2 * seccomp example for x86 (32-bit and 64-bit) and little-endian MIPS with BPF macros
4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
6 * Will Drewry <wad@chromium.org>
7 * Kees Cook <keescook@chromium.org>
9 * Use of this source code is governed by a BSD-style license that can be
10 * found in the LICENSE file.
12 #ifndef _SECCOMP_BPF_H_
13 #define _SECCOMP_BPF_H_
24 #include <sys/prctl.h>
/*
 * Fallback for libc headers that predate PR_SET_NO_NEW_PRIVS; 38 is the
 * Linux prctl(2) option number.
 *
 * NOTE(review): whatever installs the filter (not in this header) is
 * expected to call prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) first. The kernel
 * refuses SECCOMP_MODE_FILTER from an unprivileged task without it, and the
 * flag is what stops a filter from being used to confuse set-uid executables
 * -- confirm the installer sets it.
 */
25 #ifndef PR_SET_NO_NEW_PRIVS
26 # define PR_SET_NO_NEW_PRIVS 38
29 #include <linux/unistd.h>
30 #include <linux/audit.h>
31 #include <linux/filter.h>
33 #ifdef HAVE_LINUX_SECCOMP_H
34 # include <linux/seccomp.h>
/*
 * Fallback definitions for systems whose <linux/seccomp.h> is missing or
 * predates filter mode. The whole block is skipped when the kernel header
 * already defines SECCOMP_MODE_FILTER.
 *
 * NOTE(review): SECCOMP_RET_ERROR() and SECCOMP_RET_LOGGER() exist only on
 * this fallback path, so code using them will not compile where the kernel
 * header is present and current; they belong outside the #ifndef. Also,
 * 0x00070000U is a private value for SECCOMP_RET_LOG that does not match
 * the upstream ABI (the kernel's SECCOMP_RET_LOG, Linux >= 4.14, is
 * 0x7ffc0000U). As far as I can tell the kernel treats a return action it
 * does not recognise like SECCOMP_RET_KILL, so a rule that means to "log"
 * with this value may kill the task instead -- verify on the target kernel.
 */
37 #ifndef SECCOMP_MODE_FILTER
38 #define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
/*
 * Filter return values: the high 16 bits select the action; the low 16 bits
 * carry action data, e.g. the errno for SECCOMP_RET_ERRNO (see the 0xffff
 * masks below).
 */
/* NOTE(review): on current kernels this value kills only the calling thread
 * (it aliases SECCOMP_RET_KILL_THREAD); other threads of the process keep
 * running. */
39 #define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
40 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
41 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
42 #define SECCOMP_RET_LOG 0x00070000U /* local value; not the upstream SECCOMP_RET_LOG */
43 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
/* Helpers: combine an action with a 16-bit data value (errno or tag). */
44 #define SECCOMP_RET_ERROR(x) (SECCOMP_RET_ERRNO | ((x) & 0x0000ffffU))
45 #define SECCOMP_RET_LOGGER(x) (SECCOMP_RET_LOG | ((x) & 0x0000ffffU))
50 __u64 instruction_pointer
;
/* si_code the kernel reports in the SIGSYS siginfo for a SECCOMP_RET_TRAP
 * violation; presumably a fallback for libcs whose <signal.h> lacks it --
 * the enclosing conditional is not visible here. */
56 # define SYS_SECCOMP 1
/*
 * Byte offsets of the nr and arch fields of struct seccomp_data, the record
 * the kernel hands to the filter; intended as the offset of a BPF absolute
 * load.
 *
 * NOTE(review): a filter should load arch_nr and compare it with ARCH_NR
 * before acting on syscall_nr. On x86-64 the same kernel also services i386
 * (and x32) system calls whose numbers differ, so a syscall-number check
 * alone can be bypassed by switching ABI.
 */
59 #define syscall_nr (offsetof(struct seccomp_data, nr))
60 #define arch_nr (offsetof(struct seccomp_data, arch))
/* Per-architecture: REG_SYSCALL presumably names the saved register that
 * holds the syscall number for a SIGSYS handler (confirm against the
 * handler, not visible here); ARCH_NR is the AUDIT_ARCH_* value the filter
 * compares against seccomp_data.arch. */
63 # define REG_SYSCALL REG_EAX
64 # define ARCH_NR AUDIT_ARCH_I386
65 #elif defined(__x86_64__)
66 # define REG_SYSCALL REG_RAX
67 # define ARCH_NR AUDIT_ARCH_X86_64
68 #elif defined(__mips__)
/*
 * NOTE(review): __mips__ is also defined on big-endian and 64-bit MIPS,
 * where AUDIT_ARCH_MIPSEL does not match what the kernel reports in
 * seccomp_data.arch. If the filter kills on an arch mismatch, as such
 * checks usually do, every syscall is rejected there (fails closed, but the
 * binary becomes unusable).
 */
69 # define REG_SYSCALL regs[2]
70 # define ARCH_NR AUDIT_ARCH_MIPSEL
/* Unsupported platform: ARCH_NR is not defined on this path in the lines
 * visible here, so a filter that references it will fail to compile rather
 * than silently install an unchecked one. */
72 # warning "Platform does not support seccomp filter yet"
73 # define REG_SYSCALL 0
77 #endif /* _SECCOMP_BPF_H_ */