1 /* 2 * seccomp example for x86 (32-bit and 64-bit) with BPF macros 3 * 4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org> 5 * Authors: 6 * Will Drewry <wad@chromium.org> 7 * Kees Cook <keescook@chromium.org> 8 * 9 * Use of this source code is governed by a BSD-style license that can be 10 * found in the LICENSE file. 11 */ 12 #ifndef _SECCOMP_BPF_H_ 13 #define _SECCOMP_BPF_H_ 14 15 #define _GNU_SOURCE 1 16 #include <stdio.h> 17 #include <stddef.h> 18 #include <stdlib.h> 19 #include <errno.h> 20 #include <signal.h> 21 #include <string.h> 22 #include <unistd.h> 23 #include <endian.h> 24 25 #include <sys/prctl.h> 26 #ifndef PR_SET_NO_NEW_PRIVS 27 # define PR_SET_NO_NEW_PRIVS 38 28 #endif 29 30 #include <linux/unistd.h> 31 #include <linux/audit.h> 32 #include <linux/filter.h> 33 34 #ifdef HAVE_LINUX_SECCOMP_H 35 # include <linux/seccomp.h> 36 #endif 37 38 #ifndef SECCOMP_MODE_FILTER 39 #define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ 40 #define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */ 41 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */ 42 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */ 43 #define SECCOMP_RET_LOG 0x00070000U 44 #define SECCOMP_RET_LOGALLOW 0x7ffc0000U 45 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */ 46 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ 47 #define SECCOMP_RET_KILLPROCESS 0x80000000U 48 #define SECCOMP_RET_ERROR(x) (SECCOMP_RET_ERRNO | ((x) & 0x0000ffffU)) 49 #define SECCOMP_RET_LOGGER(x) (SECCOMP_RET_LOG | ((x) & 0x0000ffffU)) 50 51 struct seccomp_data { 52 int nr; 53 __u32 arch; 54 __u64 instruction_pointer; 55 __u64 args[6]; 56 }; 57 #endif 58 59 #ifndef SYS_SECCOMP 60 # define SYS_SECCOMP 1 61 #endif 62 63 #define syscall_nr (offsetof(struct seccomp_data, nr)) 64 #define arch_nr (offsetof(struct seccomp_data, arch)) 65 #define syscall_arg(x) (offsetof(struct seccomp_data, args[x])) 66 67 #if defined(__aarch64__) 68 # define REG_SYSCALL regs.regs[8] 69 # define ARCH_NR AUDIT_ARCH_AARCH64 70 #elif defined(__amd64__) 71 # define REG_SYSCALL REG_RAX 72 # define ARCH_NR AUDIT_ARCH_X86_64 73 #elif defined(__arm__) && (defined(__ARM_EABI__) || defined(__thumb__)) 74 # define REG_SYSCALL regs.uregs[7] 75 # if __BYTE_ORDER == __LITTLE_ENDIAN 76 # define ARCH_NR AUDIT_ARCH_ARM 77 # else 78 # define ARCH_NR AUDIT_ARCH_ARMEB 79 # endif 80 #elif defined(__i386__) 81 # define REG_SYSCALL REG_EAX 82 # define ARCH_NR AUDIT_ARCH_I386 83 #elif defined(__mips__) 84 # define REG_SYSCALL regs[2] 85 # if __BYTE_ORDER == __LITTLE_ENDIAN 86 # define ARCH_NR AUDIT_ARCH_MIPSEL 87 # else 88 # define ARCH_NR AUDIT_ARCH_MIPS 89 # endif 90 #elif defined(__PPC__) 91 # define REG_SYSCALL regs.gpr[0] 92 # define ARCH_NR AUDIT_ARCH_PPC 93 #else 94 # warning "Platform does not support seccomp filter yet" 95 # define REG_SYSCALL 0 96 # define ARCH_NR 0 97 #endif 98 99 #endif /* _SECCOMP_BPF_H_ */ 100
This page was automatically generated by LXR 0.3.1. • OpenWrt