
Sources/procd/jail/seccomp-bpf.h

  1 /*
  2  * seccomp example for x86 (32-bit and 64-bit) with BPF macros
  3  *
  4  * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
  5  * Authors:
  6  *  Will Drewry <wad@chromium.org>
  7  *  Kees Cook <keescook@chromium.org>
  8  *
  9  * Use of this source code is governed by a BSD-style license that can be
 10  * found in the LICENSE file.
 11  */
 12 #ifndef _SECCOMP_BPF_H_
 13 #define _SECCOMP_BPF_H_
 14 
 15 #define _GNU_SOURCE 1
    /* NOTE(review): a feature-test macro only takes effect when it is defined
     * before the first libc header of the translation unit. If a .c file
     * includes any system header before this one, the define above comes too
     * late, and if that file already defined _GNU_SOURCE with a different
     * replacement text the compiler reports a redefinition. Confirm that
     * includers pull this header in first or define the macro themselves. */
 16 #include <stdio.h>
 17 #include <stddef.h>
 18 #include <stdlib.h>
 19 #include <errno.h>
 20 #include <signal.h>
 21 #include <string.h>
 22 #include <unistd.h>
 23 #include <endian.h>
 24 
 25 #include <sys/prctl.h>
 26 #ifndef PR_SET_NO_NEW_PRIVS
    /* Fallback for <sys/prctl.h> versions that do not know the no_new_privs
     * prctl yet; 38 is the value used by the Linux UAPI headers. The kernel
     * only lets a task without CAP_SYS_ADMIN install a seccomp filter after
     * no_new_privs has been set, so this option is part of the sandbox setup. */
 27 # define PR_SET_NO_NEW_PRIVS 38
 28 #endif
 29 
 30 #include <linux/unistd.h>
 31 #include <linux/audit.h>
 32 #include <linux/filter.h>
 33 
 34 #ifdef HAVE_LINUX_SECCOMP_H
 35 # include <linux/seccomp.h>
 36 #endif
 37 
 38 #ifndef SECCOMP_MODE_FILTER
    /* Fallback seccomp definitions. Everything down to the matching #endif is
     * compiled only when no earlier header defined SECCOMP_MODE_FILTER, e.g.
     * when HAVE_LINUX_SECCOMP_H is unset and <linux/seccomp.h> was skipped.
     *
     * NOTE(review): SECCOMP_RET_LOGALLOW, SECCOMP_RET_KILLPROCESS,
     * SECCOMP_RET_ERROR() and SECCOMP_RET_LOGGER() do not appear to be names
     * provided by <linux/seccomp.h>. When the kernel header is included this
     * whole block is skipped, so confirm that code using those names has
     * another definition in that configuration. */
 39 #define SECCOMP_MODE_FILTER     2 /* uses user-supplied filter. */
 40 #define SECCOMP_RET_KILL        0x00000000U /* kill the task immediately */
 41 #define SECCOMP_RET_TRAP        0x00030000U /* disallow and force a SIGSYS */
 42 #define SECCOMP_RET_ERRNO       0x00050000U /* returns an errno */
    /* NOTE(review): mainline <linux/seccomp.h> defines SECCOMP_RET_LOG as
     * 0x7ffc0000U (the value this file gives SECCOMP_RET_LOGALLOW), so the
     * name SECCOMP_RET_LOG means a different action depending on whether the
     * kernel header or this fallback is in effect. 0x00070000U is not an
     * action value I can match to mainline; confirm how the target kernel
     * treats it before relying on it as a "log" action. */
 43 #define SECCOMP_RET_LOG         0x00070000U
 44 #define SECCOMP_RET_LOGALLOW    0x7ffc0000U /* same value as mainline SECCOMP_RET_LOG */
 45 #define SECCOMP_RET_TRACE       0x7ff00000U /* pass to a tracer or disallow */
 46 #define SECCOMP_RET_ALLOW       0x7fff0000U /* allow */
 47 #define SECCOMP_RET_KILLPROCESS 0x80000000U /* same value as mainline SECCOMP_RET_KILL_PROCESS */
    /* Build a filter return value from an action and 16 bits of data: x is
     * masked to its low 16 bits and OR-ed into SECCOMP_RET_ERRNO (the errno to
     * return) or SECCOMP_RET_LOG respectively. */
 48 #define SECCOMP_RET_ERROR(x)    (SECCOMP_RET_ERRNO | ((x) & 0x0000ffffU))
 49 #define SECCOMP_RET_LOGGER(x)   (SECCOMP_RET_LOG | ((x) & 0x0000ffffU))
 50 
    /* Local copy of the kernel's struct seccomp_data, the record a filter
     * program reads its input from. The field order and widths are kernel ABI
     * and must not be changed here. */
 51 struct seccomp_data {
 52     int nr;                     /* syscall number */
 53     __u32 arch;                 /* AUDIT_ARCH_* value of the calling ABI */
 54     __u64 instruction_pointer;
 55     __u64 args[6];              /* syscall arguments, 64 bits each */
 56 };
 57 #endif
 58 
 59 #ifndef SYS_SECCOMP
    /* Fallback for the si_code the kernel puts in the SIGSYS siginfo when a
     * filter returns SECCOMP_RET_TRAP; 1 matches the Linux UAPI value. */
 60 # define SYS_SECCOMP 1
 61 #endif
 62 
 63 #define syscall_nr (offsetof(struct seccomp_data, nr)) /* byte offset of the syscall number */
 64 #define arch_nr (offsetof(struct seccomp_data, arch)) /* byte offset of the AUDIT_ARCH_* field */
    /* Byte offset of argument x (0..5; x is not range-checked by the macro).
     * NOTE(review): each argument is 64 bits wide while a classic BPF load
     * reads at most 32 bits, so this offset addresses the low half on
     * little-endian targets and the high half on big-endian ones. This header
     * also selects big-endian ARM/MIPS/PPC values, so confirm that any filter
     * comparing arguments (built outside this header) accounts for that and
     * checks both halves where the full value matters. */
 65 #define syscall_arg(x) (offsetof(struct seccomp_data, args[x]))
 66 
 67 #if defined(__aarch64__) /* per-target selection of REG_SYSCALL and ARCH_NR */
    /* REG_SYSCALL names the register that carries the syscall number in the
     * target's syscall ABI (presumably read from a signal context by code
     * outside this header). ARCH_NR is the AUDIT_ARCH_* value a filter should
     * expect in seccomp_data.arch; checking it matters because syscall
     * numbers differ between ABIs. */
 68 # define REG_SYSCALL    regs.regs[8]
 69 # define ARCH_NR        AUDIT_ARCH_AARCH64
 70 #elif defined(__amd64__)
    /* NOTE(review): the kernel reports AUDIT_ARCH_X86_64 for x32-ABI syscalls
     * as well; those are only distinguishable by __X32_SYSCALL_BIT in the
     * syscall number. An arch comparison alone does not exclude them, so
     * confirm the filter built from these macros also handles that bit. */
 71 # define REG_SYSCALL    REG_RAX
 72 # define ARCH_NR        AUDIT_ARCH_X86_64
 73 #elif defined(__arm__) && (defined(__ARM_EABI__) || defined(__thumb__))
 74 # define REG_SYSCALL    regs.uregs[7]
 75 # if __BYTE_ORDER == __LITTLE_ENDIAN
 76 #  define ARCH_NR       AUDIT_ARCH_ARM
 77 # else
 78 #  define ARCH_NR       AUDIT_ARCH_ARMEB
 79 # endif
 80 #elif defined(__i386__)
 81 # define REG_SYSCALL    REG_EAX
 82 # define ARCH_NR        AUDIT_ARCH_I386
 83 #elif defined(__mips__)
    /* NOTE(review): only the 32-bit MIPS audit values are selected here, and
     * the __PPC__ branch below only selects the 32-bit PowerPC value. Both
     * compiler macros are, as far as I know, also defined on the 64-bit
     * variants of those architectures, where the kernel reports a different
     * AUDIT_ARCH_* value; confirm 64-bit builds are not expected to use this. */
 84 # define REG_SYSCALL    regs[2]
 85 # if __BYTE_ORDER == __LITTLE_ENDIAN
 86 #  define ARCH_NR       AUDIT_ARCH_MIPSEL
 87 # else
 88 #  define ARCH_NR       AUDIT_ARCH_MIPS
 89 # endif
 90 #elif defined(__PPC__)
 91 # define REG_SYSCALL    regs.gpr[0]
 92 # define ARCH_NR        AUDIT_ARCH_PPC
 93 #else
    /* Unsupported target: the build continues with only a warning and both
     * macros set to 0. NOTE(review): what a filter does when its expected
     * architecture is 0 depends on the code that builds it, which is not in
     * this header; verify that such a build cannot end up running a service
     * with a filter that was believed to be enforcing. An #error here would
     * fail the build instead. */
 94 # warning "Platform does not support seccomp filter yet"
 95 # define REG_SYSCALL    0
 96 # define ARCH_NR        0
 97 #endif
 98 
 99 #endif /* _SECCOMP_BPF_H_ */
100 
