 | ||
692 | =item SCMP_CMP_GT | |
693 | ||
694 | =item '>' | |
695 | ||
696 | =item 'gt' | |
697 | ||
698 | Matches when the argument value is greater than I<$datum_a>. | |
699 | ||
700 | =item SCMP_CMP_MASKED_EQ | |
701 | ||
702 | =item '=~' | |
703 | ||
704 | =item 'me' | |
705 | ||
706 | Matches when the argument value masked with I<$datum_a> is equal to I<$datum_b> masked with I<$datum_a>. | |
707 | ||
708 | =back | |
709 | ||
710 | See L<seccomp_rule_add(3)>. | |
711 | ||
712 | =item I<$ctx>->B<arch_add>(I<$arch_token>) | |
713 | ||
714 | Add an architecture to the filter. The native architecture is added by | |
715 | default. | |
716 | See L<seccomp_arch_add(3)>. | |
717 | ||
718 | =item I<$ctx>->B<arch_exists>(I<$arch_token>) | |
719 | ||
720 | Returns true if the given architecture is in the filter, false | |
721 | otherwise. | |
722 | See L<seccomp_arch_add(3)>. | |
723 | ||
724 | =item I<$ctx>->B<arch_remove>(I<$arch_token>) | |
725 | ||
726 | Removes an architecture from the filter. | |
727 | See L<seccomp_arch_add(3)>. | |
728 | ||
729 | =item I<$ctx>->B<attr_get>(I<$attr>) | |
730 | ||
731 | Returns the value of an attribute. The attributes are: | |
732 | ||
733 | =over | |
734 | ||
735 | =item SCMP_FLTATR_ACT_DEFAULT | |
736 | ||
737 | The default filter action as specified in the call to B<new>. Read-only. | |
738 | ||
739 | =item SCMP_FLTATR_ACT_BADARCH | |
740 | ||
741 | The filter action taken when the loaded filter does not match the | |
742 | architecture of the executing application. Defaults to SCMP_ACT_KILL. | |
743 | ||
744 | =item SCMP_FLTATR_CTL_NNP | |
745 | ||
746 | Specifies whether to turn on NO_NEW_PRIVS functionality when B<load> | |
747 | is called. Defaults to 1 (on). If this flag is turned off then the | |
748 | calling process must have CAP_SYS_ADMIN (or else the call to B<load> | |
749 | will fail). | |
750 | ||
751 | =item SCMP_FLTATR_CTL_TSYNC | |
752 | ||
753 | Specifies whether the kernel should synchronize the filters across | |
754 | all threads when B<load> is called. Defaults to 0 (off). | |
755 | ||
756 | =back | |
757 | ||
758 | See L<seccomp_attr_get(3)>. | |
759 | ||
760 | =item I<$ctx>->B<attr_set>(I<$attr>, I<$value>) | |
761 | ||
762 | Sets an attribute to the given value. The attributes are the ones from | |
763 | the list above except for SCMP_FLTATR_ACT_DEFAULT which is read-only. | |
764 | See L<seccomp_attr_get(3)>. | |
765 | ||
766 | =item I<$ctx>->B<export_bpf>(I<$fh>) | |
767 | ||
768 | Writes the BPF (Berkeley Packet Filter) representation of the filter | |
769 | to the given file handle. | |
770 | See L<seccomp_export_bpf(3)>. | |
771 | ||
772 | =item I<$ctx>->B<export_pfc>(I<$fh>) | |
773 | ||
774 | Writes the PFC (Pseudo Filter Code) representation of the filter to | |
775 | the given file handle. | |
776 | See L<seccomp_export_bpf(3)>. | |
777 | ||
778 | =item I<$ctx>->B<load> | |
779 | ||
780 | Loads the filter into the kernel. | |
781 | See L<seccomp_load(3)>. | |
782 | ||
783 | =back | |
784 | ||
785 | =head1 FUNCTIONS | |
786 | ||
787 | None exported by default. These functions die on error. | |
788 | ||
789 | =over | |
790 | ||
791 | =item B<arch_native> | |
792 | ||
793 | Returns the arch token for the native architecture. | |
794 | See L<seccomp_arch_add(3)>. | |
795 | ||
796 | =item B<arch_resolve_name>(I<$arch_name>) | |
797 | ||
798 | Returns the arch token for a named architecture. | |
799 | See L<seccomp_arch_add(3)>. | |
800 | ||
801 | =item B<syscall_resolve_name>(I<$name>) | |
802 | ||
803 | Resolves a system call name to its number for the native architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall. | |
804 | See L<seccomp_syscall_resolve_name(3)>. | |
805 | ||
806 | =item B<syscall_resolve_name_arch>(I<$arch_token>, I<$name>) | |
807 | ||
808 | Resolves a system call name to its number for a given architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall. | |
809 | See L<seccomp_syscall_resolve_name(3)>. | |
810 | ||
811 | =item B<syscall_resolve_name_rewrite>(I<$arch_token>, I<$name>) | |
812 | ||
813 | Resolves a system call name to its number for a given architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall. In contrast to the previous function, this function tries to obtain the actual syscall number in cases where the previous function would return a pseudo syscall number. | |
814 | See L<seccomp_syscall_resolve_name(3)>. | |
815 | ||
816 | =item B<syscall_resolve_num_arch>(I<$arch_token>, I<$num>) | |
817 | ||
818 | Returns the name of the system call with the given number on the given architecture. | |
819 | See L<seccomp_syscall_resolve_name(3)>. | |
820 | ||
821 | =item B<version> | |
822 | ||
823 | Returns the version of libseccomp as a three-element arrayref: | |
824 | [$major_version, $minor_version, $micro_version]. | |
825 | ||
826 | =back | |
827 | ||
828 | =head1 CONSTANTS | |
829 | ||
830 | All exported by default. Most of the SCMP_ constants were seen above. | |
831 | Here is a list of all of them: | |
832 | ||
833 | SCMP_ACT_ALLOW | |
834 | SCMP_ACT_KILL | |
835 | SCMP_ACT_TRAP | |
836 | SCMP_ARCH_AARCH64 | |
837 | SCMP_ARCH_ARM | |
838 | SCMP_ARCH_MIPS | |
839 | SCMP_ARCH_MIPS64 | |
840 | SCMP_ARCH_MIPS64N32 | |
841 | SCMP_ARCH_MIPSEL | |
842 | SCMP_ARCH_MIPSEL64 | |
843 | SCMP_ARCH_MIPSEL64N32 | |
844 | SCMP_ARCH_NATIVE | |
845 | SCMP_ARCH_PPC | |
846 | SCMP_ARCH_PPC64 | |
847 | SCMP_ARCH_PPC64LE | |
848 | SCMP_ARCH_S390 | |
849 | SCMP_ARCH_S390X | |
850 | SCMP_ARCH_X32 | |
851 | SCMP_ARCH_X86 | |
852 | SCMP_ARCH_X86_64 | |
853 | SCMP_CMP_EQ | |
854 | SCMP_CMP_GE | |
855 | SCMP_CMP_GT | |
856 | SCMP_CMP_LE | |
857 | SCMP_CMP_LT | |
858 | SCMP_CMP_MASKED_EQ | |
859 | SCMP_CMP_NE | |
860 | SCMP_FLTATR_ACT_BADARCH | |
861 | SCMP_FLTATR_ACT_DEFAULT | |
862 | SCMP_FLTATR_CTL_NNP | |
863 | SCMP_FLTATR_CTL_TSYNC | |
864 | SCMP_VER_MAJOR | |
865 | SCMP_VER_MICRO | |
866 | SCMP_VER_MINOR | |
867 | ||
868 | Besides the SCMP_ constants, the module also provides a long list of | |
869 | __NR_syscall and __PNR_syscall constants that represent real and | |
870 | pseudo syscall numbers for many common system calls. A full list can | |
871 | be found in the source code of this module. See also the | |
872 | B<syscall_resolve_name> family of functions above which is more | |
873 | flexible than this set of constants. | |
874 | ||
875 | =head1 SEE ALSO | |
876 | ||
877 | L<https://github.com/seccomp/libseccomp> | |
878 | ||
879 | =head1 AUTHOR | |
880 | ||
881 | Marius Gavrilescu, E<lt>marius@ieval.roE<gt> | |
882 | ||
883 | =head1 COPYRIGHT AND LICENSE | |
884 | ||
885 | Copyright (C) 2016 by Marius Gavrilescu | |
886 | ||
887 | This library is free software; you can redistribute it and/or modify | |
888 | it under the same terms as Perl itself, either Perl version 5.24.0 or, | |
889 | at your option, any later version of Perl 5 you may have available. | |
890 | ||
891 | ||
892 | =cut |