[mirror_ubuntu-zesty-kernel.git] / include / linux / seccomp.h

#ifndef _LINUX_SECCOMP_H
#define _LINUX_SECCOMP_H

#include <linux/compiler.h>
#include <linux/types.h>


/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
#define SECCOMP_MODE_DISABLED	0 /* seccomp is not in use. */
#define SECCOMP_MODE_STRICT	1 /* uses hard-coded filter. */
#define SECCOMP_MODE_FILTER	2 /* uses user-supplied filter. */

/*
 * All BPF programs must return a 32-bit value.
 * The bottom 16-bits are reserved for future use.
 * The upper 16-bits are ordered from least permissive values to most.
 *
 * The ordering ensures that a min_t() over composed return values always
 * selects the least permissive choice.
 */
#define SECCOMP_RET_KILL	0x00000000U /* kill the task immediately */
#define SECCOMP_RET_ALLOW	0x7fff0000U /* allow */

/* Masks for the return value sections. */
#define SECCOMP_RET_ACTION	0x7fff0000U
#define SECCOMP_RET_DATA	0x0000ffffU

/**
 * struct seccomp_data - the format the BPF program executes over.
 * @nr: the system call number
 * @arch: indicates system call convention as an AUDIT_ARCH_* value
 *        as defined in <linux/audit.h>.
 * @instruction_pointer: at the time of the system call.
 * @args: up to 6 system call arguments always stored as 64-bit values
 *        regardless of the architecture.
 */
struct seccomp_data {
	int nr;
	__u32 arch;
	__u64 instruction_pointer;
	__u64 args[6];
};

#ifdef __KERNEL__
#ifdef CONFIG_SECCOMP

#include <linux/thread_info.h>
#include <asm/seccomp.h>

struct seccomp_filter;
/**
 * struct seccomp - the state of a seccomp'ed process
 *
 * @mode:  indicates one of the valid values above for controlled
 *         system calls available to a process.
 * @filter: The metadata and ruleset for determining what system calls
 *          are allowed for a task.
 *
 *          @filter must only be accessed from the context of current as there
 *          is no locking.
 */
struct seccomp {
	int mode;
	struct seccomp_filter *filter;
};

extern void __secure_computing(int);
static inline void secure_computing(int this_syscall)
{
	if (unlikely(test_thread_flag(TIF_SECCOMP)))
		__secure_computing(this_syscall);
}

extern long prctl_get_seccomp(void);
extern long prctl_set_seccomp(unsigned long, char __user *);

static inline int seccomp_mode(struct seccomp *s)
{
	return s->mode;
}

#else /* CONFIG_SECCOMP */

#include <linux/errno.h>

struct seccomp { };
struct seccomp_filter { };

#define secure_computing(x) 0

static inline long prctl_get_seccomp(void)
{
	return -EINVAL;
}

static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
{
	return -EINVAL;
}

static inline int seccomp_mode(struct seccomp *s)
{
	return 0;
}
#endif /* CONFIG_SECCOMP */

#ifdef CONFIG_SECCOMP_FILTER
extern void put_seccomp_filter(struct task_struct *tsk);
extern void get_seccomp_filter(struct task_struct *tsk);
extern u32 seccomp_bpf_load(int off);
#else  /* CONFIG_SECCOMP_FILTER */
static inline void put_seccomp_filter(struct task_struct *tsk)
{
	return;
}
static inline void get_seccomp_filter(struct task_struct *tsk)
{
	return;
}
#endif /* CONFIG_SECCOMP_FILTER */
#endif /* __KERNEL__ */
#endif /* _LINUX_SECCOMP_H */
Commit	Line	Data
1da177e4 LT	1	#ifndef _LINUX_SECCOMP_H
	2	#define _LINUX_SECCOMP_H
	3
e2cfabdf WD	4	#include <linux/compiler.h>
	5	#include <linux/types.h>
	6
	7
	8	/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
	9	#define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */
	10	#define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */
	11	#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
	12
	13	/*
	14	* All BPF programs must return a 32-bit value.
	15	* The bottom 16-bits are reserved for future use.
	16	* The upper 16-bits are ordered from least permissive values to most.
	17	*
	18	* The ordering ensures that a min_t() over composed return values always
	19	* selects the least permissive choice.
	20	*/
	21	#define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
	22	#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
	23
	24	/* Masks for the return value sections. */
	25	#define SECCOMP_RET_ACTION 0x7fff0000U
	26	#define SECCOMP_RET_DATA 0x0000ffffU
	27
	28	/**
	29	* struct seccomp_data - the format the BPF program executes over.
	30	* @nr: the system call number
	31	* @arch: indicates system call convention as an AUDIT_ARCH_* value
	32	* as defined in <linux/audit.h>.
	33	* @instruction_pointer: at the time of the system call.
	34	* @args: up to 6 system call arguments always stored as 64-bit values
	35	* regardless of the architecture.
	36	*/
	37	struct seccomp_data {
	38	int nr;
	39	__u32 arch;
	40	__u64 instruction_pointer;
	41	__u64 args[6];
	42	};
1da177e4	43
e2cfabdf	44	#ifdef __KERNEL__
1da177e4 LT	45	#ifdef CONFIG_SECCOMP
1da177e4 LT	46
1da177e4 LT	47	#include <linux/thread_info.h>
	48	#include <asm/seccomp.h>
	49
e2cfabdf WD	50	struct seccomp_filter;
	51	/**
	52	* struct seccomp - the state of a seccomp'ed process
	53	*
	54	* @mode: indicates one of the valid values above for controlled
	55	* system calls available to a process.
	56	* @filter: The metadata and ruleset for determining what system calls
	57	* are allowed for a task.
	58	*
	59	* @filter must only be accessed from the context of current as there
	60	* is no locking.
	61	*/
932ecebb WD	62	struct seccomp {
932ecebb WD	63	int mode;
e2cfabdf	64	struct seccomp_filter *filter;
932ecebb	65	};
1da177e4 LT	66
	67	extern void __secure_computing(int);
	68	static inline void secure_computing(int this_syscall)
	69	{
	70	if (unlikely(test_thread_flag(TIF_SECCOMP)))
	71	__secure_computing(this_syscall);
	72	}
	73
1d9d02fe	74	extern long prctl_get_seccomp(void);
e2cfabdf	75	extern long prctl_set_seccomp(unsigned long, char __user *);
1d9d02fe	76
932ecebb	77	static inline int seccomp_mode(struct seccomp *s)
5cec93c2 AL	78	{
	79	return s->mode;
	80	}
	81
1da177e4 LT	82	#else /* CONFIG_SECCOMP */
1da177e4 LT	83
42a17ad2 RB	84	#include <linux/errno.h>
42a17ad2 RB	85
932ecebb	86	struct seccomp { };
e2cfabdf	87	struct seccomp_filter { };
1da177e4	88
e2cfabdf	89	#define secure_computing(x) 0
1da177e4	90
1d9d02fe AA	91	static inline long prctl_get_seccomp(void)
	92	{
	93	return -EINVAL;
	94	}
	95
e2cfabdf	96	static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
1d9d02fe AA	97	{
	98	return -EINVAL;
	99	}
	100
932ecebb	101	static inline int seccomp_mode(struct seccomp *s)
5cec93c2 AL	102	{
	103	return 0;
	104	}
1da177e4 LT	105	#endif /* CONFIG_SECCOMP */
1da177e4 LT	106
e2cfabdf WD	107	#ifdef CONFIG_SECCOMP_FILTER
	108	extern void put_seccomp_filter(struct task_struct *tsk);
	109	extern void get_seccomp_filter(struct task_struct *tsk);
	110	extern u32 seccomp_bpf_load(int off);
	111	#else /* CONFIG_SECCOMP_FILTER */
	112	static inline void put_seccomp_filter(struct task_struct *tsk)
	113	{
	114	return;
	115	}
	116	static inline void get_seccomp_filter(struct task_struct *tsk)
	117	{
	118	return;
	119	}
	120	#endif /* CONFIG_SECCOMP_FILTER */
	121	#endif /* __KERNEL__ */
1da177e4	122	#endif /* _LINUX_SECCOMP_H */