xref: /openbmc/linux/include/linux/seccomp.h (revision ef9303fd) 
1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _LINUX_SECCOMP_H
3 #define _LINUX_SECCOMP_H
4 
5 #include <uapi/linux/seccomp.h>
6 
7 #define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
8 					 SECCOMP_FILTER_FLAG_LOG | \
9 					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
10 					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
11 					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH)
12 
13 #ifdef CONFIG_SECCOMP
14 
15 #include <linux/thread_info.h>
16 #include <asm/seccomp.h>
17 
18 struct seccomp_filter;
19 /**
20  * struct seccomp - the state of a seccomp'ed process
21  *
22  * @mode:  indicates one of the valid values above for controlled
23  *         system calls available to a process.
24  * @filter: must always point to a valid seccomp-filter or NULL as it is
25  *          accessed without locking during system call entry.
26  *
27  *          @filter must only be accessed from the context of current as there
28  *          is no read locking.
29  */
30 struct seccomp {
31 	int mode;
32 	struct seccomp_filter *filter;
33 };
34 
35 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
36 extern int __secure_computing(const struct seccomp_data *sd);
37 static inline int secure_computing(void)
38 {
39 	if (unlikely(test_thread_flag(TIF_SECCOMP)))
40 		return  __secure_computing(NULL);
41 	return 0;
42 }
43 #else
44 extern void secure_computing_strict(int this_syscall);
45 #endif
46 
47 extern long prctl_get_seccomp(void);
48 extern long prctl_set_seccomp(unsigned long, void __user *);
49 
50 static inline int seccomp_mode(struct seccomp *s)
51 {
52 	return s->mode;
53 }
54 
55 #else /* CONFIG_SECCOMP */
56 
57 #include <linux/errno.h>
58 
59 struct seccomp { };
60 struct seccomp_filter { };
61 
62 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
63 static inline int secure_computing(void) { return 0; }
64 #else
65 static inline void secure_computing_strict(int this_syscall) { return; }
66 #endif
67 
68 static inline long prctl_get_seccomp(void)
69 {
70 	return -EINVAL;
71 }
72 
73 static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
74 {
75 	return -EINVAL;
76 }
77 
78 static inline int seccomp_mode(struct seccomp *s)
79 {
80 	return SECCOMP_MODE_DISABLED;
81 }
82 #endif /* CONFIG_SECCOMP */
83 
84 #ifdef CONFIG_SECCOMP_FILTER
85 extern void put_seccomp_filter(struct task_struct *tsk);
86 extern void get_seccomp_filter(struct task_struct *tsk);
87 #else  /* CONFIG_SECCOMP_FILTER */
88 static inline void put_seccomp_filter(struct task_struct *tsk)
89 {
90 	return;
91 }
92 static inline void get_seccomp_filter(struct task_struct *tsk)
93 {
94 	return;
95 }
96 #endif /* CONFIG_SECCOMP_FILTER */
97 
98 #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
99 extern long seccomp_get_filter(struct task_struct *task,
100 			       unsigned long filter_off, void __user *data);
101 extern long seccomp_get_metadata(struct task_struct *task,
102 				 unsigned long filter_off, void __user *data);
103 #else
104 static inline long seccomp_get_filter(struct task_struct *task,
105 				      unsigned long n, void __user *data)
106 {
107 	return -EINVAL;
108 }
109 static inline long seccomp_get_metadata(struct task_struct *task,
110 					unsigned long filter_off,
111 					void __user *data)
112 {
113 	return -EINVAL;
114 }
115 #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
116 #endif /* _LINUX_SECCOMP_H */
117