Commit | Line | Data |
---|---|---|
6f52b16c | 1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
607ca46e DH |
2 | #ifndef _UAPI_LINUX_SECCOMP_H |
3 | #define _UAPI_LINUX_SECCOMP_H | |
4 | ||
5 | #include <linux/compiler.h> | |
6 | #include <linux/types.h> | |
7 | ||
8 | ||
9 | /* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */ | |
10 | #define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */ | |
11 | #define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */ | |
12 | #define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ | |
13 | ||
48dc92b9 | 14 | /* Valid operations for seccomp syscall. */ |
d612b1fd TH |
15 | #define SECCOMP_SET_MODE_STRICT 0 |
16 | #define SECCOMP_SET_MODE_FILTER 1 | |
17 | #define SECCOMP_GET_ACTION_AVAIL 2 | |
48dc92b9 | 18 | |
c2e1f2e3 KC |
19 | /* Valid flags for SECCOMP_SET_MODE_FILTER */ |
20 | #define SECCOMP_FILTER_FLAG_TSYNC 1 | |
e66a3997 | 21 | #define SECCOMP_FILTER_FLAG_LOG 2 |
c2e1f2e3 | 22 | |
607ca46e DH |
23 | /* |
24 | * All BPF programs must return a 32-bit value. | |
25 | * The bottom 16-bits are for optional return data. | |
4d3b0b05 KC |
26 | * The upper 16-bits are ordered from least permissive values to most, |
27 | * as a signed value (so 0x80000000 is negative). | |
607ca46e DH |
28 | * |
29 | * The ordering ensures that a min_t() over composed return values always | |
30 | * selects the least permissive choice. | |
31 | */ | |
4d3b0b05 KC |
32 | #define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */ |
33 | #define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */ | |
34 | #define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD | |
35 | #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */ | |
36 | #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */ | |
37 | #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */ | |
38 | #define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */ | |
39 | #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ | |
607ca46e DH |
40 | |
41 | /* Masks for the return value sections. */ | |
0466bdb9 | 42 | #define SECCOMP_RET_ACTION_FULL 0xffff0000U |
607ca46e DH |
43 | #define SECCOMP_RET_ACTION 0x7fff0000U |
44 | #define SECCOMP_RET_DATA 0x0000ffffU | |
45 | ||
46 | /** | |
47 | * struct seccomp_data - the format the BPF program executes over. | |
48 | * @nr: the system call number | |
49 | * @arch: indicates system call convention as an AUDIT_ARCH_* value | |
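50 | * as defined in <linux/audit.h>. A filter should check this before acting on @nr, because system call numbers differ between conventions. | |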
51 | * @instruction_pointer: at the time of the system call. | |
52 | * @args: up to 6 system call arguments always stored as 64-bit values | |
53 | * regardless of the architecture. | |
54 | */ | |
55 | struct seccomp_data { | |
56 | int nr; | |
57 | __u32 arch; | |
58 | __u64 instruction_pointer; | |
59 | __u64 args[6]; | |
60 | }; | |
61 | ||
62 | #endif /* _UAPI_LINUX_SECCOMP_H */ |