jail/seccomp-bpf.h

   1 /*
   2  * seccomp example for x86 (32-bit and 64-bit) with BPF macros
   3  *
   4  * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
   5  * Authors:
   6  *  Will Drewry <wad@chromium.org>
   7  *  Kees Cook <keescook@chromium.org>
   8  *
   9  * Use of this source code is governed by a BSD-style license that can be
  10  * found in the LICENSE file.
  11  */
  12 #ifndef _SECCOMP_BPF_H_
  13 #define _SECCOMP_BPF_H_
  14
  15 #define _GNU_SOURCE 1
  16 #include <stdio.h>
  17 #include <stddef.h>
  18 #include <stdlib.h>
  19 #include <errno.h>
  20 #include <signal.h>
  21 #include <string.h>
  22 #include <unistd.h>
  23 #include <endian.h>
  24
  25 #include <sys/prctl.h>
  26 #ifndef PR_SET_NO_NEW_PRIVS
  27 # define PR_SET_NO_NEW_PRIVS 38
  28 #endif
  29
  30 #include <linux/unistd.h>
  31 #include <linux/audit.h>
  32 #include <linux/filter.h>
  33
  34 #ifdef HAVE_LINUX_SECCOMP_H
  35 # include <linux/seccomp.h>
  36 #endif
  37
  38 #ifndef SECCOMP_MODE_FILTER
  39 #define SECCOMP_MODE_FILTER     2 /* uses user-supplied filter. */
  40 #define SECCOMP_RET_KILL        0x00000000U /* kill the task immediately */
  41 #define SECCOMP_RET_TRAP        0x00030000U /* disallow and force a SIGSYS */
  42 #define SECCOMP_RET_ERRNO       0x00050000U /* returns an errno */
  43 #define SECCOMP_RET_LOG         0x00070000U
  44 #define SECCOMP_RET_ALLOW       0x7fff0000U /* allow */
  45 #define SECCOMP_RET_ERROR(x)    (SECCOMP_RET_ERRNO | ((x) & 0x0000ffffU))
  46 #define SECCOMP_RET_LOGGER(x)   (SECCOMP_RET_LOG | ((x) & 0x0000ffffU))
  47
  48 struct seccomp_data {
  49     int nr;
  50     __u32 arch;
  51     __u64 instruction_pointer;
  52     __u64 args[6];
  53 };
  54 #endif
  55
  56 #ifndef SYS_SECCOMP
  57 # define SYS_SECCOMP 1
  58 #endif
  59
  60 #define syscall_nr (offsetof(struct seccomp_data, nr))
  61 #define arch_nr (offsetof(struct seccomp_data, arch))
  62
  63 #if defined(__i386__)
  64 # define REG_SYSCALL    REG_EAX
  65 # define ARCH_NR        AUDIT_ARCH_I386
  66 #elif defined(__x86_64__)
  67 # define REG_SYSCALL    REG_RAX
  68 # define ARCH_NR        AUDIT_ARCH_X86_64
  69 #elif defined(__mips__)
  70 # define REG_SYSCALL    regs[2]
  71 # if __BYTE_ORDER == __LITTLE_ENDIAN
  72 #  define ARCH_NR       AUDIT_ARCH_MIPSEL
  73 # else
  74 #  define ARCH_NR       AUDIT_ARCH_MIPS
  75 # endif
  76 #elif defined(__arm__) && (defined(__ARM_EABI__) || defined(__thumb__))
  77 # define REG_SYSCALL    regs.uregs[7]
  78 # if __BYTE_ORDER == __LITTLE_ENDIAN
  79 #  define ARCH_NR       AUDIT_ARCH_ARM
  80 # else
  81 #  define ARCH_NR       AUDIT_ARCH_ARMEB
  82 # endif
  83 #else
  84 # warning "Platform does not support seccomp filter yet"
  85 # define REG_SYSCALL    0
  86 # define ARCH_NR        0
  87 #endif
  88
  89 #endif /* _SECCOMP_BPF_H_ */