Line data Source code
1 : /* SPDX-License-Identifier: GPL-2.0 */ 2 : #ifndef _LINUX_SECCOMP_H 3 : #define _LINUX_SECCOMP_H 4 : 5 : #include <uapi/linux/seccomp.h> 6 : 7 : #define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ 8 : SECCOMP_FILTER_FLAG_LOG | \ 9 : SECCOMP_FILTER_FLAG_SPEC_ALLOW | \ 10 : SECCOMP_FILTER_FLAG_NEW_LISTENER | \ 11 : SECCOMP_FILTER_FLAG_TSYNC_ESRCH) 12 : 13 : /* sizeof() the first published struct seccomp_notif_addfd */ 14 : #define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24 15 : #define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0 16 : 17 : #ifdef CONFIG_SECCOMP 18 : 19 : #include <linux/thread_info.h> 20 : #include <linux/atomic.h> 21 : #include <asm/seccomp.h> 22 : 23 : struct seccomp_filter; 24 : /** 25 : * struct seccomp - the state of a seccomp'ed process 26 : * 27 : * @mode: indicates one of the valid values above for controlled 28 : * system calls available to a process. 29 : * @filter: must always point to a valid seccomp-filter or NULL as it is 30 : * accessed without locking during system call entry. 31 : * 32 : * @filter must only be accessed from the context of current as there 33 : * is no read locking. 34 : */ 35 : struct seccomp { 36 : int mode; 37 : atomic_t filter_count; 38 : struct seccomp_filter *filter; 39 : }; 40 : 41 : #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER 42 : extern int __secure_computing(const struct seccomp_data *sd); 43 : static inline int secure_computing(void) 44 : { 45 : if (unlikely(test_syscall_work(SECCOMP))) 46 : return __secure_computing(NULL); 47 : return 0; 48 : } 49 : #else 50 : extern void secure_computing_strict(int this_syscall); 51 : #endif 52 : 53 : extern long prctl_get_seccomp(void); 54 : extern long prctl_set_seccomp(unsigned long, void __user *); 55 : 56 : static inline int seccomp_mode(struct seccomp *s) 57 : { 58 : return s->mode; 59 : } 60 : 61 : #else /* CONFIG_SECCOMP */ 62 : 63 : #include <linux/errno.h> 64 : 65 : struct seccomp { }; 66 : struct seccomp_filter { }; 67 : struct seccomp_data; 68 : 69 : #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER 70 : static inline int secure_computing(void) { return 0; } 71 : static inline int __secure_computing(const struct seccomp_data *sd) { return 0; } 72 : #else 73 : static inline void secure_computing_strict(int this_syscall) { return; } 74 : #endif 75 : 76 : static inline long prctl_get_seccomp(void) 77 : { 78 : return -EINVAL; 79 : } 80 : 81 : static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3) 82 : { 83 : return -EINVAL; 84 : } 85 : 86 : static inline int seccomp_mode(struct seccomp *s) 87 : { 88 : return SECCOMP_MODE_DISABLED; 89 : } 90 : #endif /* CONFIG_SECCOMP */ 91 : 92 : #ifdef CONFIG_SECCOMP_FILTER 93 : extern void seccomp_filter_release(struct task_struct *tsk); 94 : extern void get_seccomp_filter(struct task_struct *tsk); 95 : #else /* CONFIG_SECCOMP_FILTER */ 96 0 : static inline void seccomp_filter_release(struct task_struct *tsk) 97 : { 98 0 : return; 99 : } 100 : static inline void get_seccomp_filter(struct task_struct *tsk) 101 : { 102 : return; 103 : } 104 : #endif /* CONFIG_SECCOMP_FILTER */ 105 : 106 : #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE) 107 : extern long seccomp_get_filter(struct task_struct *task, 108 : unsigned long filter_off, void __user *data); 109 : extern long seccomp_get_metadata(struct task_struct *task, 110 : unsigned long filter_off, void __user *data); 111 : #else 112 0 : static inline long seccomp_get_filter(struct task_struct *task, 113 : unsigned long n, void __user *data) 114 : { 115 0 : return -EINVAL; 116 : } 117 0 : static inline long seccomp_get_metadata(struct task_struct *task, 118 : unsigned long filter_off, 119 : void __user *data) 120 : { 121 0 : return -EINVAL; 122 : } 123 : #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */ 124 : 125 : #ifdef CONFIG_SECCOMP_CACHE_DEBUG 126 : struct seq_file; 127 : 128 : int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns, 129 : struct pid *pid, struct task_struct *task); 130 : #endif 131 : #endif /* _LINUX_SECCOMP_H */
