cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

seccomp.h (3582B)


      1/* SPDX-License-Identifier: GPL-2.0 */
      2#ifndef _LINUX_SECCOMP_H
      3#define _LINUX_SECCOMP_H
      4
      5#include <uapi/linux/seccomp.h>
      6
/*
 * Bitwise OR of the six SECCOMP_FILTER_FLAG_* bits listed below. The flag
 * constants are not defined in this header; <uapi/linux/seccomp.h> is the
 * only header included before this point.
 * NOTE(review): presumably the filter-install path rejects any flag bit
 * outside this mask, so a new flag has to be added here before user space
 * can pass it - confirm against the user of this macro.
 */
#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
					 SECCOMP_FILTER_FLAG_LOG | \
					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH | \
					 SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV)
     13
/*
 * sizeof() the first published struct seccomp_notif_addfd.
 * SECCOMP_NOTIFY_ADDFD_SIZE_LATEST aliases the newest known size, which is
 * VER0 because only one version is listed here.
 * NOTE(review): these look like the size bounds used when copying the
 * versioned struct from user space - confirm at the use site.
 */
#define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24
#define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0
     17
     18#ifdef CONFIG_SECCOMP
     19
     20#include <linux/thread_info.h>
     21#include <linux/atomic.h>
     22#include <asm/seccomp.h>
     23
     24struct seccomp_filter;
/**
 * struct seccomp - the state of a seccomp'ed process
 *
 * @mode:  indicates one of the valid seccomp mode values for controlled
 *         system calls available to a process. The values themselves are
 *         not defined in this header; SECCOMP_MODE_DISABLED is the one
 *         reported by seccomp_mode() when CONFIG_SECCOMP is off.
 * @filter_count: atomic counter stored next to @filter.
 *          NOTE(review): presumably the number of filters attached to the
 *          task - confirm against the code that updates it.
 * @filter: must always point to a valid seccomp-filter or NULL as it is
 *          accessed without locking during system call entry.
 *
 *          @filter must only be accessed from the context of current as there
 *          is no read locking.
 */
struct seccomp {
	int mode;
	atomic_t filter_count;
	struct seccomp_filter *filter;
};
     41
     42#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
/* Out-of-line seccomp check; its definition is not in this header. */
extern int __secure_computing(const struct seccomp_data *sd);

/**
 * secure_computing - run the seccomp check only when it is armed
 *
 * Tests the SECCOMP syscall-work flag and, when it is set, hands over to
 * __secure_computing() with a NULL seccomp_data pointer. When the flag is
 * clear, nothing is called.
 *
 * Return: the result of __secure_computing(), or 0 when the flag is clear.
 * NOTE(review): callers presumably treat a non-zero result as "do not run
 * the system call" - confirm at the call sites.
 */
static inline int secure_computing(void)
{
	/* unlikely(): the flag is expected to be clear on most entries. */
	return unlikely(test_syscall_work(SECCOMP)) ?
		__secure_computing(NULL) : 0;
}
     50#else
/*
 * Declared instead of secure_computing() when the architecture does not
 * define CONFIG_HAVE_ARCH_SECCOMP_FILTER. It returns nothing, so the caller
 * gets no verdict back.
 * NOTE(review): @this_syscall is presumably the number of the system call
 * being entered - confirm against the definition.
 */
extern void secure_computing_strict(int this_syscall);
     52#endif
     53
/*
 * Seccomp get/set helpers, named after prctl. These are the real
 * implementations used when CONFIG_SECCOMP is set; with CONFIG_SECCOMP off,
 * the inline stubs in the #else branch of this header return -EINVAL.
 * The second argument of prctl_set_seccomp() is a user-space pointer
 * (__user) and must not be dereferenced directly.
 */
extern long prctl_get_seccomp(void);
extern long prctl_set_seccomp(unsigned long, void __user *);
     56
/**
 * seccomp_mode - read the mode stored in a seccomp state
 * @s: seccomp state to inspect; dereferenced without a NULL check
 *
 * Return: the raw value of the @mode member of @s.
 */
static inline int seccomp_mode(struct seccomp *s)
{
	const struct seccomp *state = s;

	return state->mode;
}
     61
     62#else /* CONFIG_SECCOMP */
     63
     64#include <linux/errno.h>
     65
/*
 * CONFIG_SECCOMP is off: struct seccomp and struct seccomp_filter become
 * empty placeholder types, and struct seccomp_data is only forward-declared.
 * NOTE(review): presumably this keeps code that embeds or points at these
 * types compiling without seccomp support - confirm against the users.
 */
struct seccomp { };
struct seccomp_filter { };
struct seccomp_data;
     69
     70#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
/*
 * CONFIG_SECCOMP=n stub: no check is performed and the result is always 0,
 * so a kernel built this way applies no seccomp filtering on this path.
 */
static inline int secure_computing(void)
{
	return 0;
}
/*
 * CONFIG_SECCOMP=n stub: @sd is ignored (it is never dereferenced) and the
 * result is always 0.
 */
static inline int __secure_computing(const struct seccomp_data *sd)
{
	return 0;
}
     73#else
/* CONFIG_SECCOMP=n stub: @this_syscall is ignored and nothing is checked. */
static inline void secure_computing_strict(int this_syscall)
{
}
     75#endif
     76
/*
 * CONFIG_SECCOMP=n stub. It reports -EINVAL rather than a mode value, so a
 * caller can tell "seccomp not built in" apart from a successful query.
 */
static inline long prctl_get_seccomp(void)
{
	const long unsupported = -EINVAL;

	return unsupported;
}
     81
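/*
 * CONFIG_SECCOMP=n stub. Both arguments are ignored and the request fails
 * with -EINVAL, so an attempt to enable seccomp on a kernel built without
 * it is reported as an error instead of appearing to succeed.
 *
 * @arg3 is declared void __user * to match the CONFIG_SECCOMP=y prototype
 * in this header, so callers type-check the same way in both
 * configurations. Any pointer a caller passed as char __user * still
 * converts implicitly.
 */
static inline long prctl_set_seccomp(unsigned long arg2, void __user *arg3)
{
	return -EINVAL;
}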
     86
/*
 * CONFIG_SECCOMP=n stub: @s is never read (struct seccomp is empty in this
 * configuration) and every task is reported as SECCOMP_MODE_DISABLED.
 */
static inline int seccomp_mode(struct seccomp *s)
{
	const int mode = SECCOMP_MODE_DISABLED;

	return mode;
}
     91#endif /* CONFIG_SECCOMP */
     92
     93#ifdef CONFIG_SECCOMP_FILTER
/*
 * Filter lifetime helpers, available when CONFIG_SECCOMP_FILTER is set; the
 * #else branch replaces both with empty stubs.
 * NOTE(review): by their names these take and drop a reference on @tsk's
 * filter - confirm against the definitions, which are not in this header.
 */
extern void seccomp_filter_release(struct task_struct *tsk);
extern void get_seccomp_filter(struct task_struct *tsk);
     96#else  /* CONFIG_SECCOMP_FILTER */
/* CONFIG_SECCOMP_FILTER=n stub: @tsk is not touched and nothing is done. */
static inline void seccomp_filter_release(struct task_struct *tsk)
{
}
/* CONFIG_SECCOMP_FILTER=n stub: @tsk is not touched and nothing is done. */
static inline void get_seccomp_filter(struct task_struct *tsk)
{
}
    105#endif /* CONFIG_SECCOMP_FILTER */
    106
    107#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
/*
 * Only declared when both CONFIG_SECCOMP_FILTER and
 * CONFIG_CHECKPOINT_RESTORE are set; otherwise the stubs in the #else
 * branch return -EINVAL. @data is a user-space pointer (__user) and must
 * not be dereferenced directly.
 * NOTE(review): these expose another task's filter state to the caller, so
 * the permission check presumably sits in the caller or the definition -
 * neither is visible in this header; confirm.
 */
extern long seccomp_get_filter(struct task_struct *task,
			       unsigned long filter_off, void __user *data);
extern long seccomp_get_metadata(struct task_struct *task,
				 unsigned long filter_off, void __user *data);
    112#else
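/*
 * Stub used unless both CONFIG_SECCOMP_FILTER and CONFIG_CHECKPOINT_RESTORE
 * are set. All three arguments are ignored and the call fails with -EINVAL.
 *
 * The second parameter is named filter_off, as in the real prototype and
 * in the seccomp_get_metadata() stub, so the two configurations read the
 * same. Parameter names are not part of the C interface, so callers are
 * unaffected.
 */
static inline long seccomp_get_filter(struct task_struct *task,
				      unsigned long filter_off,
				      void __user *data)
{
	return -EINVAL;
}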
/*
 * Stub used unless both CONFIG_SECCOMP_FILTER and CONFIG_CHECKPOINT_RESTORE
 * are set. @task, @filter_off and @data are ignored and the call fails with
 * -EINVAL.
 */
static inline long
seccomp_get_metadata(struct task_struct *task, unsigned long filter_off,
		     void __user *data)
{
	const long unsupported = -EINVAL;

	return unsupported;
}
    124#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
    125
    126#ifdef CONFIG_SECCOMP_CACHE_DEBUG
/* Forward declaration; only a pointer to struct seq_file is used below. */
struct seq_file;

/*
 * Only declared when CONFIG_SECCOMP_CACHE_DEBUG is set; this header gives
 * no stub for the other case.
 * NOTE(review): the (seq_file, pid_namespace, pid, task_struct) signature
 * looks like a per-task /proc show callback that writes into @m - confirm
 * against the definition and check who may read the resulting file.
 */
int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns,
			   struct pid *pid, struct task_struct *task);
    131#endif
    132#endif /* _LINUX_SECCOMP_H */