package Linux::Seccomp;
our @ISA = qw(Exporter);
syscall_resolve_name_arch
syscall_resolve_name_rewrite
syscall_resolve_num_arch
/ ],
SCMP_FLTATR_ACT_BADARCH
SCMP_FLTATR_ACT_DEFAULT
__NR_arm_sync_file_range
__NR_pciconfig_iobase
__NR_s390_pci_mmio_read
__NR_s390_pci_mmio_write
__NR_s390_runtime_instr
__NR_sync_file_range2
__NR_sys_debug_setcontext
__PNR_arm_fadvise64_64
__PNR_arm_sync_file_range
__PNR_get_kernel_syms
__PNR_get_thread_area
__PNR_kexec_file_load
__PNR_pciconfig_iobase
__PNR_pciconfig_write
__PNR_s390_pci_mmio_read
__PNR_s390_pci_mmio_write
__PNR_s390_runtime_instr
__PNR_set_thread_area
__PNR_sync_file_range
__PNR_sync_file_range2
__PNR_sys_debug_setcontext
$EXPORT_TAGS{all} = [@{$EXPORT_TAGS{functions}}, @{$EXPORT_TAGS{macros}}];
our @EXPORT_OK = @{$EXPORT_TAGS{all}};
our @EXPORT = @{$EXPORT_TAGS{macros}};
($constname = $AUTOLOAD) =~ s/.*:://;
croak "&Linux::Seccomp::constant not defined" if $constname eq 'constant';
my ($error, $val) = constant($constname);
if ($error) { croak $error; }
*$AUTOLOAD = sub { $val };
XSLoader::load('Linux::Seccomp', $VERSION);
my ($ign, $def_action) = @_;
my %COMPARE_OP_TBL = (
	'!=' => SCMP_CMP_NE(),
	'<'  => SCMP_CMP_LT(),
	'<=' => SCMP_CMP_LE(),
	'==' => SCMP_CMP_EQ(),
	'>=' => SCMP_CMP_GE(),
	'>'  => SCMP_CMP_GT(),
	'=~' => SCMP_CMP_MASKED_EQ(),
	me   => SCMP_CMP_MASKED_EQ(),
	SCMP_CMP_NE()        => SCMP_CMP_NE(),
	SCMP_CMP_LT()        => SCMP_CMP_LT(),
	SCMP_CMP_LE()        => SCMP_CMP_LE(),
	SCMP_CMP_EQ()        => SCMP_CMP_EQ(),
	SCMP_CMP_GE()        => SCMP_CMP_GE(),
	SCMP_CMP_GT()        => SCMP_CMP_GT(),
	SCMP_CMP_MASKED_EQ() => SCMP_CMP_MASKED_EQ(),
sub _mangle_rule_add_args {
	# map the user-supplied operator (string or SCMP_CMP_* value) to its SCMP_CMP_* constant
	$_->[1] = $COMPARE_OP_TBL{$op} or croak "No mapping for compare operator '$op'";
rule_add_array(shift, shift, shift, _mangle_rule_add_args(@_));
rule_add_exact_array(shift, shift, shift, _mangle_rule_add_args(@_));
Linux::Seccomp - Interface to libseccomp Linux syscall filtering library

use Linux::Seccomp ':all';
my $ctx = Linux::Seccomp->new(SCMP_ACT_ALLOW);
# Block writes to STDERR
$ctx->rule_add(SCMP_ACT_KILL, syscall_resolve_name('write'), [0, '==', 2]);
print STDOUT "Hello world!\n"; # works
print STDERR "Goodbye world!\n"; # Killed
print STDOUT "Hello again world!\n"; # never reached
Secure Computing (seccomp) is Linux's system call filtering mechanism.
This system can operate in two modes: I<strict>, where only a very
small number of system calls are allowed, and the more modern I<filter>
mode (or seccomp mode 2), which permits advanced filtering of system calls.
This module is only concerned with the latter.
Linux::Seccomp is a Perl interface to the
L<libseccomp|https://github.com/seccomp/libseccomp> library which
provides a simple way to use seccomp mode 2.

It should be mentioned that this module is not production-ready at the
moment -- work needs to be done to port the libseccomp testsuite and
the documentation needs to be improved.

Basic usage of this module is straightforward: Create a filter using
the B<new> method, add rules to it using the B<rule_add> method
several times, and finally load the filter into the kernel using the
B<load> method. An example of this can be seen in the SYNOPSIS.

Most methods die on error.
=item I<$ctx> = Linux::Seccomp->B<new>(I<$def_action>)
Creates a new C<Linux::Seccomp> filter, with the default action for
unhandled syscalls being I<$def_action>. Possible values for

The thread will be terminated by the kernel with SIGSYS when it calls
a syscall that does not match any of the configured seccomp filter
rules. The thread will not be able to catch the signal.

The thread will be sent a SIGSYS signal when it calls a syscall that
does not match any of the configured seccomp filter rules. It may
catch this and change its behavior accordingly. When using SA_SIGINFO
with L<sigaction(2)>, si_code will be set to SYS_SECCOMP, si_syscall
will be set to the syscall that failed the rules, and si_arch will be
set to the AUDIT_ARCH for the active ABI.

=item SCMP_ACT_ERRNO(I<$errno>)

The thread will receive a return value of I<$errno> when it calls a
syscall that does not match any of the configured seccomp filter

=item SCMP_ACT_TRACE(I<$msg_num>)

If the thread is being traced and the tracing process specified the
PTRACE_O_TRACESECCOMP option in the call to L<ptrace(2)>, the tracing
process will be notified, via PTRACE_EVENT_SECCOMP, and the value
provided in msg_num can be retrieved using the PTRACE_GETEVENTMSG

The seccomp filter will have no effect on the thread calling the
syscall if it does not match any of the configured seccomp filter

See L<seccomp_init(3)>.

=item I<$ctx>->B<rule_add>(I<$action>, I<$syscall>, I<@args>)

Adds a rule to the filter. If a system call with number I<$syscall>
whose arguments match I<@args> is called, I<$action> will be taken.

I<$action> can be any of the C<SCMP_ACT_*> macros listed above.

I<@args> is a list of 0 or more constraints on the arguments to the
syscall. Each constraint is an arrayref with 3 or 4 elements: C<[$arg,
$op, $datum_a, $datum_b]> where I<$arg> is the index of the argument
we are comparing. I<$op> is as follows:

Matches when the argument value is not equal to I<$datum_a>.

Matches when the argument value is less than I<$datum_a>.

Matches when the argument value is less than or equal to I<$datum_a>.

Matches when the argument value is equal to I<$datum_a>.

Matches when the argument value is greater than or equal to I<$datum_a>.

Matches when the argument value is greater than I<$datum_a>.

=item SCMP_CMP_MASKED_EQ

Matches when the argument value masked with I<$datum_a> is equal to I<$datum_b> masked with I<$datum_a>.

See L<seccomp_rule_add(3)>.

=item I<$ctx>->B<arch_add>(I<$arch_token>)

Add an architecture to the filter. The native architecture is added by
See L<seccomp_arch_add(3)>.

=item I<$ctx>->B<arch_exists>(I<$arch_token>)

Returns true if the given architecture is in the filter, false
See L<seccomp_arch_add(3)>.
=item I<$ctx>->B<arch_remove>(I<$arch_token>)

Removes an architecture from the filter.
See L<seccomp_arch_add(3)>.
=item I<$ctx>->B<attr_get>(I<$attr>)

Returns the value of an attribute. The attributes are:

=item SCMP_FLTATR_ACT_DEFAULT

The default filter action as specified in the call to B<new>. Read-only.

=item SCMP_FLTATR_ACT_BADARCH

The filter action taken when the loaded filter does not match the
architecture of the executing application. Defaults to SCMP_ACT_KILL.

=item SCMP_FLTATR_CTL_NNP

Specifies whether to turn on NO_NEW_PRIVS functionality when B<load>
is called. Defaults to 1 (on). If this flag is turned off then the
calling process must have CAP_SYS_ADMIN (or else the call to B<load>

=item SCMP_FLTATR_CTL_TSYNC
Specifies whether the kernel should synchronize the filters across
all threads when B<load> is called. Defaults to 0 (off).
See L<seccomp_attr_get(3)>.

=item I<$ctx>->B<attr_set>(I<$attr>, I<$value>)

Sets an attribute to the given value. The attributes are the ones from
the list above except for SCMP_FLTATR_ACT_DEFAULT which is read-only.
See L<seccomp_attr_get(3)>.

=item I<$ctx>->B<export_bpf>(I<$fh>)

Writes the BPF (Berkeley Packet Filter) representation of the filter
to the given file handle.
See L<seccomp_export_bpf(3)>.

=item I<$ctx>->B<export_pfc>(I<$fh>)

Writes the PFC (Pseudo Filter Code) representation of the filter to
the given file handle.
See L<seccomp_export_bpf(3)>.

=item I<$ctx>->B<load>

Loads the filter into the kernel.
See L<seccomp_load(3)>.
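An added example (not part of this module or its documentation) walking the B<new>, B<rule_add>, B<attr_set>, B<export_pfc> and B<load> sequence described above. It assumes an x86_64 host where Perl's C<open> is implemented with openat(2), and uses the C<'=~'> masked comparison to refuse any open for writing with EPERM rather than killing the process, so the denial is observable:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_ACCMODE O_WRONLY O_RDWR);
use POSIX qw(EPERM);
use Linux::Seccomp ':all';

# Build a filter whose default is to allow, then deny a few calls.
# Denied calls fail with EPERM instead of SIGSYS, so the program
# (and any logging around it) can see the denial.
sub build_filter {
    my $ctx = Linux::Seccomp->new(SCMP_ACT_ALLOW);

    # Apply the filter to all threads of the process, not just the caller.
    $ctx->attr_set(SCMP_FLTATR_CTL_TSYNC, 1);

    # openat(dirfd, path, flags, mode): flags is argument index 2.
    # '=~' is masked equality: (flags & O_ACCMODE) == (mode & O_ACCMODE),
    # so one rule each for write-only and read-write opens.
    my $openat = syscall_resolve_name('openat');
    for my $mode (O_WRONLY, O_RDWR) {
        $ctx->rule_add(SCMP_ACT_ERRNO(EPERM), $openat,
                       [2, '=~', O_ACCMODE, $mode]);
    }

    # No argument constraints: every socket(2) call is refused.
    $ctx->rule_add(SCMP_ACT_ERRNO(EPERM), syscall_resolve_name('socket'));
    return $ctx;
}

my $ctx = build_filter();
$ctx->export_pfc(\*STDOUT);   # human-readable dump, useful for review
$ctx->load;                   # from here on the kernel enforces it

# Read-only opens are still allowed...
open my $ro, '<', '/dev/null' or die "read-only open failed: $!";
close $ro;

# ...while any open for writing is refused with EPERM.
if (open my $wo, '>', '/tmp/linux-seccomp-demo') {
    print "unexpected: write open succeeded\n";
} else {
    print "write open refused: $!\n";
}
```

Reviewing the PFC dump before calling B<load> is the cheapest way to confirm that the argument masks resolved to the values you intended, since a filter cannot be removed once loaded.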
None exported by default. These functions die on error.

Returns the arch token for the native architecture.
See L<seccomp_arch_add(3)>.

=item B<arch_resolve_name>(I<$arch_name>)

Returns the arch token for a named architecture.
See L<seccomp_arch_add(3)>.

=item B<syscall_resolve_name>(I<$name>)

Resolves a system call name to its number for the native architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall.
See L<seccomp_syscall_resolve_name(3)>.

=item B<syscall_resolve_name_arch>(I<$arch_token>, I<$name>)

Resolves a system call name to its number for a given architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall.
See L<seccomp_syscall_resolve_name(3)>.

=item B<syscall_resolve_name_rewrite>(I<$arch_token>, I<$name>)

Resolves a system call name to its number for a given architecture. A negative pseudo syscall number is returned if the architecture does not have the given syscall. In contrast to the previous function, this function tries to obtain the actual syscall number in cases where the previous function would return a pseudo syscall number.
See L<seccomp_syscall_resolve_name(3)>.

=item B<syscall_resolve_num_arch>(I<$arch_token>, I<$num>)

Returns the name of the system call with the given number on the given architecture.
See L<seccomp_syscall_resolve_name(3)>.

Returns the version of libseccomp as a three-element arrayref:
[$major_version, $minor_version, $micro_version].

All exported by default. Most of the SCMP_ constants were seen above.
Here is a list of all of them:

SCMP_ARCH_MIPSEL64N32
SCMP_FLTATR_ACT_BADARCH
SCMP_FLTATR_ACT_DEFAULT
SCMP_FLTATR_CTL_TSYNC

Besides the SCMP_ constants, the module also provides a long list of
__NR_syscall and __PNR_syscall constants that represent real and
pseudo syscall numbers for many common system calls. A full list can
be found in the source code of this module. See also the
B<syscall_resolve_name> family of functions above which is more
flexible than this set of constants.

L<https://github.com/seccomp/libseccomp>

Marius Gavrilescu, E<lt>marius@ieval.roE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2016 by Marius Gavrilescu

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.24.0 or,
at your option, any later version of Perl 5 you may have available.