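/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _LINUX_SECCOMP_H
#define _LINUX_SECCOMP_H

#include <uapi/linux/seccomp.h>

/*
 * Union of the SECCOMP_FILTER_FLAG_* bits named below. A flag added to
 * the uapi header but not listed here is not part of the mask.
 * NOTE(review): the code that tests user-supplied flags against this mask
 * is not in this header - confirm it rejects any bit outside the mask.
 */
#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
					 SECCOMP_FILTER_FLAG_LOG | \
					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
					 SECCOMP_FILTER_FLAG_NEW_LISTENER)

#ifdef CONFIG_SECCOMP

#include <linux/thread_info.h>
#include <asm/seccomp.h>

struct seccomp_filter;
/**
 * struct seccomp - the state of a seccomp'ed process
 *
 * @mode:  one of the SECCOMP_MODE_* values from <uapi/linux/seccomp.h>,
 *         selecting which system calls are available to the process.
 * @filter: must always point to a valid seccomp-filter or NULL as it is
 *          accessed without locking during system call entry.
 *
 * @filter must only be accessed from the context of current as there
 * is no read locking.
 */
struct seccomp {
	int mode;
	struct seccomp_filter *filter;
};

#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
extern int __secure_computing(const struct seccomp_data *sd);

/**
 * secure_computing - gate the call into __secure_computing()
 * @sd: syscall data, passed through unchanged to __secure_computing()
 *
 * Only calls __secure_computing() when the current thread has TIF_SECCOMP
 * set; unlikely() marks that as the rare case.
 *
 * Return: 0 when TIF_SECCOMP is clear, otherwise whatever
 * __secure_computing() returns.
 * NOTE(review): the meaning of a non-zero result is defined by
 * __secure_computing(), which is not visible here - callers on the syscall
 * entry path should be checked to make sure they act on it.
 */
static inline int secure_computing(const struct seccomp_data *sd)
{
	if (unlikely(test_thread_flag(TIF_SECCOMP)))
		return __secure_computing(sd);
	return 0;
}
#else
extern void secure_computing_strict(int this_syscall);
#endif

extern long prctl_get_seccomp(void);
extern long prctl_set_seccomp(unsigned long, void __user *);

/* Read the mode recorded in @s; @s is dereferenced without a NULL check. */
static inline int seccomp_mode(struct seccomp *s)
{
	return s->mode;
}

#else /* CONFIG_SECCOMP */

#include <linux/errno.h>

/*
 * Seccomp compiled out: struct seccomp and struct seccomp_filter are empty
 * placeholders, the syscall hooks do nothing, and both prctl helpers fail
 * with -EINVAL rather than report success.
 *
 * Parameter types mirror the CONFIG_SECCOMP declarations above so that a
 * caller type-checks the same way in both configurations.
 */
struct seccomp { };
struct seccomp_filter { };

#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
/* Stub: always 0, no check is performed on @sd. */
static inline int secure_computing(const struct seccomp_data *sd) { return 0; }
#else
/* Stub: does nothing with @this_syscall. */
static inline void secure_computing_strict(int this_syscall) { return; }
#endif

/* Stub: always -EINVAL. */
static inline long prctl_get_seccomp(void)
{
	return -EINVAL;
}

/* Stub: always -EINVAL; @arg2 and @arg3 are ignored. */
static inline long prctl_set_seccomp(unsigned long arg2, void __user *arg3)
{
	return -EINVAL;
}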
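/*
 * Stub for the branch closed by the #endif below: @s is ignored and the
 * mode is always reported as SECCOMP_MODE_DISABLED.
 */
static inline int seccomp_mode(struct seccomp *s)
{
	return SECCOMP_MODE_DISABLED;
}
#endif /* CONFIG_SECCOMP */

/*
 * Filter get/put hooks.
 * NOTE(review): the names suggest taking and dropping a reference on the
 * task's filter; the implementations are not visible in this header.
 * Without CONFIG_SECCOMP_FILTER both are empty and @tsk is untouched.
 */
#ifdef CONFIG_SECCOMP_FILTER
extern void put_seccomp_filter(struct task_struct *tsk);
extern void get_seccomp_filter(struct task_struct *tsk);
#else  /* CONFIG_SECCOMP_FILTER */
static inline void put_seccomp_filter(struct task_struct *tsk)
{
}
static inline void get_seccomp_filter(struct task_struct *tsk)
{
}
#endif /* CONFIG_SECCOMP_FILTER */

/*
 * Filter and metadata retrieval for another task. Both helpers take a
 * __user pointer @data and exist only when CONFIG_SECCOMP_FILTER and
 * CONFIG_CHECKPOINT_RESTORE are both enabled; otherwise the stubs fail
 * with -EINVAL and never touch @data.
 * NOTE(review): what the real implementations require of the caller
 * before exposing @task's filter is not visible here - confirm the access
 * check at the call site.
 */
#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
extern long seccomp_get_filter(struct task_struct *task,
			       unsigned long filter_off, void __user *data);
extern long seccomp_get_metadata(struct task_struct *task,
				 unsigned long filter_off, void __user *data);
#else
/* Stub: always -EINVAL. Parameter named filter_off to match the prototype. */
static inline long seccomp_get_filter(struct task_struct *task,
				      unsigned long filter_off,
				      void __user *data)
{
	return -EINVAL;
}
/* Stub: always -EINVAL. */
static inline long seccomp_get_metadata(struct task_struct *task,
					unsigned long filter_off,
					void __user *data)
{
	return -EINVAL;
}
#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
#endif /* _LINUX_SECCOMP_H */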