xref: /openbmc/linux/include/linux/seccomp.h (revision 0ed66cb7) 
1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _LINUX_SECCOMP_H
3 #define _LINUX_SECCOMP_H
4 
5 #include <uapi/linux/seccomp.h>
6 
7 #define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
8 					 SECCOMP_FILTER_FLAG_LOG | \
9 					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
10 					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
11 					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH)
12 
13 /* sizeof() the first published struct seccomp_notif_addfd */
14 #define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24
15 #define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0
16 
17 #ifdef CONFIG_SECCOMP
18 
19 #include <linux/thread_info.h>
20 #include <linux/atomic.h>
21 #include <asm/seccomp.h>
22 
23 struct seccomp_filter;
24 /**
25  * struct seccomp - the state of a seccomp'ed process
26  *
27  * @mode:  indicates one of the valid values above for controlled
28  *         system calls available to a process.
29  * @filter: must always point to a valid seccomp-filter or NULL as it is
30  *          accessed without locking during system call entry.
31  *
32  *          @filter must only be accessed from the context of current as there
33  *          is no read locking.
34  */
35 struct seccomp {
36 	int mode;
37 	atomic_t filter_count;
38 	struct seccomp_filter *filter;
39 };
40 
41 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
42 extern int __secure_computing(const struct seccomp_data *sd);
43 static inline int secure_computing(void)
44 {
45 	if (unlikely(test_syscall_work(SECCOMP)))
46 		return  __secure_computing(NULL);
47 	return 0;
48 }
49 #else
50 extern void secure_computing_strict(int this_syscall);
51 #endif
52 
53 extern long prctl_get_seccomp(void);
54 extern long prctl_set_seccomp(unsigned long, void __user *);
55 
56 static inline int seccomp_mode(struct seccomp *s)
57 {
58 	return s->mode;
59 }
60 
61 #else /* CONFIG_SECCOMP */
62 
63 #include <linux/errno.h>
64 
65 struct seccomp { };
66 struct seccomp_filter { };
67 struct seccomp_data;
68 
69 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
70 static inline int secure_computing(void) { return 0; }
71 static inline int __secure_computing(const struct seccomp_data *sd) { return 0; }
72 #else
73 static inline void secure_computing_strict(int this_syscall) { return; }
74 #endif
75 
76 static inline long prctl_get_seccomp(void)
77 {
78 	return -EINVAL;
79 }
80 
81 static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
82 {
83 	return -EINVAL;
84 }
85 
86 static inline int seccomp_mode(struct seccomp *s)
87 {
88 	return SECCOMP_MODE_DISABLED;
89 }
90 #endif /* CONFIG_SECCOMP */
91 
92 #ifdef CONFIG_SECCOMP_FILTER
93 extern void seccomp_filter_release(struct task_struct *tsk);
94 extern void get_seccomp_filter(struct task_struct *tsk);
95 #else  /* CONFIG_SECCOMP_FILTER */
96 static inline void seccomp_filter_release(struct task_struct *tsk)
97 {
98 	return;
99 }
100 static inline void get_seccomp_filter(struct task_struct *tsk)
101 {
102 	return;
103 }
104 #endif /* CONFIG_SECCOMP_FILTER */
105 
106 #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
107 extern long seccomp_get_filter(struct task_struct *task,
108 			       unsigned long filter_off, void __user *data);
109 extern long seccomp_get_metadata(struct task_struct *task,
110 				 unsigned long filter_off, void __user *data);
111 #else
112 static inline long seccomp_get_filter(struct task_struct *task,
113 				      unsigned long n, void __user *data)
114 {
115 	return -EINVAL;
116 }
117 static inline long seccomp_get_metadata(struct task_struct *task,
118 					unsigned long filter_off,
119 					void __user *data)
120 {
121 	return -EINVAL;
122 }
123 #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
124 
125 #ifdef CONFIG_SECCOMP_CACHE_DEBUG
126 struct seq_file;
127 
128 int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns,
129 			   struct pid *pid, struct task_struct *task);
130 #endif
131 #endif /* _LINUX_SECCOMP_H */
132