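/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _LINUX_SECCOMP_H
#define _LINUX_SECCOMP_H

#include <uapi/linux/seccomp.h>

/*
 * Union of the five SECCOMP_FILTER_FLAG_* bits listed below.
 * NOTE(review): presumably the filter-install path rejects any flag bit that
 * is not in this mask, so a new flag must be added here before it can be
 * accepted -- confirm against the seccomp implementation.
 */
#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
					 SECCOMP_FILTER_FLAG_LOG | \
					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH)

#ifdef CONFIG_SECCOMP

#include <linux/thread_info.h>
#include <asm/seccomp.h>

struct seccomp_filter;
/**
 * struct seccomp - the state of a seccomp'ed process
 *
 * @mode:  one of the SECCOMP_MODE_* values, selecting which system calls
 *         are available to the process.
 * @filter: must always point to a valid seccomp-filter or NULL as it is
 *          accessed without locking during system call entry.
 *
 *          @filter must only be accessed from the context of current as there
 *          is no read locking.
 */
struct seccomp {
	int mode;
	struct seccomp_filter *filter;
};

#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
extern int __secure_computing(const struct seccomp_data *sd);

/*
 * Seccomp check for the current thread.
 *
 * Only a thread with TIF_SECCOMP set calls into __secure_computing(); any
 * other thread gets 0 straight away.  The result of __secure_computing() is
 * passed through unchanged.
 * NOTE(review): sd is passed as NULL, so __secure_computing() presumably
 * collects the syscall data itself, and a non-zero result presumably tells
 * the caller not to run the syscall -- confirm both in the implementation.
 */
static inline int secure_computing(void)
{
	if (unlikely(test_thread_flag(TIF_SECCOMP)))
		return __secure_computing(NULL);
	return 0;
}
#else
extern void secure_computing_strict(int this_syscall);
#endif

extern long prctl_get_seccomp(void);
/* Parameter names match the !CONFIG_SECCOMP stub further down. */
extern long prctl_set_seccomp(unsigned long arg2, void __user *arg3);

/* Return the seccomp mode recorded in @s; @s is dereferenced unchecked. */
static inline int seccomp_mode(struct seccomp *s)
{
	return s->mode;
}

#else /* CONFIG_SECCOMP */

#include <linux/errno.h>

/* Empty definitions keep both type names usable when seccomp is compiled out. */
struct seccomp { };
struct seccomp_filter { };

/*
 * No filtering happens in this configuration: secure_computing() reports 0,
 * the same value the CONFIG_SECCOMP version returns for a thread without
 * TIF_SECCOMP, and secure_computing_strict() does nothing.
 */
#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
static inline int secure_computing(void) { return 0; }
#else
static inline void secure_computing_strict(int this_syscall) { }
#endif

/*
 * The prctl entry points fail with -EINVAL, so a program that depends on
 * seccomp for sandboxing sees the request fail instead of succeeding silently.
 */
static inline long prctl_get_seccomp(void)
{
	return -EINVAL;
}

/* Takes void __user * like the CONFIG_SECCOMP prototype (was char __user *). */
static inline long prctl_set_seccomp(unsigned long arg2, void __user *arg3)
{
	return -EINVAL;
}
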
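/* !CONFIG_SECCOMP variant: @s is ignored and the mode is always disabled. */
static inline int seccomp_mode(struct seccomp *s)
{
	return SECCOMP_MODE_DISABLED;
}
#endif /* CONFIG_SECCOMP */

#ifdef CONFIG_SECCOMP_FILTER
/*
 * NOTE(review): by their names these presumably drop/take a reference on the
 * task's filter -- confirm in the seccomp implementation.
 */
extern void put_seccomp_filter(struct task_struct *tsk);
extern void get_seccomp_filter(struct task_struct *tsk);
#else  /* CONFIG_SECCOMP_FILTER */
/* Without CONFIG_SECCOMP_FILTER both helpers are no-ops. */
static inline void put_seccomp_filter(struct task_struct *tsk)
{
}
static inline void get_seccomp_filter(struct task_struct *tsk)
{
}
#endif /* CONFIG_SECCOMP_FILTER */

#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
extern long seccomp_get_filter(struct task_struct *task,
			       unsigned long filter_off, void __user *data);
extern long seccomp_get_metadata(struct task_struct *task,
				 unsigned long filter_off, void __user *data);
#else
/*
 * Reading a task's filter or its metadata needs both CONFIG_SECCOMP_FILTER
 * and CONFIG_CHECKPOINT_RESTORE; otherwise the request fails with -EINVAL
 * and @data is never written.
 * NOTE(review): this header includes <linux/errno.h> only in its
 * !CONFIG_SECCOMP branch, so with CONFIG_SECCOMP set EINVAL presumably
 * arrives through another include -- confirm.
 */
static inline long seccomp_get_filter(struct task_struct *task,
				      unsigned long filter_off,
				      void __user *data)
{
	return -EINVAL;
}
static inline long seccomp_get_metadata(struct task_struct *task,
					unsigned long filter_off,
					void __user *data)
{
	return -EINVAL;
}
#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
#endif /* _LINUX_SECCOMP_H */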