[systemd.git] / src / shared / seccomp-util.h

/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once

/***
  This file is part of systemd.

  Copyright 2014 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <seccomp.h>
#include <stdbool.h>
#include <stdint.h>

#include "set.h"

const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);

int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action);

bool is_seccomp_available(void);

typedef struct SyscallFilterSet {
        const char *name;
        const char *help;
        const char *value;
} SyscallFilterSet;

enum {
        /* Please leave DEFAULT first, but sort the rest alphabetically */
        SYSCALL_FILTER_SET_DEFAULT,
        SYSCALL_FILTER_SET_AIO,
        SYSCALL_FILTER_SET_BASIC_IO,
        SYSCALL_FILTER_SET_CHOWN,
        SYSCALL_FILTER_SET_CLOCK,
        SYSCALL_FILTER_SET_CPU_EMULATION,
        SYSCALL_FILTER_SET_DEBUG,
        SYSCALL_FILTER_SET_FILE_SYSTEM,
        SYSCALL_FILTER_SET_IO_EVENT,
        SYSCALL_FILTER_SET_IPC,
        SYSCALL_FILTER_SET_KEYRING,
        SYSCALL_FILTER_SET_MEMLOCK,
        SYSCALL_FILTER_SET_MODULE,
        SYSCALL_FILTER_SET_MOUNT,
        SYSCALL_FILTER_SET_NETWORK_IO,
        SYSCALL_FILTER_SET_OBSOLETE,
        SYSCALL_FILTER_SET_PRIVILEGED,
        SYSCALL_FILTER_SET_PROCESS,
        SYSCALL_FILTER_SET_RAW_IO,
        SYSCALL_FILTER_SET_REBOOT,
        SYSCALL_FILTER_SET_RESOURCES,
        SYSCALL_FILTER_SET_SETUID,
        SYSCALL_FILTER_SET_SIGNAL,
        SYSCALL_FILTER_SET_SWAP,
        SYSCALL_FILTER_SET_SYNC,
        SYSCALL_FILTER_SET_TIMER,
        _SYSCALL_FILTER_SET_MAX
};

extern const SyscallFilterSet syscall_filter_sets[];

const SyscallFilterSet *syscall_filter_set_find(const char *name);

int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);

int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude);

int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);

int seccomp_restrict_archs(Set *archs);
int seccomp_restrict_namespaces(unsigned long retain);
int seccomp_protect_sysctl(void);
int seccomp_restrict_address_families(Set *address_families, bool whitelist);
int seccomp_restrict_realtime(void);
int seccomp_memory_deny_write_execute(void);
int seccomp_lock_personality(unsigned long personality);

extern const uint32_t seccomp_local_archs[];

#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
        for (unsigned _i = ({ (arch) = seccomp_local_archs[0]; 0; });   \
             seccomp_local_archs[_i] != (uint32_t) -1;                  \
             (arch) = seccomp_local_archs[++_i])

DEFINE_TRIVIAL_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release);

int parse_syscall_archs(char **l, Set **archs);
Commit	Line	Data
52ad194e	1	/* SPDX-License-Identifier: LGPL-2.1+ */
663996b3 MS	2	#pragma once
	3
	4	/***
	5	This file is part of systemd.
	6
60f067b4	7	Copyright 2014 Lennart Poettering
663996b3 MS	8
	9	systemd is free software; you can redistribute it and/or modify it
	10	under the terms of the GNU Lesser General Public License as published by
	11	the Free Software Foundation; either version 2.1 of the License, or
	12	(at your option) any later version.
	13
	14	systemd is distributed in the hope that it will be useful, but
	15	WITHOUT ANY WARRANTY; without even the implied warranty of
	16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	17	Lesser General Public License for more details.
	18
	19	You should have received a copy of the GNU Lesser General Public License
	20	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	21	***/
	22
e735f4d4	23	#include <seccomp.h>
8a584da2	24	#include <stdbool.h>
4c89c718	25	#include <stdint.h>
663996b3	26
2897b343 MP	27	#include "set.h"
2897b343 MP	28
60f067b4 JS	29	const char* seccomp_arch_to_string(uint32_t c);
	30	int seccomp_arch_from_string(const char n, uint32_t ret);
	31
2897b343	32	int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action);
8a584da2 MP	33
	34	bool is_seccomp_available(void);
	35
	36	typedef struct SyscallFilterSet {
	37	const char *name;
2897b343	38	const char *help;
5a920b42	39	const char *value;
8a584da2 MP	40	} SyscallFilterSet;
	41
	42	enum {
2897b343 MP	43	/* Please leave DEFAULT first, but sort the rest alphabetically */
2897b343 MP	44	SYSCALL_FILTER_SET_DEFAULT,
f5e65279	45	SYSCALL_FILTER_SET_AIO,
8a584da2	46	SYSCALL_FILTER_SET_BASIC_IO,
f5e65279	47	SYSCALL_FILTER_SET_CHOWN,
8a584da2 MP	48	SYSCALL_FILTER_SET_CLOCK,
	49	SYSCALL_FILTER_SET_CPU_EMULATION,
	50	SYSCALL_FILTER_SET_DEBUG,
2897b343	51	SYSCALL_FILTER_SET_FILE_SYSTEM,
8a584da2 MP	52	SYSCALL_FILTER_SET_IO_EVENT,
	53	SYSCALL_FILTER_SET_IPC,
	54	SYSCALL_FILTER_SET_KEYRING,
f5e65279	55	SYSCALL_FILTER_SET_MEMLOCK,
8a584da2 MP	56	SYSCALL_FILTER_SET_MODULE,
	57	SYSCALL_FILTER_SET_MOUNT,
	58	SYSCALL_FILTER_SET_NETWORK_IO,
	59	SYSCALL_FILTER_SET_OBSOLETE,
	60	SYSCALL_FILTER_SET_PRIVILEGED,
	61	SYSCALL_FILTER_SET_PROCESS,
	62	SYSCALL_FILTER_SET_RAW_IO,
2897b343	63	SYSCALL_FILTER_SET_REBOOT,
8a584da2	64	SYSCALL_FILTER_SET_RESOURCES,
f5e65279 MB	65	SYSCALL_FILTER_SET_SETUID,
f5e65279 MB	66	SYSCALL_FILTER_SET_SIGNAL,
2897b343	67	SYSCALL_FILTER_SET_SWAP,
f5e65279 MB	68	SYSCALL_FILTER_SET_SYNC,
f5e65279 MB	69	SYSCALL_FILTER_SET_TIMER,
8a584da2 MP	70	_SYSCALL_FILTER_SET_MAX
	71	};
	72
	73	extern const SyscallFilterSet syscall_filter_sets[];
	74
	75	const SyscallFilterSet syscall_filter_set_find(const char name);
	76
52ad194e	77	int seccomp_filter_set_add(Hashmap s, bool b, const SyscallFilterSet set);
f5e65279 MB	78
	79	int seccomp_add_syscall_filter_item(scmp_filter_ctx ctx, const char name, uint32_t action, char **exclude);
	80
2897b343	81	int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
52ad194e	82	int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action);
2897b343 MP	83
	84	int seccomp_restrict_archs(Set *archs);
	85	int seccomp_restrict_namespaces(unsigned long retain);
	86	int seccomp_protect_sysctl(void);
	87	int seccomp_restrict_address_families(Set *address_families, bool whitelist);
	88	int seccomp_restrict_realtime(void);
	89	int seccomp_memory_deny_write_execute(void);
f5e65279	90	int seccomp_lock_personality(unsigned long personality);
2897b343	91
2897b343 MP	92	extern const uint32_t seccomp_local_archs[];
	93
	94	#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
	95	for (unsigned _i = ({ (arch) = seccomp_local_archs[0]; 0; }); \
	96	seccomp_local_archs[_i] != (uint32_t) -1; \
	97	(arch) = seccomp_local_archs[++_i])
	98
	99	DEFINE_TRIVIAL_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release);
f5e65279 MB	100
f5e65279 MB	101	int parse_syscall_archs(char l, Set archs);