/openbmc/linux/Documentation/translations/zh_CN/userspace-api/ |
H A D | seccomp_filter.rst | 29 此外,BPF让seccomp用户不再成为在系统调用干预框架(system call interposition 45 添加了一个额外的seccomp模式,它可以使用和严格seccomp相同的 prctl(2) 调用来启用。 76 一个seccomp过滤器可能返回下列任意值。如果多个过滤器存在,评估一个指定系统调用的 100 由seccomp触发的 ``SIGSYS`` 会有一个 ``SYS_SECCOMP`` 的 si_code 。 121 在追踪器被通知后,seccomp检查不会再次运行。(这意味着基于seccomp的沙箱必须禁止 149 ``samples/seccomp/`` 文件夹包含了x86专用和更通用的使用高层宏接口来生成BPF程序的 155 ``SECCOMP_RET_USER_NOTIF`` 返回值会让seccomp过滤器传递一个特定的系统调用给用户 159 传递 ``SECCOMP_FILTER_FLAG_NEW_LISTENER`` 参数给 ``seccomp()`` 系统调用可以取 164 fd = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog); 171 seccomp通知文件描述符由两个结构体组成: [all …]
/openbmc/openbmc/meta-security/recipes-security/Firejail/ |
H A D | firejail_0.9.72.bb | 4 SUMMARY = "Linux namespaces and seccomp-bpf sandbox" 7 seccomp-bpf and Linux capabilities." 23 REQUIRED_DISTRO_FEATURES = "seccomp" 52 ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp 53 ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp 54 ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp.debug allow-debuggers 55 ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.debug 56 ${libdir}/${BPN}/fseccomp secondary 32 ${libdir}/${BPN}/seccomp.32 57 ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.32 58 ${libdir}/${BPN}/fseccomp secondary block ${libdir}/${BPN}/seccomp.block_secondary [all …]
/openbmc/openbmc/meta-security/recipes-security/Firejail/firejail/ |
H A D | exclude_seccomp_util_compiles.patch | 1 Exclude all the seccomp files to run during build. 16 -SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.md… 26 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize 27 src/fseccomp/fseccomp default seccomp 28 src/fsec-optimize/fsec-optimize seccomp
/openbmc/openbmc/poky/meta/conf/distro/include/ |
H A D | default-distrovars.inc | 17 # seccomp is not yet ported to rv32 18 DISTRO_FEATURES_DEFAULT:remove:riscv32 = "seccomp" 20 # seccomp is not yet ported to ARC 21 DISTRO_FEATURES_DEFAULT:remove:arc = "seccomp" 23 # seccomp is not yet ported to microblaze 24 DISTRO_FEATURES_DEFAULT:remove:microblaze = "seccomp" 26 # seccomp is not yet ported to loongarch64 27 DISTRO_FEATURES_DEFAULT:remove:loongarch64 = "seccomp" 29 …ginfod ext2 ipv4 ipv6 pcmcia usbgadget usbhost wifi xattr nfs zeroconf pci 3g nfc x11 vfat seccomp"
/openbmc/openbmc/poky/meta/recipes-support/gnutls/gnutls/ |
H A D | arm_eabi.patch | 13 tests/seccomp.c | 2 ++ 16 diff --git a/tests/seccomp.c b/tests/seccomp.c 18 --- a/tests/seccomp.c 19 +++ b/tests/seccomp.c
/openbmc/linux/include/linux/ |
H A D | seccomp.h | 37 struct seccomp { struct 58 static inline int seccomp_mode(struct seccomp *s) in seccomp_mode() argument 67 struct seccomp { }; struct 88 static inline int seccomp_mode(struct seccomp *s) in seccomp_mode()
/openbmc/openbmc/meta-security/meta-tpm/recipes-tpm/swtpm/ |
H A D | swtpm_0.8.2.bb | 23 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)}" 32 PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
/openbmc/linux/kernel/ |
H A D | seccomp.c | 412 READ_ONCE(current->seccomp.filter); in seccomp_run_filters() 441 if (current->seccomp.mode && current->seccomp.mode != seccomp_mode) in seccomp_may_assign_mode() 455 task->seccomp.mode = seccomp_mode; in seccomp_assign_mode() 506 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED || in seccomp_can_sync_threads() 507 (thread->seccomp.mode == SECCOMP_MODE_FILTER && in seccomp_can_sync_threads() 508 is_ancestor(thread->seccomp.filter, in seccomp_can_sync_threads() 509 caller->seccomp.filter))) in seccomp_can_sync_threads() 571 struct seccomp_filter *orig = tsk->seccomp.filter; in seccomp_filter_release() 577 tsk->seccomp.filter = NULL; in seccomp_filter_release() 613 __seccomp_filter_release(thread->seccomp.filter); in seccomp_sync_threads() [all …]
/openbmc/linux/Documentation/userspace-api/ |
H A D | seccomp_filter.rst | 24 Additionally, BPF makes it impossible for users of seccomp to fall prey 46 An additional seccomp mode is added and is enabled using the same 47 prctl(2) call as the strict seccomp. If the architecture has 87 A seccomp filter may return any of the following values. If multiple 119 ``SIGSYS`` triggered by seccomp will have a si_code of ``SYS_SECCOMP``. 149 The seccomp check will not be run again after the tracer is 150 notified. (This means that seccomp-based sandboxes MUST NOT 187 The ``samples/seccomp/`` directory contains both an x86-specific example 194 The ``SECCOMP_RET_USER_NOTIF`` return code lets seccomp filters pass a 200 argument to the ``seccomp()`` syscall: [all …]
/openbmc/openbmc/poky/meta/recipes-support/libseccomp/ |
H A D | libseccomp_2.5.5.bb | 1 SUMMARY = "interface to seccomp filtering mechanism" 2 …o use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp." 3 HOMEPAGE = "https://github.com/seccomp/libseccomp" 12 SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5;protocol=https \ 22 REQUIRED_DISTRO_FEATURES = "seccomp"
/openbmc/openbmc/meta-openembedded/meta-oe/recipes-devtools/ctags/ |
H A D | ctags_6.1.20241201.0.bb | 32 PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
/openbmc/openbmc/meta-openembedded/meta-oe/recipes-security/usbguard/ |
H A D | usbguard_1.1.3.bb | 35 ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ 45 PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
/openbmc/linux/Documentation/features/seccomp/seccomp-filter/ |
H A D | arch-support.txt | 2 # Feature name: seccomp-filter 4 # description: arch supports seccomp filters
/openbmc/openbmc/meta-ibm/meta-romulus/recipes-core/systemd/ |
H A D | systemd_%.bbappend | 9 # Remove seccomp support for Romulus to save space. This isn't actively 11 PACKAGECONFIG:remove:romulus = "seccomp"
/openbmc/openbmc/meta-openembedded/meta-oe/recipes-extended/flatpak/ |
H A D | flatpak_1.15.10.bb | 60 PACKAGECONFIG[seccomp] = "-Dseccomp=enabled,-Dseccomp=disabled,libseccomp" 68 ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)} \
/openbmc/openbmc/meta-openembedded/meta-networking/recipes-support/ntpsec/ |
H A D | ntpsec_1.2.2a.bb | 29 PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'seccomp systemd', d)} \ 37 PACKAGECONFIG:remove:riscv32 = "seccomp" 46 PACKAGECONFIG[seccomp] = "--enable-seccomp,,libseccomp"
/openbmc/qemu/system/ |
H A D | meson.build | 33 system_ss.add(when: seccomp, if_true: files('qemu-seccomp.c'))
/openbmc/openbmc/meta-openembedded/meta-gnome/recipes-gnome/tracker/ |
H A D | localsearch_3.8.1.bb | 41 ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ 47 PACKAGECONFIG:remove:libc-musl = "seccomp" 71 PACKAGECONFIG[seccomp] = "-Dseccomp=true,-Dseccomp=false,libseccomp"
/openbmc/linux/tools/testing/selftests/seccomp/ |
H A D | seccomp_bpf.c | 282 #ifndef seccomp 283 int seccomp(unsigned int op, unsigned int flags, void *args) in seccomp() function 835 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, in kill_thread_or_group() 844 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread)); in kill_thread_or_group() 2123 FIXTURE_VARIANT_ADD(TRACE_syscall, seccomp) { in FIXTURE_VARIANT_ADD() argument 2322 ret = seccomp(-1, 0, &prog); in TEST() 2331 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL); in TEST() 2335 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog); in TEST() 2341 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog); in TEST() 2345 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL); in TEST() [all …]
/openbmc/openbmc/meta-openembedded/meta-networking/recipes-daemons/lldpd/ |
H A D | lldpd_1.0.18.bb | 35 PACKAGECONFIG[seccomp] = "--with-seccomp,--without-seccomp,libseccomp"
/openbmc/openbmc/meta-openembedded/meta-oe/recipes-devtools/pax-utils/ |
H A D | pax-utils_1.3.3.bb | 32 PACKAGECONFIG[libseccomp] = "--with-seccomp, --without-seccomp, libseccomp"
/openbmc/openbmc/poky/meta/recipes-devtools/apt/apt/ |
H A D | 0001-Hide-fstatat64-and-prlimit64-defines-on-musl.patch | 7 seccomp sysall rewiring since there are syscalls with same names 21 return _error->FatalE("HttpMethod::Configuration", "Cannot init seccomp");
/openbmc/linux/samples/seccomp/ |
H A D | user-trap.c | 26 static int seccomp(unsigned int op, unsigned int flags, void *args) in seccomp() function 101 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog); in user_trap_syscall() 293 if (seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes) < 0) { in main()
/openbmc/qemu/tests/unit/ |
H A D | meson.build | 58 if seccomp.found() 59 tests += {'test-seccomp': ['../../system/qemu-seccomp.c', seccomp]}
/openbmc/openbmc/poky/meta/recipes-support/gnutls/ |
H A D | gnutls_3.8.8.bb | 32 PACKAGECONFIG ??= "libidn libtasn1 ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)}" 35 # seccomp to work. 36 PACKAGECONFIG[seccomp] = "--with-libseccomp-prefix=${STAGING_EXECPREFIXDIR},ac_cv_libseccomp=no,lib…