src/shared/linux/seccomp-bpf.h - systemd-stable - Rivoreo Source Code Repositories

 /*
  * seccomp example for x86 (32-bit and 64-bit) with BPF macros
  *
  * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
  * Authors:
  *  Will Drewry <wad@chromium.org>
  *  Kees Cook <keescook@chromium.org>
  *
  * The code may be used by anyone for any purpose, and can serve as a
  * starting point for developing applications using mode 2 seccomp.
  */
 #ifndef _SECCOMP_BPF_H_
 #define _SECCOMP_BPF_H_

 #include <stdio.h>
 #include <stddef.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <signal.h>
 #include <string.h>
 #include <unistd.h>

 #include <sys/prctl.h>

 #include <linux/unistd.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <linux/seccomp.h>

 #ifndef SECCOMP_MODE_FILTER
 # define SECCOMP_MODE_FILTER	2 /* uses user-supplied filter. */
 # define SECCOMP_RET_KILL	0x00000000U /* kill the task immediately */
 # define SECCOMP_RET_TRAP	0x00030000U /* disallow and force a SIGSYS */
 # define SECCOMP_RET_ALLOW	0x7fff0000U /* allow */
 struct seccomp_data {
     int nr;
     __u32 arch;
     __u64 instruction_pointer;
     __u64 args[6];
 };
 #endif
 #ifndef SYS_SECCOMP
 # define SYS_SECCOMP 1
 #endif

 #define syscall_nr (offsetof(struct seccomp_data, nr))
 #define arch_nr (offsetof(struct seccomp_data, arch))

 #if defined(__i386__)
 # define REG_SYSCALL	REG_EAX
 # define ARCH_NR	AUDIT_ARCH_I386
 #elif defined(__x86_64__)
 # define REG_SYSCALL	REG_RAX
 # define ARCH_NR	AUDIT_ARCH_X86_64
 #else
 # warning "Platform does not support seccomp filter yet"
 # define REG_SYSCALL	0
 # define ARCH_NR	0
 #endif

 #define VALIDATE_ARCHITECTURE \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

 #define EXAMINE_SYSCALL \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)

 #define ALLOW_SYSCALL(name) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)

 #define _KILL_PROCESS \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

 #endif /* _SECCOMP_BPF_H_ */
	/*
	* seccomp example for x86 (32-bit and 64-bit) with BPF macros
	*
	* Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
	* Authors:
	* Will Drewry <wad@chromium.org>
	* Kees Cook <keescook@chromium.org>
	*
	* The code may be used by anyone for any purpose, and can serve as a
	* starting point for developing applications using mode 2 seccomp.
	*/
	#ifndef _SECCOMP_BPF_H_
	#define _SECCOMP_BPF_H_

	#include <stdio.h>
	#include <stddef.h>
	#include <stdlib.h>
	#include <errno.h>
	#include <signal.h>
	#include <string.h>
	#include <unistd.h>

	#include <sys/prctl.h>

	#include <linux/unistd.h>
	#include <linux/audit.h>
	#include <linux/filter.h>
	#include <linux/seccomp.h>

	#ifndef SECCOMP_MODE_FILTER
	# define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
	# define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
	# define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
	# define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
	struct seccomp_data {
	int nr;
	__u32 arch;
	__u64 instruction_pointer;
	__u64 args[6];
	};
	#endif
	#ifndef SYS_SECCOMP
	# define SYS_SECCOMP 1
	#endif

	#define syscall_nr (offsetof(struct seccomp_data, nr))
	#define arch_nr (offsetof(struct seccomp_data, arch))

	#if defined(__i386__)
	# define REG_SYSCALL REG_EAX
	# define ARCH_NR AUDIT_ARCH_I386
	#elif defined(__x86_64__)
	# define REG_SYSCALL REG_RAX
	# define ARCH_NR AUDIT_ARCH_X86_64
	#else
	# warning "Platform does not support seccomp filter yet"
	# define REG_SYSCALL 0
	# define ARCH_NR 0
	#endif

	#define VALIDATE_ARCHITECTURE \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

	#define EXAMINE_SYSCALL \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)

	#define ALLOW_SYSCALL(name) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)

	#define _KILL_PROCESS \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

	#endif /* _SECCOMP_BPF_H_ */