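/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _LINUX_SECCOMP_H
#define _LINUX_SECCOMP_H

#include <uapi/linux/seccomp.h>

/*
 * Union of every SECCOMP_FILTER_FLAG_* bit this header treats as known.
 * A flag that exists in the uapi header but is not listed here falls
 * outside the mask.
 * NOTE(review): the code that tests caller-supplied flags against this
 * mask is not in this header; presumably unknown bits are rejected
 * there - confirm at the point of use.
 */
#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
					 SECCOMP_FILTER_FLAG_LOG | \
					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH)

#ifdef CONFIG_SECCOMP

#include <linux/thread_info.h>
#include <asm/seccomp.h>

struct seccomp_filter;
/**
 * struct seccomp - the state of a seccomp'ed process
 *
 * @mode:  one of the SECCOMP_MODE_* values from <uapi/linux/seccomp.h>,
 *         selecting which system calls are available to a process.
 * @filter: must always point to a valid seccomp-filter or NULL as it is
 *          accessed without locking during system call entry.
 *
 *          @filter must only be accessed from the context of current as
 *          there is no read locking.
 */
struct seccomp {
	int mode;
	struct seccomp_filter *filter;
};

#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
extern int __secure_computing(const struct seccomp_data *sd);

/**
 * secure_computing - per-syscall seccomp gate
 *
 * Threads without TIF_SECCOMP return 0 immediately and nothing is
 * evaluated; only flagged threads reach __secure_computing(), which is
 * called here with a NULL seccomp_data pointer.
 *
 * Return: 0 when TIF_SECCOMP is clear, otherwise whatever
 * __secure_computing() returns.
 * NOTE(review): the meaning of a nonzero return is defined by
 * __secure_computing(), which is not visible in this header; callers
 * presumably must act on it rather than ignore it - confirm.
 */
static inline int secure_computing(void)
{
	if (unlikely(test_thread_flag(TIF_SECCOMP)))
		return __secure_computing(NULL);
	return 0;
}
#else
/* Without CONFIG_HAVE_ARCH_SECCOMP_FILTER this is the only entry hook. */
extern void secure_computing_strict(int this_syscall);
#endif

extern long prctl_get_seccomp(void);
/* @arg3 is a userspace pointer (__user); it is never dereferenced here. */
extern long prctl_set_seccomp(unsigned long arg2, void __user *arg3);

/* Return the mode stored in @s; @s is dereferenced without a NULL check. */
static inline int seccomp_mode(struct seccomp *s)
{
	return s->mode;
}

#else /* CONFIG_SECCOMP */

#include <linux/errno.h>

/*
 * Seccomp compiled out.  The entry hooks below let every system call
 * through unfiltered, while the prctl entry points return -EINVAL, so a
 * request to enter a sandbox reports an error instead of appearing to
 * succeed.  A caller that ignores that error runs unconfined.
 */
struct seccomp { };
struct seccomp_filter { };

#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
static inline int secure_computing(void) { return 0; }
#else
static inline void secure_computing_strict(int this_syscall) { return; }
#endif

static inline long prctl_get_seccomp(void)
{
	return -EINVAL;
}

/*
 * Takes void __user * so the stub has the same prototype as the extern
 * declaration used when CONFIG_SECCOMP is set.
 */
static inline long prctl_set_seccomp(unsigned long arg2, void __user *arg3)
{
	return -EINVAL;
}

/* Always reports SECCOMP_MODE_DISABLED; @s is not read. */
static inline int seccomp_mode(struct seccomp *s)
{
	return SECCOMP_MODE_DISABLED;
}
#endif /* CONFIG_SECCOMP */

#ifdef CONFIG_SECCOMP_FILTER
/*
 * NOTE(review): the names suggest dropping/taking a reference on @tsk's
 * filter; the implementations are not in this header - confirm there.
 */
extern void put_seccomp_filter(struct task_struct *tsk);
extern void get_seccomp_filter(struct task_struct *tsk);
#else  /* CONFIG_SECCOMP_FILTER */
/* No filter support: both calls are no-ops. */
static inline void put_seccomp_filter(struct task_struct *tsk)
{
	return;
}
static inline void get_seccomp_filter(struct task_struct *tsk)
{
	return;
}
#endif /* CONFIG_SECCOMP_FILTER */

/*
 * Reading another task's filter or its metadata is only available when
 * both CONFIG_SECCOMP_FILTER and CONFIG_CHECKPOINT_RESTORE are set;
 * otherwise the stubs return -EINVAL.  @data is a userspace pointer.
 *
 * NOTE(review): the stubs need EINVAL even when CONFIG_SECCOMP is set,
 * but <linux/errno.h> is included directly only in the !CONFIG_SECCOMP
 * branch above, so that configuration relies on another header pulling
 * it in - confirm.
 */
#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
extern long seccomp_get_filter(struct task_struct *task,
			       unsigned long filter_off, void __user *data);
extern long seccomp_get_metadata(struct task_struct *task,
				 unsigned long filter_off, void __user *data);
#else
static inline long seccomp_get_filter(struct task_struct *task,
				      unsigned long filter_off,
				      void __user *data)
{
	return -EINVAL;
}
static inline long seccomp_get_metadata(struct task_struct *task,
					unsigned long filter_off,
					void __user *data)
{
	return -EINVAL;
}
#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
#endif /* _LINUX_SECCOMP_H */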