0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 #ifndef _LINUX_SECCOMP_H
0003 #define _LINUX_SECCOMP_H
0004 
0005 #include <uapi/linux/seccomp.h>
0006 
/*
 * Every SECCOMP_FILTER_FLAG_* bit this kernel understands.  Presumably the
 * filter-install path compares user-supplied flags against this mask and
 * rejects anything outside it (NOTE(review): that check is not in this
 * header — confirm where it lives).  Any new flag must be added here or
 * it will never be accepted.
 */
#define SECCOMP_FILTER_FLAG_MASK    (SECCOMP_FILTER_FLAG_TSYNC | \
                     SECCOMP_FILTER_FLAG_LOG | \
                     SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
                     SECCOMP_FILTER_FLAG_NEW_LISTENER | \
                     SECCOMP_FILTER_FLAG_TSYNC_ESRCH | \
                     SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV)
0013 
0014 /* sizeof() the first published struct seccomp_notif_addfd */
0015 #define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24
0016 #define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0
0017 
0018 #ifdef CONFIG_SECCOMP
0019 
0020 #include <linux/thread_info.h>
0021 #include <linux/atomic.h>
0022 #include <asm/seccomp.h>
0023 
0024 struct seccomp_filter;
/**
 * struct seccomp - the state of a seccomp'ed process
 *
 * @mode:  indicates one of the valid SECCOMP_MODE_* values (from
 *         <uapi/linux/seccomp.h>) for controlled system calls available
 *         to a process.
 * @filter_count: atomic count associated with the attached filters.
 *         NOTE(review): what exactly it counts and who updates it is not
 *         visible in this header — confirm against the filter code.
 * @filter: must always point to a valid seccomp-filter or NULL as it is
 *          accessed without locking during system call entry.
 *
 *          @filter must only be accessed from the context of current as there
 *          is no read locking.
 */
struct seccomp {
    int mode;
    atomic_t filter_count;
    struct seccomp_filter *filter;
};
0041 
0042 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
0043 extern int __secure_computing(const struct seccomp_data *sd);
/*
 * Syscall-entry hook.  Only tasks with the SECCOMP syscall-work bit set
 * take the __secure_computing() path; everyone else gets 0 straight away.
 * The NULL argument means the callee is expected to fetch the syscall
 * data itself (NOTE(review): confirm in the __secure_computing() body).
 */
static inline int secure_computing(void)
{
    return unlikely(test_syscall_work(SECCOMP)) ? __secure_computing(NULL) : 0;
}
0050 #else
0051 extern void secure_computing_strict(int this_syscall);
0052 #endif
0053 
0054 extern long prctl_get_seccomp(void);
0055 extern long prctl_set_seccomp(unsigned long, void __user *);
0056 
/* Report the SECCOMP_MODE_* value currently recorded in @s. */
static inline int seccomp_mode(struct seccomp *s)
{
    int mode = s->mode;

    return mode;
}
0061 
0062 #else /* CONFIG_SECCOMP */
0063 
0064 #include <linux/errno.h>
0065 
/*
 * CONFIG_SECCOMP=n: empty placeholder types, presumably so that code which
 * embeds a struct seccomp or names struct seccomp_filter still compiles.
 * struct seccomp_data stays opaque; this header only ever passes it by pointer.
 */
struct seccomp { };
struct seccomp_filter { };
struct seccomp_data;
0069 
0070 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
/* CONFIG_SECCOMP=n: nothing to evaluate at syscall entry, always 0. */
static inline int secure_computing(void)
{
    return 0;
}
/* CONFIG_SECCOMP=n: @sd is ignored, the result is always 0. */
static inline int __secure_computing(const struct seccomp_data *sd)
{
    return 0;
}
0073 #else
/* CONFIG_SECCOMP=n: strict mode cannot be enabled, so @this_syscall is never checked. */
static inline void secure_computing_strict(int this_syscall)
{
}
0075 #endif
0076 
/* CONFIG_SECCOMP=n: there is no mode to report, so the prctl fails with -EINVAL. */
static inline long prctl_get_seccomp(void)
{
    return -EINVAL;
}
0081 
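/*
 * CONFIG_SECCOMP=n stub: seccomp cannot be enabled, so the prctl fails
 * with -EINVAL regardless of @arg2/@arg3.  @arg3 is declared as
 * void __user * to match the real prototype in the CONFIG_SECCOMP branch
 * (the previous char __user * disagreed with it; any caller passing a
 * char __user * still converts implicitly).
 */
static inline long prctl_set_seccomp(unsigned long arg2, void __user *arg3)
{
    return -EINVAL;
}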
0086 
/* CONFIG_SECCOMP=n: no task can be in any other mode, so @s is never inspected. */
static inline int seccomp_mode(struct seccomp *s)
{
    return SECCOMP_MODE_DISABLED;
}
0091 #endif /* CONFIG_SECCOMP */
0092 
0093 #ifdef CONFIG_SECCOMP_FILTER
0094 extern void seccomp_filter_release(struct task_struct *tsk);
0095 extern void get_seccomp_filter(struct task_struct *tsk);
0096 #else  /* CONFIG_SECCOMP_FILTER */
/* CONFIG_SECCOMP_FILTER=n: no filter is ever attached to @tsk, nothing to drop. */
static inline void seccomp_filter_release(struct task_struct *tsk)
{
}
/* CONFIG_SECCOMP_FILTER=n: no filter to take a reference on for @tsk. */
static inline void get_seccomp_filter(struct task_struct *tsk)
{
}
0105 #endif /* CONFIG_SECCOMP_FILTER */
0106 
0107 #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
0108 extern long seccomp_get_filter(struct task_struct *task,
0109                    unsigned long filter_off, void __user *data);
0110 extern long seccomp_get_metadata(struct task_struct *task,
0111                  unsigned long filter_off, void __user *data);
0112 #else
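/*
 * Stub when filter export is not built in (CONFIG_SECCOMP_FILTER=n or
 * CONFIG_CHECKPOINT_RESTORE=n): nothing can be copied out, so the request
 * fails with -EINVAL regardless of @task/@filter_off/@data.  The second
 * parameter is named @filter_off to match the real prototype and the
 * sibling seccomp_get_metadata() stub (it was previously @n).
 */
static inline long seccomp_get_filter(struct task_struct *task,
                      unsigned long filter_off, void __user *data)
{
    return -EINVAL;
}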
/*
 * Stub when filter export is not built in (CONFIG_SECCOMP_FILTER=n or
 * CONFIG_CHECKPOINT_RESTORE=n): no metadata can be copied out, so the
 * request fails with -EINVAL regardless of @task/@filter_off/@data.
 */
static inline long seccomp_get_metadata(struct task_struct *task,
                    unsigned long filter_off,
                    void __user *data)
{
    return -EINVAL;
}
0124 #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
0125 
0126 #ifdef CONFIG_SECCOMP_CACHE_DEBUG
0127 struct seq_file;
0128 
0129 int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns,
0130                struct pid *pid, struct task_struct *task);
0131 #endif
0132 #endif /* _LINUX_SECCOMP_H */