projects / linux-block.git / blame
| Commit | Line | Data |
|---|---|---|
| b2441318 | 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
| 1da177e4 LT |
2 | #ifndef _LINUX_SECCOMP_H |
| 3 | #define _LINUX_SECCOMP_H | |
| 4 | ||
| 607ca46e | 5 | #include <uapi/linux/seccomp.h> |
| e2cfabdf | 6 | |
| 6a21cc50 TA |
7 | #define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ |
| 8 | SECCOMP_FILTER_FLAG_LOG | \ | |
| 9 | SECCOMP_FILTER_FLAG_SPEC_ALLOW | \ | |
| 51891498 TA |
10 | SECCOMP_FILTER_FLAG_NEW_LISTENER | \ |
| 11 | SECCOMP_FILTER_FLAG_TSYNC_ESRCH) | |
| c2e1f2e3 | 12 | |
| 7cf97b12 SD |
13 | /* sizeof() the first published struct seccomp_notif_addfd */ |
| 14 | #define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24 | |
| 15 | #define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0 | |
| 16 | ||
| 1da177e4 LT |
17 | #ifdef CONFIG_SECCOMP |
| 18 | ||
| 1da177e4 | 19 | #include <linux/thread_info.h> |
| c818c03b | 20 | #include <linux/atomic.h> |
| 1da177e4 LT |
21 | #include <asm/seccomp.h> |
| 22 | ||
| e2cfabdf WD |
23 | struct seccomp_filter; |
| 24 | /** | |
| 25 | * struct seccomp - the state of a seccomp'ed process | |
| 26 | * | |
| 27 | * @mode: indicates one of the valid values above for controlled | |
| 28 | * system calls available to a process. | |
| dbd95212 KC |
29 | * @filter: must always point to a valid seccomp-filter or NULL as it is |
| 30 | * accessed without locking during system call entry. | |
| e2cfabdf WD |
31 | * |
| 32 | * @filter must only be accessed from the context of current as there | |
| dbd95212 | 33 | * is no read locking. |
| e2cfabdf | 34 | */ |
| 932ecebb WD |
35 | struct seccomp { |
| 36 | int mode; | |
| c818c03b | 37 | atomic_t filter_count; |
| e2cfabdf | 38 | struct seccomp_filter *filter; |
| 932ecebb | 39 | }; |
| 1da177e4 | 40 | |
| a4412fc9 | 41 | #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER |
| 2f275de5 | 42 | extern int __secure_computing(const struct seccomp_data *sd); |
| fefad9ef | 43 | static inline int secure_computing(void) |
| 1da177e4 | 44 | { |
| 23d67a54 | 45 | if (unlikely(test_syscall_work(SECCOMP))) |
| fefad9ef | 46 | return __secure_computing(NULL); |
| acf3b2c7 | 47 | return 0; |
| 1da177e4 | 48 | } |
| a4412fc9 AL |
49 | #else |
| 50 | extern void secure_computing_strict(int this_syscall); | |
| 51 | #endif | |
| e4da89d0 | 52 | |
| 1d9d02fe | 53 | extern long prctl_get_seccomp(void); |
| a5662e4d | 54 | extern long prctl_set_seccomp(unsigned long, void __user *); |
| 1d9d02fe | 55 | |
| 932ecebb | 56 | static inline int seccomp_mode(struct seccomp *s) |
| 5cec93c2 AL |
57 | { |
| 58 | return s->mode; | |
| 59 | } | |
| 60 | ||
| 1da177e4 LT |
61 | #else /* CONFIG_SECCOMP */ |
| 62 | ||
| 42a17ad2 RB |
63 | #include <linux/errno.h> |
| 64 | ||
| 932ecebb | 65 | struct seccomp { }; |
| e2cfabdf | 66 | struct seccomp_filter { }; |
| 3135f5b7 | 67 | struct seccomp_data; |
| 1da177e4 | 68 | |
| a4412fc9 | 69 | #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER |
| fefad9ef | 70 | static inline int secure_computing(void) { return 0; } |
| 3135f5b7 | 71 | static inline int __secure_computing(const struct seccomp_data *sd) { return 0; } |
| a4412fc9 | 72 | #else |
| e4da89d0 | 73 | static inline void secure_computing_strict(int this_syscall) { return; } |
| a4412fc9 | 74 | #endif |
| 1da177e4 | 75 | |
| 1d9d02fe AA |
76 | static inline long prctl_get_seccomp(void) |
| 77 | { | |
| 78 | return -EINVAL; | |
| 79 | } | |
| 80 | ||
| e2cfabdf | 81 | static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3) |
| 1d9d02fe AA |
82 | { |
| 83 | return -EINVAL; | |
| 84 | } | |
| 85 | ||
| 932ecebb | 86 | static inline int seccomp_mode(struct seccomp *s) |
| 5cec93c2 | 87 | { |
| 221272f9 | 88 | return SECCOMP_MODE_DISABLED; |
| 5cec93c2 | 89 | } |
| 1da177e4 LT |
90 | #endif /* CONFIG_SECCOMP */ |
| 91 | ||
| e2cfabdf | 92 | #ifdef CONFIG_SECCOMP_FILTER |
| 3a15fb6e | 93 | extern void seccomp_filter_release(struct task_struct *tsk); |
| e2cfabdf | 94 | extern void get_seccomp_filter(struct task_struct *tsk); |
| e2cfabdf | 95 | #else /* CONFIG_SECCOMP_FILTER */ |
| 3a15fb6e | 96 | static inline void seccomp_filter_release(struct task_struct *tsk) |
| e2cfabdf WD |
97 | { |
| 98 | return; | |
| 99 | } | |
| 100 | static inline void get_seccomp_filter(struct task_struct *tsk) | |
| 101 | { | |
| 102 | return; | |
| 103 | } | |
| 104 | #endif /* CONFIG_SECCOMP_FILTER */ | |
| f8e529ed TA |
105 | |
| 106 | #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE) | |
| 107 | extern long seccomp_get_filter(struct task_struct *task, | |
| 108 | unsigned long filter_off, void __user *data); | |
| 26500475 TA |
109 | extern long seccomp_get_metadata(struct task_struct *task, |
| 110 | unsigned long filter_off, void __user *data); | |
| f8e529ed TA |
111 | #else |
| 112 | static inline long seccomp_get_filter(struct task_struct *task, | |
| 113 | unsigned long n, void __user *data) | |
| 114 | { | |
| 115 | return -EINVAL; | |
| 116 | } | |
| 26500475 TA |
117 | static inline long seccomp_get_metadata(struct task_struct *task, |
| 118 | unsigned long filter_off, | |
| 119 | void __user *data) | |
| 120 | { | |
| 121 | return -EINVAL; | |
| 122 | } | |
| f8e529ed | 123 | #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */ |
| 0d8315dd YZ |
124 | |
| 125 | #ifdef CONFIG_SECCOMP_CACHE_DEBUG | |
| 126 | struct seq_file; | |
| 127 | ||
| 128 | int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns, | |
| 129 | struct pid *pid, struct task_struct *task); | |
| 130 | #endif | |
| 1da177e4 | 131 | #endif /* _LINUX_SECCOMP_H */ |