seccomp.h | seccomp.h | |||
skipping to change at line 33 | skipping to change at line 33 | |||
#define _SECCOMP_H | #define _SECCOMP_H | |||
#include <inttypes.h> | #include <inttypes.h> | |||
#include <asm/unistd.h> | #include <asm/unistd.h> | |||
/* | /* | |||
* types | * types | |||
*/ | */ | |||
/** | /** | |||
* Filter context/handle | ||||
*/ | ||||
typedef void * scmp_filter_ctx; | ||||
/** | ||||
* Filter attributes | * Filter attributes | |||
*/ | */ | |||
enum scmp_filter_attr { | enum scmp_filter_attr { | |||
_SCMP_FLTATR_MIN = 0, | _SCMP_FLTATR_MIN = 0, | |||
SCMP_FLTATR_ACT_DEFAULT = 1, /**< default filter action */ | SCMP_FLTATR_ACT_DEFAULT = 1, /**< default filter action */ | |||
SCMP_FLTATR_ACT_BADARCH = 2, /**< bad architecture action */ | SCMP_FLTATR_ACT_BADARCH = 2, /**< bad architecture action */ | |||
SCMP_FLTATR_CTL_NNP = 3, /**< set NO_NEW_PRIVS on filter load */ | SCMP_FLTATR_CTL_NNP = 3, /**< set NO_NEW_PRIVS on filter load */ | |||
_SCMP_FLTATR_MAX, | _SCMP_FLTATR_MAX, | |||
}; | }; | |||
skipping to change at line 157 | skipping to change at line 162 | |||
/* | /* | |||
* functions | * functions | |||
*/ | */ | |||
/** | /** | |||
* Initialize the filter state | * Initialize the filter state | |||
* @param def_action the default filter action | * @param def_action the default filter action | |||
* | * | |||
* This function initializes the internal seccomp filter state and should | * This function initializes the internal seccomp filter state and should | |||
* be called before any other functions in this library to ensure the filte r | * be called before any other functions in this library to ensure the filte r | |||
* state is initialized. Returns zero on success, negative values on failu re. | * state is initialized. Returns a filter context on success, NULL on fail ure. | |||
* | * | |||
*/ | */ | |||
int seccomp_init(uint32_t def_action); | scmp_filter_ctx seccomp_init(uint32_t def_action); | |||
/** | /** | |||
* Reset the current filter state | * Reset the current filter state | |||
* @param ctx the filter context | ||||
* @param def_action the default filter action | * @param def_action the default filter action | |||
* | * | |||
* This function resets the internal seccomp filter state and ensures the | * This function resets the given seccomp filter state and ensures the | |||
* filter state is reinitialized. This function does not reset any seccomp | * filter state is reinitialized. This function does not reset any seccomp | |||
* filters already loaded into the kernel. Returns zero on success, negati ve | * filters already loaded into the kernel. Returns zero on success, negati ve | |||
* values on failure. | * values on failure. | |||
* | * | |||
*/ | */ | |||
int seccomp_reset(uint32_t def_action); | int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action); | |||
/** | /** | |||
* Destroys the current filter state and releases any resources | * Destroys the current filter state and releases any resources | |||
* @param ctx the filter context | ||||
* | * | |||
* This functions destroys the internal seccomp filter state and releases a ny | * This functions destroys the given seccomp filter state and releases any | |||
* resources, including memory, associated with the filter state. This | * resources, including memory, associated with the filter state. This | |||
* function does not reset any seccomp filters already loaded into the kern el. | * function does not reset any seccomp filters already loaded into the kern el. | |||
* The function seccomp_reset() must be called before the filter can be | * The filter context can no longer be used after calling this function. | |||
* reconfigured after calling this function. | ||||
* | * | |||
*/ | */ | |||
void seccomp_release(void); | void seccomp_release(scmp_filter_ctx ctx); | |||
/** | /** | |||
* Loads the current filter into the kernel | * Loads the current filter into the kernel | |||
* @param ctx the filter context | ||||
* | * | |||
* This function loads the currently configured seccomp filter into the ker | * This function loads the given seccomp filter context into the kernel. I | |||
nel. | f | |||
* If the filter was loaded correctly, the kernel will be enforcing the fil | * the filter was loaded correctly, the kernel will be enforcing the filter | |||
ter | ||||
* when this function returns. Returns zero on success, negative values on | * when this function returns. Returns zero on success, negative values on | |||
* error. | * error. | |||
* | * | |||
*/ | */ | |||
int seccomp_load(void); | int seccomp_load(const scmp_filter_ctx ctx); | |||
/** | /** | |||
* Get the value of a filter attribute | * Get the value of a filter attribute | |||
* @param ctx the filter context | ||||
* @param attr the filter attribute name | * @param attr the filter attribute name | |||
* @param value the filter attribute value | * @param value the filter attribute value | |||
* | * | |||
* This function fetches the value of the given attribute name and returns it | * This function fetches the value of the given attribute name and returns it | |||
* via @value. Returns zero on success, negative values on failure. | * via @value. Returns zero on success, negative values on failure. | |||
* | * | |||
*/ | */ | |||
int seccomp_attr_get(enum scmp_filter_attr attr, uint32_t *value); | int seccomp_attr_get(const scmp_filter_ctx ctx, | |||
enum scmp_filter_attr attr, uint32_t *value); | ||||
/** | /** | |||
* Set the value of a filter attribute | * Set the value of a filter attribute | |||
* @param ctx the filter context | ||||
* @param attr the filter attribute name | * @param attr the filter attribute name | |||
* @param value the filter attribute value | * @param value the filter attribute value | |||
* | * | |||
* This function sets the value of the given attribute. Returns zero on | * This function sets the value of the given attribute. Returns zero on | |||
* success, negative values on failure. | * success, negative values on failure. | |||
* | * | |||
*/ | */ | |||
int seccomp_attr_set(enum scmp_filter_attr attr, uint32_t value); | int seccomp_attr_set(scmp_filter_ctx ctx, | |||
enum scmp_filter_attr attr, uint32_t value); | ||||
/** | /** | |||
* Set the priority of a given syscall | * Set the priority of a given syscall | |||
* @param ctx the filter context | ||||
* @param syscall the syscall number | * @param syscall the syscall number | |||
* @param priority priority value, higher value == higher priority | * @param priority priority value, higher value == higher priority | |||
* | * | |||
* This function sets the priority of the given syscall; this value is used | * This function sets the priority of the given syscall; this value is used | |||
* when generating the seccomp filter code such that higher priority syscal ls | * when generating the seccomp filter code such that higher priority syscal ls | |||
* will incur less filter code overhead than the lower priority syscalls in the | * will incur less filter code overhead than the lower priority syscalls in the | |||
* filter. Returns zero on success, negative values on failure. | * filter. Returns zero on success, negative values on failure. | |||
* | * | |||
*/ | */ | |||
int seccomp_syscall_priority(int syscall, uint8_t priority); | int seccomp_syscall_priority(scmp_filter_ctx ctx, | |||
int syscall, uint8_t priority); | ||||
/** | /** | |||
* Add a new rule to the current filter | * Add a new rule to the current filter | |||
* @param ctx the filter context | ||||
* @param action the filter action | * @param action the filter action | |||
* @param syscall the syscall number | * @param syscall the syscall number | |||
* @param arg_cnt the number of argument filters in the argument filter cha in | * @param arg_cnt the number of argument filters in the argument filter cha in | |||
* @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) | * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) | |||
* | * | |||
* This function adds a series of new argument/value checks to the seccomp | * This function adds a series of new argument/value checks to the seccomp | |||
* filter for the given syscall; multiple argument/value checks can be | * filter for the given syscall; multiple argument/value checks can be | |||
* specified and they will be chained together (AND'd together) in the filt er. | * specified and they will be chained together (AND'd together) in the filt er. | |||
* If the specified rule needs to be adjusted due to architecture specifics it | * If the specified rule needs to be adjusted due to architecture specifics it | |||
* will be adjusted without notification. Returns zero on success, negativ e | * will be adjusted without notification. Returns zero on success, negativ e | |||
* values on failure. | * values on failure. | |||
* | * | |||
*/ | */ | |||
int seccomp_rule_add(uint32_t action, int syscall, unsigned int arg_cnt, .. | int seccomp_rule_add(scmp_filter_ctx ctx, | |||
.); | uint32_t action, int syscall, unsigned int arg_cnt, ... | |||
); | ||||
/** | /** | |||
* Add a new rule to the current filter | * Add a new rule to the current filter | |||
* @param ctx the filter context | ||||
* @param action the filter action | * @param action the filter action | |||
* @param syscall the syscall number | * @param syscall the syscall number | |||
* @param arg_cnt the number of argument filters in the argument filter cha in | * @param arg_cnt the number of argument filters in the argument filter cha in | |||
* @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) | * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) | |||
* | * | |||
* This function adds a series of new argument/value checks to the seccomp | * This function adds a series of new argument/value checks to the seccomp | |||
* filter for the given syscall; multiple argument/value checks can be | * filter for the given syscall; multiple argument/value checks can be | |||
* specified and they will be chained together (AND'd together) in the filt er. | * specified and they will be chained together (AND'd together) in the filt er. | |||
* If the specified rule can not be represented on the architecture the | * If the specified rule can not be represented on the architecture the | |||
* function will fail. Returns zero on success, negative values on failure . | * function will fail. Returns zero on success, negative values on failure . | |||
* | * | |||
*/ | */ | |||
int seccomp_rule_add_exact(uint32_t action, | int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action, | |||
int syscall, unsigned int arg_cnt, ...); | int syscall, unsigned int arg_cnt, ...); | |||
/** | /** | |||
* Generate seccomp Pseudo Filter Code (PFC) and export it to a file | * Generate seccomp Pseudo Filter Code (PFC) and export it to a file | |||
* @param ctx the filter context | ||||
* @param fd the destination fd | * @param fd the destination fd | |||
* | * | |||
* This function generates seccomp Pseudo Filter Code (PFC) and writes it t o | * This function generates seccomp Pseudo Filter Code (PFC) and writes it t o | |||
* the given fd. Returns zero on success, negative values on failure. | * the given fd. Returns zero on success, negative values on failure. | |||
* | * | |||
*/ | */ | |||
int seccomp_export_pfc(int fd); | int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd); | |||
/** | /** | |||
* Generate seccomp Berkley Packet Filter (BPF) code and export it to a fil e | * Generate seccomp Berkley Packet Filter (BPF) code and export it to a fil e | |||
* @param ctx the filter context | ||||
* @param fd the destination fd | * @param fd the destination fd | |||
* | * | |||
* This function generates seccomp Berkley Packer Filter (BPF) code and wri tes | * This function generates seccomp Berkley Packer Filter (BPF) code and wri tes | |||
* it to the given fd. Returns zero on success, negative values on failure . | * it to the given fd. Returns zero on success, negative values on failure . | |||
* | * | |||
*/ | */ | |||
int seccomp_export_bpf(int fd); | int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd); | |||
/* | /* | |||
* pseudo syscall definitions | * pseudo syscall definitions | |||
*/ | */ | |||
/* NOTE - pseudo syscall values {-1..-99} are reserved */ | /* NOTE - pseudo syscall values {-1..-99} are reserved */ | |||
#define __PNR_socket -100 | #define __PNR_socket -100 | |||
#ifndef __NR_socket | #ifndef __NR_socket | |||
#define __NR_socket __PNR_socket | #define __NR_socket __PNR_socket | |||
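Review bot: The `const` in `int seccomp_load(const scmp_filter_ctx ctx);` (and likewise in the new seccomp_attr_get, seccomp_export_pfc and seccomp_export_bpf prototypes) qualifies the pointer itself, not the filter it refers to, because scmp_filter_ctx is `typedef void * scmp_filter_ctx;` from the first hunk; it therefore promises callers nothing about the context being left unmodified and is a definition detail better dropped from the public prototypes. Typedef'ing the handle as `void *` also means any pointer silently converts to a context with no compile-time diagnostic, which is worth avoiding in an API whose calls end in a syscall filter being installed in the kernel; a forward-declared opaque struct keeps the handle just as opaque for callers while restoring type checking, e.g. `struct scmp_filter;` followed by `typedef struct scmp_filter *scmp_filter_ctx;` (tag name to match the implementation). The seccomp_init() comment now documents the NULL failure case but not ownership of the returned handle; a line such as `* The returned context must be released with seccomp_release() when no longer needed.` would make the pairing with seccomp_release() explicit.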
End of changes. 27 change blocks. | ||||
21 lines changed or deleted | 38 lines changed or added | |||