git.kernel.dk Git - linux-block.git/commit

author	Tyler Hicks <tyhicks@canonical.com>
	Fri, 11 Aug 2017 04:33:53 +0000 (04:33 +0000)
committer	Kees Cook <keescook@chromium.org>
	Mon, 14 Aug 2017 20:46:44 +0000 (13:46 -0700)
commit	d612b1fd8010d0d67b5287fe146b8b55bcbb8655
tree	cadcaeebf71ffa28aced54e9fc8b7c0ee42cc6d3	tree \| snapshot
parent	8e5f1ad116df6b0de65eac458d5e7c318d1c05af	commit \| diff

seccomp: Operation for checking if an action is available

Userspace code that needs to check if the kernel supports a given action
may not be able to use the /proc/sys/kernel/seccomp/actions_avail
sysctl. The process may be running in a sandbox and, therefore,
sufficient filesystem access may not be available. This patch adds an
operation to the seccomp(2) syscall that allows userspace code to ask
the kernel if a given action is available.

If the action is supported by the kernel, 0 is returned. If the action
is not supported by the kernel, -1 is returned with errno set to
-EOPNOTSUPP. If this check is attempted on a kernel that doesn't support
this new operation, -1 is returned with errno set to -EINVAL meaning
that userspace code will have the ability to differentiate between the
two error cases.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Kees Cook <keescook@chromium.org>

include/uapi/linux/seccomp.h		diff \| blob \| blame \| history
kernel/seccomp.c		diff \| blob \| blame \| history
tools/testing/selftests/seccomp/seccomp_bpf.c		diff \| blob \| blame \| history