0001 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
0002 #ifndef _UAPI_LINUX_SECCOMP_H
0003 #define _UAPI_LINUX_SECCOMP_H
0004 
0005 #include <linux/compiler.h>
0006 #include <linux/types.h>
0007 
0008 
/*
 * Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>).
 *
 * The mode selects which filter (if any) the kernel applies to a task's
 * system calls; SECCOMP_MODE_FILTER is the only mode that consults a
 * user-supplied BPF program (see struct seccomp_data below for its input).
 */
#define SECCOMP_MODE_DISABLED   0 /* seccomp is not in use. */
#define SECCOMP_MODE_STRICT 1 /* uses the kernel's hard-coded filter. */
#define SECCOMP_MODE_FILTER 2 /* uses a user-supplied BPF filter. */
0013 
/*
 * Valid operations for the seccomp syscall (its first argument).
 *
 * SECCOMP_SET_MODE_STRICT and SECCOMP_SET_MODE_FILTER install the
 * corresponding SECCOMP_MODE_* mode; the GET_* operations only query the
 * kernel and do not change the calling task's seccomp state.
 */
#define SECCOMP_SET_MODE_STRICT     0
#define SECCOMP_SET_MODE_FILTER     1
/* Ask whether a given SECCOMP_RET_* action value is supported by this kernel */
#define SECCOMP_GET_ACTION_AVAIL    2
/* Fill a struct seccomp_notif_sizes with the kernel's notification struct sizes */
#define SECCOMP_GET_NOTIF_SIZES     3
0019 
/*
 * Valid flags for SECCOMP_SET_MODE_FILTER.
 *
 * Flags are OR-ed together. Note that SECCOMP_FILTER_FLAG_SPEC_ALLOW opts
 * the task out of a kernel speculation-related hardening, so a filter author
 * should set it deliberately rather than by default.
 */
/* Synchronize the new filter to every thread in the thread group */
#define SECCOMP_FILTER_FLAG_TSYNC       (1UL << 0)
/* Log all actions taken by this filter except SECCOMP_RET_ALLOW */
#define SECCOMP_FILTER_FLAG_LOG         (1UL << 1)
/* Do not enable the speculation-related mitigation for this task */
#define SECCOMP_FILTER_FLAG_SPEC_ALLOW      (1UL << 2)
/* Return a user-notification fd (see SECCOMP_IOCTL_NOTIF_* below) */
#define SECCOMP_FILTER_FLAG_NEW_LISTENER    (1UL << 3)
/* With TSYNC: report failure as -ESRCH instead of a thread id, so the
 * result cannot be confused with the fd returned for NEW_LISTENER */
#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH     (1UL << 4)
/* Received notifications wait in killable state (only respond to fatal signals) */
#define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV  (1UL << 5)
0028 
/*
 * All BPF programs must return a 32-bit value.
 * The bottom 16-bits are for optional return data (SECCOMP_RET_DATA).
 * The upper 16-bits are ordered from least permissive values to most,
 * as a signed value (so 0x80000000 is negative).
 *
 * The ordering ensures that a min_t() over composed return values always
 * selects the least permissive choice: when several filters are stacked,
 * the most restrictive action wins regardless of installation order.
 *
 * The meaning of the low 16 data bits depends on the action: the errno to
 * return for SECCOMP_RET_ERRNO, the value reported to a SIGSYS handler for
 * SECCOMP_RET_TRAP, and the message passed to the tracer for
 * SECCOMP_RET_TRACE. Data bits are ignored for the other actions.
 */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */
#define SECCOMP_RET_KILL_THREAD  0x00000000U /* kill the thread */
#define SECCOMP_RET_KILL     SECCOMP_RET_KILL_THREAD /* legacy alias: kills only the thread */
#define SECCOMP_RET_TRAP     0x00030000U /* disallow and force a SIGSYS */
#define SECCOMP_RET_ERRNO    0x00050000U /* returns an errno */
#define SECCOMP_RET_USER_NOTIF   0x7fc00000U /* notifies userspace */
#define SECCOMP_RET_TRACE    0x7ff00000U /* pass to a tracer or disallow (no tracer attached: fails the syscall) */
#define SECCOMP_RET_LOG      0x7ffc0000U /* allow after logging */
#define SECCOMP_RET_ALLOW    0x7fff0000U /* allow */
0047 
/*
 * Masks for the return value sections.
 *
 * SECCOMP_RET_ACTION_FULL keeps the sign bit and is the mask to use when
 * comparing against SECCOMP_RET_* values: it tells SECCOMP_RET_KILL_PROCESS
 * (0x80000000) apart from SECCOMP_RET_KILL_THREAD (0x00000000).
 * SECCOMP_RET_ACTION drops the sign bit, so under it both kill actions
 * compare equal. SECCOMP_RET_DATA selects the 16 bits of action data.
 */
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#define SECCOMP_RET_ACTION  0x7fff0000U
#define SECCOMP_RET_DATA    0x0000ffffU
0052 
/**
 * struct seccomp_data - the format the BPF program executes over.
 * @nr: the system call number
 * @arch: indicates system call convention as an AUDIT_ARCH_* value
 *        as defined in <linux/audit.h>.
 * @instruction_pointer: at the time of the system call.
 * @args: up to 6 system call arguments always stored as 64-bit values
 *        regardless of the architecture.
 *
 * Because system call numbers and argument layouts differ between
 * conventions, a filter should check @arch before interpreting @nr or
 * @args. The filter sees only this struct: @args holds the raw register
 * values, so memory that a pointer argument refers to cannot be inspected
 * by the BPF program.
 */
struct seccomp_data {
    int nr;
    __u32 arch;
    __u64 instruction_pointer;
    __u64 args[6];
};
0068 
/**
 * struct seccomp_notif_sizes - sizes of the user-notification structures.
 * @seccomp_notif: size of struct seccomp_notif
 * @seccomp_notif_resp: size of struct seccomp_notif_resp
 * @seccomp_data: size of struct seccomp_data
 *
 * Filled in by the SECCOMP_GET_NOTIF_SIZES operation. Userspace can compare
 * these against its own sizeof() values to detect a kernel/header mismatch
 * before using the notification ioctls.
 */
struct seccomp_notif_sizes {
    __u16 seccomp_notif;
    __u16 seccomp_notif_resp;
    __u16 seccomp_data;
};
0074 
/**
 * struct seccomp_notif - a notification delivered by SECCOMP_IOCTL_NOTIF_RECV.
 * @id: cookie identifying this notification; it is echoed back in
 *      struct seccomp_notif_resp and struct seccomp_notif_addfd and can be
 *      checked with SECCOMP_IOCTL_NOTIF_ID_VALID.
 * @pid: the task whose syscall triggered SECCOMP_RET_USER_NOTIF
 * @flags: no flag values are defined in this header
 * @data: the seccomp_data the filter evaluated for that syscall
 */
struct seccomp_notif {
    __u64 id;
    __u32 pid;
    __u32 flags;
    struct seccomp_data data;
};
0081 
/*
 * Valid flags for struct seccomp_notif_resp
 *
 * Note, the SECCOMP_USER_NOTIF_FLAG_CONTINUE flag must be used with caution!
 * If set by the process supervising the syscalls of another process the
 * syscall will continue. This is problematic because of an inherent TOCTOU.
 * An attacker can exploit the time while the supervised process is waiting on
 * a response from the supervising process to rewrite syscall arguments which
 * are passed as pointers of the intercepted syscall.
 * It should be absolutely clear that this means that the seccomp notifier
 * _cannot_ be used to implement a security policy! It should only ever be used
 * in scenarios where a more privileged process supervises the syscalls of a
 * lesser privileged process to get around kernel-enforced security
 * restrictions when the privileged process deems this safe. In other words,
 * in order to continue a syscall the supervising process should be sure that
 * another security mechanism or the kernel itself will sufficiently block
 * syscalls if arguments are rewritten to something unsafe.
 *
 * Similar precautions should be applied when stacking SECCOMP_RET_USER_NOTIF
 * or SECCOMP_RET_TRACE. For SECCOMP_RET_USER_NOTIF filters acting on the
 * same syscall, the most recently added filter takes precedence. This means
 * that the new SECCOMP_RET_USER_NOTIF filter can override any
 * SECCOMP_IOCTL_NOTIF_SEND from earlier filters, essentially allowing all
 * such filtered syscalls to be executed by sending the response
 * SECCOMP_USER_NOTIF_FLAG_CONTINUE. Note that SECCOMP_RET_TRACE can equally
 * be overridden by SECCOMP_USER_NOTIF_FLAG_CONTINUE.
 */
/* Let the intercepted syscall run in the supervised task (see TOCTOU note above) */
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)
0110 
/**
 * struct seccomp_notif_resp - the supervisor's answer, sent with
 *                             SECCOMP_IOCTL_NOTIF_SEND.
 * @id: must match the seccomp_notif.id being answered
 * @val: syscall return value to report to the supervised task
 * @error: errno-style error to report to the supervised task
 * @flags: SECCOMP_USER_NOTIF_FLAG_* (currently only
 *         SECCOMP_USER_NOTIF_FLAG_CONTINUE is defined)
 *
 * Which of @val and @error the kernel uses, and whether either is consulted
 * when SECCOMP_USER_NOTIF_FLAG_CONTINUE is set, is decided by the kernel's
 * response handling, not by this header — confirm against the kernel
 * version in use.
 */
struct seccomp_notif_resp {
    __u64 id;
    __s64 val;
    __s32 error;
    __u32 flags;
};
0117 
/* Valid flags for seccomp_notif_addfd.flags */
#define SECCOMP_ADDFD_FLAG_SETFD    (1UL << 0) /* Install at the fd number given in newfd (dup2-style) */
#define SECCOMP_ADDFD_FLAG_SEND     (1UL << 1) /* Addfd and return it, atomically */
0121 
/**
 * struct seccomp_notif_addfd - install a supervisor fd into the supervised
 *                              task, via SECCOMP_IOCTL_NOTIF_ADDFD.
 * @id: The ID of the seccomp notification being handled
 * @flags: SECCOMP_ADDFD_FLAG_*
 * @srcfd: The local fd number (in the supervising process)
 * @newfd: Remote fd number to install at if SECCOMP_ADDFD_FLAG_SETFD is set,
 *         otherwise 0 and the kernel picks the number.
 * @newfd_flags: The O_* flags the remote FD should have applied
 *
 * On success the ioctl returns the fd number as seen by the supervised
 * process. The supervisor hands over an open file description here, so it
 * should only do this for descriptors it intends the supervised task to own.
 */
struct seccomp_notif_addfd {
    __u64 id;
    __u32 flags;
    __u32 srcfd;
    __u32 newfd;
    __u32 newfd_flags;
};
0137 
/*
 * ioctl(2) request-code helpers for the seccomp notification fd.
 *
 * These expand to the generic _IO/_IOR/_IOW/_IOWR encoders, which this
 * header does not include itself; a user must include <linux/ioctl.h>
 * (or <sys/ioctl.h>) before using the SECCOMP_IOCTL_* requests below.
 */
#define SECCOMP_IOC_MAGIC       '!'
#define SECCOMP_IO(nr)          _IO(SECCOMP_IOC_MAGIC, nr)
#define SECCOMP_IOR(nr, type)       _IOR(SECCOMP_IOC_MAGIC, nr, type)
#define SECCOMP_IOW(nr, type)       _IOW(SECCOMP_IOC_MAGIC, nr, type)
#define SECCOMP_IOWR(nr, type)      _IOWR(SECCOMP_IOC_MAGIC, nr, type)
0143 
/*
 * ioctl(2) requests for the seccomp notification fd (the fd returned when a
 * filter is installed with SECCOMP_FILTER_FLAG_NEW_LISTENER).
 */
/* Block until a notification is available and fill a struct seccomp_notif */
#define SECCOMP_IOCTL_NOTIF_RECV    SECCOMP_IOWR(0, struct seccomp_notif)
/* Answer a notification with a struct seccomp_notif_resp (id must match) */
#define SECCOMP_IOCTL_NOTIF_SEND    SECCOMP_IOWR(1, \
                        struct seccomp_notif_resp)
/* Check that the notification id is still live; fails once the supervised
 * task has died or the request was already answered */
#define SECCOMP_IOCTL_NOTIF_ID_VALID    SECCOMP_IOW(2, __u64)
/* On success, the return value is the remote process's added fd number */
#define SECCOMP_IOCTL_NOTIF_ADDFD   SECCOMP_IOW(3, \
                        struct seccomp_notif_addfd)
0152 
0153 #endif /* _UAPI_LINUX_SECCOMP_H */