1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _LINUX_SECCOMP_H 3 #define _LINUX_SECCOMP_H 4 5 #include <uapi/linux/seccomp.h> 6 7 #define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ 8 SECCOMP_FILTER_FLAG_LOG | \ 9 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \ 10 SECCOMP_FILTER_FLAG_NEW_LISTENER | \ 11 SECCOMP_FILTER_FLAG_TSYNC_ESRCH) 12 13 /* sizeof() the first published struct seccomp_notif_addfd */ 14 #define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24 15 #define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0 16 17 #ifdef CONFIG_SECCOMP 18 19 #include <linux/thread_info.h> 20 #include <linux/atomic.h> 21 #include <asm/seccomp.h> 22 23 struct seccomp_filter; 24 /** 25 * struct seccomp - the state of a seccomp'ed process 26 * 27 * @mode: indicates one of the valid values above for controlled 28 * system calls available to a process. 29 * @filter: must always point to a valid seccomp-filter or NULL as it is 30 * accessed without locking during system call entry. 31 * 32 * @filter must only be accessed from the context of current as there 33 * is no read locking. 34 */ 35 struct seccomp { 36 int mode; 37 atomic_t filter_count; 38 struct seccomp_filter *filter; 39 }; 40 41 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER 42 extern int __secure_computing(const struct seccomp_data *sd); 43 static inline int secure_computing(void) 44 { 45 if (unlikely(test_syscall_work(SECCOMP))) 46 return __secure_computing(NULL); 47 return 0; 48 } 49 #else 50 extern void secure_computing_strict(int this_syscall); 51 #endif 52 53 extern long prctl_get_seccomp(void); 54 extern long prctl_set_seccomp(unsigned long, void __user *); 55 56 static inline int seccomp_mode(struct seccomp *s) 57 { 58 return s->mode; 59 } 60 61 #else /* CONFIG_SECCOMP */ 62 63 #include <linux/errno.h> 64 65 struct seccomp { }; 66 struct seccomp_filter { }; 67 struct seccomp_data; 68 69 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER 70 static inline int secure_computing(void) { return 0; } 71 static inline int __secure_computing(const struct seccomp_data *sd) { return 0; } 72 #else 73 static inline void secure_computing_strict(int this_syscall) { return; } 74 #endif 75 76 static inline long prctl_get_seccomp(void) 77 { 78 return -EINVAL; 79 } 80 81 static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3) 82 { 83 return -EINVAL; 84 } 85 86 static inline int seccomp_mode(struct seccomp *s) 87 { 88 return SECCOMP_MODE_DISABLED; 89 } 90 #endif /* CONFIG_SECCOMP */ 91 92 #ifdef CONFIG_SECCOMP_FILTER 93 extern void seccomp_filter_release(struct task_struct *tsk); 94 extern void get_seccomp_filter(struct task_struct *tsk); 95 #else /* CONFIG_SECCOMP_FILTER */ 96 static inline void seccomp_filter_release(struct task_struct *tsk) 97 { 98 return; 99 } 100 static inline void get_seccomp_filter(struct task_struct *tsk) 101 { 102 return; 103 } 104 #endif /* CONFIG_SECCOMP_FILTER */ 105 106 #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE) 107 extern long seccomp_get_filter(struct task_struct *task, 108 unsigned long filter_off, void __user *data); 109 extern long seccomp_get_metadata(struct task_struct *task, 110 unsigned long filter_off, void __user *data); 111 #else 112 static inline long seccomp_get_filter(struct task_struct *task, 113 unsigned long n, void __user *data) 114 { 115 return -EINVAL; 116 } 117 static inline long seccomp_get_metadata(struct task_struct *task, 118 unsigned long filter_off, 119 void __user *data) 120 { 121 return -EINVAL; 122 } 123 #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */ 124 125 #ifdef CONFIG_SECCOMP_CACHE_DEBUG 126 struct seq_file; 127 128 int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns, 129 struct pid *pid, struct task_struct *task); 130 #endif 131 #endif /* _LINUX_SECCOMP_H */ 132