xref: /openbmc/linux/include/linux/seccomp.h (revision be709d48) 
1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _LINUX_SECCOMP_H
3 #define _LINUX_SECCOMP_H
4 
5 #include <uapi/linux/seccomp.h>
6 
7 #define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
8 					 SECCOMP_FILTER_FLAG_LOG | \
9 					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
10 					 SECCOMP_FILTER_FLAG_NEW_LISTENER)
11 
12 #ifdef CONFIG_SECCOMP
13 
14 #include <linux/thread_info.h>
15 #include <asm/seccomp.h>
16 
17 struct seccomp_filter;
18 /**
19  * struct seccomp - the state of a seccomp'ed process
20  *
21  * @mode:  indicates one of the valid values above for controlled
22  *         system calls available to a process.
23  * @filter: must always point to a valid seccomp-filter or NULL as it is
24  *          accessed without locking during system call entry.
25  *
26  *          @filter must only be accessed from the context of current as there
27  *          is no read locking.
28  */
29 struct seccomp {
30 	int mode;
31 	struct seccomp_filter *filter;
32 };
33 
34 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
35 extern int __secure_computing(const struct seccomp_data *sd);
36 static inline int secure_computing(const struct seccomp_data *sd)
37 {
38 	if (unlikely(test_thread_flag(TIF_SECCOMP)))
39 		return  __secure_computing(sd);
40 	return 0;
41 }
42 #else
43 extern void secure_computing_strict(int this_syscall);
44 #endif
45 
46 extern long prctl_get_seccomp(void);
47 extern long prctl_set_seccomp(unsigned long, void __user *);
48 
49 static inline int seccomp_mode(struct seccomp *s)
50 {
51 	return s->mode;
52 }
53 
54 #else /* CONFIG_SECCOMP */
55 
56 #include <linux/errno.h>
57 
58 struct seccomp { };
59 struct seccomp_filter { };
60 
61 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
62 static inline int secure_computing(struct seccomp_data *sd) { return 0; }
63 #else
64 static inline void secure_computing_strict(int this_syscall) { return; }
65 #endif
66 
67 static inline long prctl_get_seccomp(void)
68 {
69 	return -EINVAL;
70 }
71 
72 static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
73 {
74 	return -EINVAL;
75 }
76 
77 static inline int seccomp_mode(struct seccomp *s)
78 {
79 	return SECCOMP_MODE_DISABLED;
80 }
81 #endif /* CONFIG_SECCOMP */
82 
83 #ifdef CONFIG_SECCOMP_FILTER
84 extern void put_seccomp_filter(struct task_struct *tsk);
85 extern void get_seccomp_filter(struct task_struct *tsk);
86 #else  /* CONFIG_SECCOMP_FILTER */
87 static inline void put_seccomp_filter(struct task_struct *tsk)
88 {
89 	return;
90 }
91 static inline void get_seccomp_filter(struct task_struct *tsk)
92 {
93 	return;
94 }
95 #endif /* CONFIG_SECCOMP_FILTER */
96 
97 #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
98 extern long seccomp_get_filter(struct task_struct *task,
99 			       unsigned long filter_off, void __user *data);
100 extern long seccomp_get_metadata(struct task_struct *task,
101 				 unsigned long filter_off, void __user *data);
102 #else
103 static inline long seccomp_get_filter(struct task_struct *task,
104 				      unsigned long n, void __user *data)
105 {
106 	return -EINVAL;
107 }
108 static inline long seccomp_get_metadata(struct task_struct *task,
109 					unsigned long filter_off,
110 					void __user *data)
111 {
112 	return -EINVAL;
113 }
114 #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
115 #endif /* _LINUX_SECCOMP_H */
116