v5.14.15
  1/* SPDX-License-Identifier: GPL-2.0 */
  2#ifndef _LINUX_SECCOMP_H
  3#define _LINUX_SECCOMP_H
  4
  5#include <uapi/linux/seccomp.h>
 
  6
  7#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
  8					 SECCOMP_FILTER_FLAG_LOG | \
  9					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
 10					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
 11					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH)
 
 12
 13/* sizeof() the first published struct seccomp_notif_addfd */
 14#define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24
 15#define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0
 16
 17#ifdef CONFIG_SECCOMP
 18
 19#include <linux/thread_info.h>
 20#include <linux/atomic.h>
 21#include <asm/seccomp.h>
 22
 23struct seccomp_filter;
 24/**
 25 * struct seccomp - the state of a seccomp'ed process
 26 *
 27 * @mode:  indicates one of the valid values above for controlled
 28 *         system calls available to a process.
 29 * @filter: must always point to a valid seccomp-filter or NULL as it is
 30 *          accessed without locking during system call entry.
 31 *
 32 *          @filter must only be accessed from the context of current as there
 33 *          is no read locking.
 34 */
 35struct seccomp {
 36	int mode;
 37	atomic_t filter_count;
 38	struct seccomp_filter *filter;
 39};
 40
 41#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
 42extern int __secure_computing(const struct seccomp_data *sd);
 43static inline int secure_computing(void)
 44{
 45	if (unlikely(test_syscall_work(SECCOMP)))
 46		return  __secure_computing(NULL);
 47	return 0;
 48}
 49#else
 50extern void secure_computing_strict(int this_syscall);
 
 
 
 
 
 51#endif
 52
 53extern long prctl_get_seccomp(void);
 54extern long prctl_set_seccomp(unsigned long, void __user *);
 55
 56static inline int seccomp_mode(struct seccomp *s)
 57{
 58	return s->mode;
 59}
 60
 61#else /* CONFIG_SECCOMP */
 62
 63#include <linux/errno.h>
 64
 65struct seccomp { };
 66struct seccomp_filter { };
 67struct seccomp_data;
 68
 69#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
 70static inline int secure_computing(void) { return 0; }
 71static inline int __secure_computing(const struct seccomp_data *sd) { return 0; }
 72#else
 73static inline void secure_computing_strict(int this_syscall) { return; }
 74#endif
 
 75
 76static inline long prctl_get_seccomp(void)
 77{
 78	return -EINVAL;
 79}
 80
 81static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
 82{
 83	return -EINVAL;
 84}
 85
 86static inline int seccomp_mode(struct seccomp *s)
 87{
 88	return SECCOMP_MODE_DISABLED;
 89}
 90#endif /* CONFIG_SECCOMP */
 91
 92#ifdef CONFIG_SECCOMP_FILTER
 93extern void seccomp_filter_release(struct task_struct *tsk);
 94extern void get_seccomp_filter(struct task_struct *tsk);
 95#else  /* CONFIG_SECCOMP_FILTER */
 96static inline void seccomp_filter_release(struct task_struct *tsk)
 97{
 98	return;
 99}
100static inline void get_seccomp_filter(struct task_struct *tsk)
101{
102	return;
103}
104#endif /* CONFIG_SECCOMP_FILTER */
105
106#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
107extern long seccomp_get_filter(struct task_struct *task,
108			       unsigned long filter_off, void __user *data);
109extern long seccomp_get_metadata(struct task_struct *task,
110				 unsigned long filter_off, void __user *data);
111#else
112static inline long seccomp_get_filter(struct task_struct *task,
113				      unsigned long n, void __user *data)
114{
115	return -EINVAL;
116}
117static inline long seccomp_get_metadata(struct task_struct *task,
118					unsigned long filter_off,
119					void __user *data)
120{
121	return -EINVAL;
122}
123#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
124
125#ifdef CONFIG_SECCOMP_CACHE_DEBUG
126struct seq_file;
 
 
127
128int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns,
129			   struct pid *pid, struct task_struct *task);
130#endif
131#endif /* _LINUX_SECCOMP_H */
v6.13.7
  1/* SPDX-License-Identifier: GPL-2.0 */
  2#ifndef _LINUX_SECCOMP_H
  3#define _LINUX_SECCOMP_H
  4
  5#include <uapi/linux/seccomp.h>
  6#include <linux/seccomp_types.h>
  7
  8#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
  9					 SECCOMP_FILTER_FLAG_LOG | \
 10					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
 11					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
 12					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH | \
 13					 SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV)
 14
 15/* sizeof() the first published struct seccomp_notif_addfd */
 16#define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24
 17#define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0
 18
 19#ifdef CONFIG_SECCOMP
 20
 21#include <linux/thread_info.h>
 22#include <linux/atomic.h>
 23#include <asm/seccomp.h>
 24
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 25#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
 26extern int __secure_computing(const struct seccomp_data *sd);
 27static inline int secure_computing(void)
 28{
 29	if (unlikely(test_syscall_work(SECCOMP)))
 30		return  __secure_computing(NULL);
 31	return 0;
 32}
 33#else
 34extern void secure_computing_strict(int this_syscall);
 35static inline int __secure_computing(const struct seccomp_data *sd)
 36{
 37	secure_computing_strict(sd->nr);
 38	return 0;
 39}
 40#endif
 41
 42extern long prctl_get_seccomp(void);
 43extern long prctl_set_seccomp(unsigned long, void __user *);
 44
 45static inline int seccomp_mode(struct seccomp *s)
 46{
 47	return s->mode;
 48}
 49
 50#else /* CONFIG_SECCOMP */
 51
 52#include <linux/errno.h>
 53
 
 
 54struct seccomp_data;
 55
 56#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
 57static inline int secure_computing(void) { return 0; }
 
 58#else
 59static inline void secure_computing_strict(int this_syscall) { return; }
 60#endif
 61static inline int __secure_computing(const struct seccomp_data *sd) { return 0; }
 62
 63static inline long prctl_get_seccomp(void)
 64{
 65	return -EINVAL;
 66}
 67
 68static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
 69{
 70	return -EINVAL;
 71}
 72
 73static inline int seccomp_mode(struct seccomp *s)
 74{
 75	return SECCOMP_MODE_DISABLED;
 76}
 77#endif /* CONFIG_SECCOMP */
 78
 79#ifdef CONFIG_SECCOMP_FILTER
 80extern void seccomp_filter_release(struct task_struct *tsk);
 81extern void get_seccomp_filter(struct task_struct *tsk);
 82#else  /* CONFIG_SECCOMP_FILTER */
 83static inline void seccomp_filter_release(struct task_struct *tsk)
 84{
 85	return;
 86}
 87static inline void get_seccomp_filter(struct task_struct *tsk)
 88{
 89	return;
 90}
 91#endif /* CONFIG_SECCOMP_FILTER */
 92
 93#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
 94extern long seccomp_get_filter(struct task_struct *task,
 95			       unsigned long filter_off, void __user *data);
 96extern long seccomp_get_metadata(struct task_struct *task,
 97				 unsigned long filter_off, void __user *data);
 98#else
 99static inline long seccomp_get_filter(struct task_struct *task,
100				      unsigned long n, void __user *data)
101{
102	return -EINVAL;
103}
104static inline long seccomp_get_metadata(struct task_struct *task,
105					unsigned long filter_off,
106					void __user *data)
107{
108	return -EINVAL;
109}
110#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
111
112#ifdef CONFIG_SECCOMP_CACHE_DEBUG
113struct seq_file;
114struct pid_namespace;
115struct pid;
116
117int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns,
118			   struct pid *pid, struct task_struct *task);
119#endif
120#endif /* _LINUX_SECCOMP_H */
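Review bot: The fallback `__secure_computing()` added for builds without CONFIG_HAVE_ARCH_SECCOMP_FILTER (lines 35-39 of the v6.13.7 listing) dereferences `sd->nr` with no NULL check, while the filter-capable `secure_computing()` just above it calls `__secure_computing(NULL)`. The two variants of the same function therefore disagree on whether NULL is a valid argument. This header does not show whether any caller reaches the fallback with NULL, but a NULL dereference on the syscall-entry path would oops the kernel, so the contract should be written down, for example `/* sd must be non-NULL: strict mode needs sd->nr */`, or the stub should tolerate a NULL `sd`. Separately, the !CONFIG_SECCOMP stub `prctl_set_seccomp(unsigned long arg2, char __user *arg3)` still takes `char __user *` where the real prototype takes `void __user *`; `static inline long prctl_set_seccomp(unsigned long arg2, void __user *arg3)` would keep the two configurations type-compatible.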