| seccomp.h | seccomp.h | |||
|---|---|---|---|---|
| skipping to change at line 27 | skipping to change at line 27 | |||
| * | * | |||
| * You should have received a copy of the GNU Lesser General Public License | * You should have received a copy of the GNU Lesser General Public License | |||
| * along with this library; if not, see <http://www.gnu.org/licenses>. | * along with this library; if not, see <http://www.gnu.org/licenses>. | |||
| */ | */ | |||
| #ifndef _SECCOMP_H | #ifndef _SECCOMP_H | |||
| #define _SECCOMP_H | #define _SECCOMP_H | |||
| #include <inttypes.h> | #include <inttypes.h> | |||
| #include <asm/unistd.h> | #include <asm/unistd.h> | |||
| #include <linux/audit.h> | ||||
| #ifdef __cplusplus | ||||
| extern "C" { | ||||
| #endif | ||||
| /* | /* | |||
| * types | * types | |||
| */ | */ | |||
| /** | /** | |||
| * Filter context/handle | * Filter context/handle | |||
| */ | */ | |||
| typedef void * scmp_filter_ctx; | typedef void * scmp_filter_ctx; | |||
| skipping to change at line 83 | skipping to change at line 88 | |||
| enum scmp_compare op; /**< the comparison op, e.g. SCMP_CMP_* */ | enum scmp_compare op; /**< the comparison op, e.g. SCMP_CMP_* */ | |||
| scmp_datum_t datum_a; | scmp_datum_t datum_a; | |||
| scmp_datum_t datum_b; | scmp_datum_t datum_b; | |||
| }; | }; | |||
| /* | /* | |||
| * macros/defines | * macros/defines | |||
| */ | */ | |||
| /** | /** | |||
| * The native architecture token | ||||
| */ | ||||
| #define SCMP_ARCH_NATIVE 0 | ||||
| /** | ||||
| * The x86 (32-bit) architecture token | ||||
| */ | ||||
| #define SCMP_ARCH_X86 AUDIT_ARCH_I386 | ||||
| /** | ||||
| * The x86-64 (64-bit) architecture token | ||||
| */ | ||||
| #define SCMP_ARCH_X86_64 AUDIT_ARCH_X86_64 | ||||
| /** | ||||
| * Convert a syscall name into the associated syscall number | * Convert a syscall name into the associated syscall number | |||
| * @param x the syscall name | * @param x the syscall name | |||
| */ | */ | |||
| #define SCMP_SYS(x) __NR_##x | #define SCMP_SYS(x) __NR_##x | |||
| /** | /** | |||
| * Specify an argument comparison struct for use in declaring rules | * Specify an argument comparison struct for use in declaring rules | |||
| * @param arg the argument number, starting at 0 | * @param arg the argument number, starting at 0 | |||
| * @param op the comparison operator, e.g. SCMP_CMP_* | * @param op the comparison operator, e.g. SCMP_CMP_* | |||
| * @param datum_a dependent on comparison | * @param datum_a dependent on comparison | |||
| skipping to change at line 168 | skipping to change at line 188 | |||
| * @param def_action the default filter action | * @param def_action the default filter action | |||
| * | * | |||
| * This function initializes the internal seccomp filter state and should | * This function initializes the internal seccomp filter state and should | |||
| * be called before any other functions in this library to ensure the filte r | * be called before any other functions in this library to ensure the filte r | |||
| * state is initialized. Returns a filter context on success, NULL on fail ure. | * state is initialized. Returns a filter context on success, NULL on fail ure. | |||
| * | * | |||
| */ | */ | |||
| scmp_filter_ctx seccomp_init(uint32_t def_action); | scmp_filter_ctx seccomp_init(uint32_t def_action); | |||
| /** | /** | |||
| * Reset the current filter state | * Reset the filter state | |||
| * @param ctx the filter context | * @param ctx the filter context | |||
| * @param def_action the default filter action | * @param def_action the default filter action | |||
| * | * | |||
| * This function resets the given seccomp filter state and ensures the | * This function resets the given seccomp filter state and ensures the | |||
| * filter state is reinitialized. This function does not reset any seccomp | * filter state is reinitialized. This function does not reset any seccomp | |||
| * filters already loaded into the kernel. Returns zero on success, negati ve | * filters already loaded into the kernel. Returns zero on success, negati ve | |||
| * values on failure. | * values on failure. | |||
| * | * | |||
| */ | */ | |||
| int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action); | int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action); | |||
| /** | /** | |||
| * Destroys the current filter state and releases any resources | * Destroys the filter state and releases any resources | |||
| * @param ctx the filter context | * @param ctx the filter context | |||
| * | * | |||
| * This functions destroys the given seccomp filter state and releases any | * This functions destroys the given seccomp filter state and releases any | |||
| * resources, including memory, associated with the filter state. This | * resources, including memory, associated with the filter state. This | |||
| * function does not reset any seccomp filters already loaded into the kern el. | * function does not reset any seccomp filters already loaded into the kern el. | |||
| * The filter context can no longer be used after calling this function. | * The filter context can no longer be used after calling this function. | |||
| * | * | |||
| */ | */ | |||
| void seccomp_release(scmp_filter_ctx ctx); | void seccomp_release(scmp_filter_ctx ctx); | |||
| /** | /** | |||
| * Loads the current filter into the kernel | * Loads the filter into the kernel | |||
| * @param ctx the filter context | * @param ctx the filter context | |||
| * | * | |||
| * This function loads the given seccomp filter context into the kernel. I f | * This function loads the given seccomp filter context into the kernel. I f | |||
| * the filter was loaded correctly, the kernel will be enforcing the filter | * the filter was loaded correctly, the kernel will be enforcing the filter | |||
| * when this function returns. Returns zero on success, negative values on | * when this function returns. Returns zero on success, negative values on | |||
| * error. | * error. | |||
| * | * | |||
| */ | */ | |||
| int seccomp_load(const scmp_filter_ctx ctx); | int seccomp_load(const scmp_filter_ctx ctx); | |||
| skipping to change at line 246 | skipping to change at line 266 | |||
| * This function sets the priority of the given syscall; this value is used | * This function sets the priority of the given syscall; this value is used | |||
| * when generating the seccomp filter code such that higher priority syscal ls | * when generating the seccomp filter code such that higher priority syscal ls | |||
| * will incur less filter code overhead than the lower priority syscalls in the | * will incur less filter code overhead than the lower priority syscalls in the | |||
| * filter. Returns zero on success, negative values on failure. | * filter. Returns zero on success, negative values on failure. | |||
| * | * | |||
| */ | */ | |||
| int seccomp_syscall_priority(scmp_filter_ctx ctx, | int seccomp_syscall_priority(scmp_filter_ctx ctx, | |||
| int syscall, uint8_t priority); | int syscall, uint8_t priority); | |||
| /** | /** | |||
| * Add a new rule to the current filter | * Add a new rule to the filter | |||
| * @param ctx the filter context | * @param ctx the filter context | |||
| * @param action the filter action | * @param action the filter action | |||
| * @param syscall the syscall number | * @param syscall the syscall number | |||
| * @param arg_cnt the number of argument filters in the argument filter cha in | * @param arg_cnt the number of argument filters in the argument filter cha in | |||
| * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) | * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) | |||
| * | * | |||
| * This function adds a series of new argument/value checks to the seccomp | * This function adds a series of new argument/value checks to the seccomp | |||
| * filter for the given syscall; multiple argument/value checks can be | * filter for the given syscall; multiple argument/value checks can be | |||
| * specified and they will be chained together (AND'd together) in the filt er. | * specified and they will be chained together (AND'd together) in the filt er. | |||
| * If the specified rule needs to be adjusted due to architecture specifics it | * If the specified rule needs to be adjusted due to architecture specifics it | |||
| * will be adjusted without notification. Returns zero on success, negativ e | * will be adjusted without notification. Returns zero on success, negativ e | |||
| * values on failure. | * values on failure. | |||
| * | * | |||
| */ | */ | |||
| int seccomp_rule_add(scmp_filter_ctx ctx, | int seccomp_rule_add(scmp_filter_ctx ctx, | |||
| uint32_t action, int syscall, unsigned int arg_cnt, ... ); | uint32_t action, int syscall, unsigned int arg_cnt, ... ); | |||
| /** | /** | |||
| * Add a new rule to the current filter | * Add a new rule to the filter | |||
| * @param ctx the filter context | * @param ctx the filter context | |||
| * @param action the filter action | * @param action the filter action | |||
| * @param syscall the syscall number | * @param syscall the syscall number | |||
| * @param arg_cnt the number of argument filters in the argument filter cha in | * @param arg_cnt the number of argument filters in the argument filter cha in | |||
| * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) | * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended) | |||
| * | * | |||
| * This function adds a series of new argument/value checks to the seccomp | * This function adds a series of new argument/value checks to the seccomp | |||
| * filter for the given syscall; multiple argument/value checks can be | * filter for the given syscall; multiple argument/value checks can be | |||
| * specified and they will be chained together (AND'd together) in the filt er. | * specified and they will be chained together (AND'd together) in the filt er. | |||
| * If the specified rule can not be represented on the architecture the | * If the specified rule can not be represented on the architecture the | |||
| skipping to change at line 309 | skipping to change at line 329 | |||
| * it to the given fd. Returns zero on success, negative values on failure . | * it to the given fd. Returns zero on success, negative values on failure . | |||
| * | * | |||
| */ | */ | |||
| int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd); | int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd); | |||
| /* | /* | |||
| * pseudo syscall definitions | * pseudo syscall definitions | |||
| */ | */ | |||
| /* NOTE - pseudo syscall values {-1..-99} are reserved */ | /* NOTE - pseudo syscall values {-1..-99} are reserved */ | |||
| #define __NR_SCMP_ERROR -1 | ||||
| #define __PNR_socket -100 | #define __PNR_socket -100 | |||
| #ifndef __NR_socket | #ifndef __NR_socket | |||
| #define __NR_socket __PNR_socket | #define __NR_socket __PNR_socket | |||
| #endif /* __NR_socket */ | #endif /* __NR_socket */ | |||
| #define __PNR_bind -101 | #define __PNR_bind -101 | |||
| #ifndef __NR_bind | #ifndef __NR_bind | |||
| #define __NR_bind __PNR_bind | #define __NR_bind __PNR_bind | |||
| #endif /* __NR_bind */ | #endif /* __NR_bind */ | |||
| skipping to change at line 460 | skipping to change at line 481 | |||
| #define __PNR_shmget -210 | #define __PNR_shmget -210 | |||
| #ifndef __NR_shmget | #ifndef __NR_shmget | |||
| #define __NR_shmget __PNR_shmget | #define __NR_shmget __PNR_shmget | |||
| #endif /* __NR_shmget */ | #endif /* __NR_shmget */ | |||
| #define __PNR_shmctl -211 | #define __PNR_shmctl -211 | |||
| #ifndef __NR_shmctl | #ifndef __NR_shmctl | |||
| #define __NR_shmctl __PNR_shmctl | #define __NR_shmctl __PNR_shmctl | |||
| #endif /* __NR_shmctl */ | #endif /* __NR_shmctl */ | |||
| #ifdef __cplusplus | ||||
| } | ||||
| #endif | ||||
| #endif | #endif | |||
| End of changes. 9 change blocks. | ||||
| 5 lines changed or deleted | 30 lines changed or added | |||